User Assist key

The User Assist key contains settings and data of programs that were launched via Windows Explorer (explorer.exe).

HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist

Sub keys:

Name	Description
{%GUID%}	The User Assist logged data
Settings	Settings to control User Assist logging

Note that the Settings sub key does not exist by default.

Known GUIDs

GUID	Windows Versions	Description
{0D6D4F41-2994-4BA0-8FEF-620E43CD2812}	XP, Vista	TODO assumed as: IE7
{5E6AB780-7743-11CF-A12B-00AA004AE837}	2000, XP, 2003, Vista	Microsoft Internet Toolbar
{75048700-EF1F-11D0-9888-006097DEACF9}	2000, XP, 2003, Vista	ActiveDesktop
{9E04CAB2-CC14-11DF-BB8C-A2F1DED72085}	8, 10
{A3D53349-6E61-4557-8FC7-0028EDCEEBF6}	8, 10
{B267E3AD-A825-4A09-82B9-EEC22AA3B847}	8
{BCB48336-4DDD-48FF-BB0B-D3190DACB3E2}	8.1
{CAA59E3C-4792-41A5-9909-6A6A8D32490E}	8
{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}	2008 (R2?), 7, 8, 10	TODO assumed as: Application or Executable File Execution
{F2A1CB5A-E3CC-4A2E-AF9D-505A7009D442}	8, 10
{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}	2008 (R2?), 7, 8, 10	TODO assumed as: Shortcut File Execution
{FA99DFC7-6AC2-453A-A5E2-5E2AFF4507BD}	8, 10

Note that the User Assist key does not seem to be present on NT4, therefore this functionality was likely introduced in Windows 2000.

Sometimes more information about the GUID can be found in the key:

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{%GUID%}\

GUID sub key

Sub keys:

Name	Description
Count	Contains the User Assist log entries

Values:

Name	Data type	Description
Version	REG_DWORD	Indicates the User Assist log format version

Version value data

Value	Windows Versions
3	2000, XP, 2003, Vista
5	2008 (R2?), 7, 8

Count sub key

Values:

Name	Data type	Description
%NAME%	REG_SZ	Where %NAME% is obfuscated using a technique described below.

Windows Versions	Obfuscation technique
2000, XP, 2003, Vista, 2008 (R2?), 7, 8	ROT-13 of character values in the ASCII `[A-Za-z]` range. +
Values outside of this range e.g. `[0-9]` and values outside the basic ASCII range (>= 0x80) are not obfuscated.
7 beta	Vigenère cipher with key: BWHQNKTEZYFSLMRGXADUJOPIVC

Named value

Value	Description
UEME_CTLSESSION	Session identifier
UEME_CTLCUACount:ctor
UEME_RUNCPL	Executed control applets (.cpl)
UEME_RUNPATH	Executed programs
UEME_RUNPIDL	Programs started via a PIDL (shell item list) e.g. using a Shortcut
UEME_RUNWMCMD	Programs started via a Run Command
UEME_UIHOTKEY	Programs started via a Hotkey
UEME_UIQCUT	Programs started via a Quick Launch menu shortcut
UEME_UISCUT	Programs started via a Desktop shortcut
UEME_UITOOLBAR	Programs started via Windows Explorer Toolbar buttons

Note does UEME stand for User Experience Monitoring Element/Extension? Note does CTL stand for client? Note does CUA stand for current user (file) associations?

With the exception of the UEME_CTLSESSION value, these values appear to use a similar data types. The structure of a data type depends on the Version value of the GUID sub key. The following versions have been observed:

version 3, that is used by Windows 2000, XP, 2003 and Vista.
version 5, that is used by Windows 2008 (R2?), 7, 8.

UEME_CTLSESSION value data

UEME_CTLSESSION value data - version 3

The UEME_CTLSESSION value data - version 3 is 8 bytes of size and consists of:

Offset	Size	Value	Description
0	4		Unknown
4	4		Current session identifier

UEME_CTLSESSION value data - version 5

The UEME_CTLSESSION value data - version 5 is 1612 bytes of size and consists of:

Offset	Size	Value	Description
0	4	1	Unknown (version?)
4	4		Unknown
8	4		Unknown
12	4		Unknown
16	...		Unknown (array of 3x records at offset 0x10, 0x224, 0x438)

The UEME_CTLSESSION value data - version 5 record is 532 bytes of size and consists of:

Offset	Size	Description
0	4	Unknown
8	4	Unknown
12	4	Unknown
16	...	Unknown (UTF-16 little-endian string with end-of-string character)
...	...	Unknown

Other value data

Other value data - version 3

The other value data - version 3 is 16 bytes of size and consists of:

Offset	Size	Description
0	4	Session identifier
4	4	Number of executions
8	8	Last execution time, which contains a FILETIME

Other value data - version 5

The other value data - version 5 is 72 bytes of size and consists of:

Offset	Size	Value	Description
0	4		Unknown (Seen: 0, -1 (0xffffffff) or 1)
4	4		Number or executions
8	4		Unknown (sometimes referred to as number of application focuses)
12	4		Unknown (sometimes referred to as application focus time, does its meaning differ per GUID?)
16	4		Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?)
20	4		Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?)
24	4		Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?)
28	4		Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?)
32	4		Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?)
36	4		Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?)
40	4		Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?)
44	4		Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?)
48	4		Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?)
52	4		Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?)
56	4		Unknown, sometimes -1 (0xffffffff)
60	8		Last execution time, contains a FILETIME or 0 if not set
68	4	0	Unknown (empty value ?)

Settings sub key

Values:

Name	Data type	Description
NoLog	REG_DWORD	Turn of logging. Set to 1 to disable logging of the User Assist information
NoEncrypt	REG_DWORD	Turn of obfuscation of %NAME% values. Set to 1 to disable name obfuscation

External links

UserAssist, by Didier Stevens
Windows 7 Beta: ROT13 Replaced With Vigenère? Great Joke!
Windows-userassist-keys
libfwsi: Known Folder Identifiers