User Assist key
The User Assist key contains settings and data of programs that were launched via Windows Explorer (explorer.exe).
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist
Sub keys:
Name | Description |
---|---|
{%GUID%} | The User Assist logged data |
Settings | Settings to control User Assist logging |
Note that the Settings sub key does not exist by default.
Known GUIDs
GUID | Windows Versions | Description |
---|---|---|
{0D6D4F41-2994-4BA0-8FEF-620E43CD2812} | XP, Vista | TODO assumed as: IE7 |
{5E6AB780-7743-11CF-A12B-00AA004AE837} | 2000, XP, 2003, Vista | Microsoft Internet Toolbar |
{75048700-EF1F-11D0-9888-006097DEACF9} | 2000, XP, 2003, Vista | ActiveDesktop |
{9E04CAB2-CC14-11DF-BB8C-A2F1DED72085} | 8, 10 | |
{A3D53349-6E61-4557-8FC7-0028EDCEEBF6} | 8, 10 | |
{B267E3AD-A825-4A09-82B9-EEC22AA3B847} | 8 | |
{BCB48336-4DDD-48FF-BB0B-D3190DACB3E2} | 8.1 | |
{CAA59E3C-4792-41A5-9909-6A6A8D32490E} | 8 | |
{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} | 2008 (R2?), 7, 8, 10 | TODO assumed as: Application or Executable File Execution |
{F2A1CB5A-E3CC-4A2E-AF9D-505A7009D442} | 8, 10 | |
{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} | 2008 (R2?), 7, 8, 10 | TODO assumed as: Shortcut File Execution |
{FA99DFC7-6AC2-453A-A5E2-5E2AFF4507BD} | 8, 10 |
Note that the User Assist key does not seem to be present on NT4, therefore this functionality was likely introduced in Windows 2000.
Sometimes more information about the GUID can be found in the key:
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{%GUID%}\
GUID sub key
Sub keys:
Name | Description |
---|---|
Count | Contains the User Assist log entries |
Values:
Name | Data type | Description |
---|---|---|
Version | REG_DWORD | Indicates the User Assist log format version |
Version value data
Value | Windows Versions |
---|---|
3 | 2000, XP, 2003, Vista |
5 | 2008 (R2?), 7, 8 |
Count sub key
Values:
Name | Data type | Description |
---|---|---|
%NAME% | REG_SZ | Where %NAME% is obfuscated using a technique described below. |
Windows Versions | Obfuscation technique |
---|---|
2000, XP, 2003, Vista, 2008 (R2?), 7, 8 | ROT-13 of character values in the ASCII [A-Za-z] range. + |
Values outside of this range e.g. [0-9] and values outside the basic ASCII range (>= 0x80) are not obfuscated. |
|
7 beta | Vigenère cipher with key: BWHQNKTEZYFSLMRGXADUJOPIVC |
Named value
Value | Description |
---|---|
UEME_CTLSESSION | Session identifier |
UEME_CTLCUACount:ctor | |
UEME_RUNCPL | Executed control applets (.cpl) |
UEME_RUNPATH | Executed programs |
UEME_RUNPIDL | Programs started via a PIDL (shell item list) e.g. using a Shortcut |
UEME_RUNWMCMD | Programs started via a Run Command |
UEME_UIHOTKEY | Programs started via a Hotkey |
UEME_UIQCUT | Programs started via a Quick Launch menu shortcut |
UEME_UISCUT | Programs started via a Desktop shortcut |
UEME_UITOOLBAR | Programs started via Windows Explorer Toolbar buttons |
Note does UEME stand for User Experience Monitoring Element/Extension? Note does CTL stand for client? Note does CUA stand for current user (file) associations?
With the exception of the UEME_CTLSESSION value, these values appear to use a similar data types. The structure of a data type depends on the Version value of the GUID sub key. The following versions have been observed:
version 3, that is used by Windows 2000, XP, 2003 and Vista.
version 5, that is used by Windows 2008 (R2?), 7, 8.
UEME_CTLSESSION value data
UEME_CTLSESSION value data - version 3
The UEME_CTLSESSION value data - version 3 is 8 bytes of size and consists of:
Offset | Size | Value | Description |
---|---|---|---|
0 | 4 | Unknown | |
4 | 4 | Current session identifier |
UEME_CTLSESSION value data - version 5
The UEME_CTLSESSION value data - version 5 is 1612 bytes of size and consists of:
Offset | Size | Value | Description |
---|---|---|---|
0 | 4 | 1 | Unknown (version?) |
4 | 4 | Unknown | |
8 | 4 | Unknown | |
12 | 4 | Unknown | |
16 | ... | Unknown (array of 3x records at offset 0x10, 0x224, 0x438) |
The UEME_CTLSESSION value data - version 5 record is 532 bytes of size and consists of:
Offset | Size | Value | Description |
---|---|---|---|
0 | 4 | Unknown | |
8 | 4 | Unknown | |
12 | 4 | Unknown | |
16 | ... | Unknown (UTF-16 little-endian string with end-of-string character) | |
... | ... | Unknown |
Other value data
Other value data - version 3
The other value data - version 3 is 16 bytes of size and consists of:
Offset | Size | Value | Description |
---|---|---|---|
0 | 4 | Session identifier | |
4 | 4 | Number of executions | |
8 | 8 | Last execution time, which contains a FILETIME |
Other value data - version 5
The other value data - version 5 is 72 bytes of size and consists of:
Offset | Size | Value | Description |
---|---|---|---|
0 | 4 | Unknown (Seen: 0, -1 (0xffffffff) or 1) | |
4 | 4 | Number or executions | |
8 | 4 | Unknown (sometimes referred to as number of application focuses) | |
12 | 4 | Unknown (sometimes referred to as application focus time, does its meaning differ per GUID?) | |
16 | 4 | Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?) | |
20 | 4 | Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?) | |
24 | 4 | Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?) | |
28 | 4 | Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?) | |
32 | 4 | Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?) | |
36 | 4 | Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?) | |
40 | 4 | Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?) | |
44 | 4 | Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?) | |
48 | 4 | Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?) | |
52 | 4 | Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?) | |
56 | 4 | Unknown, sometimes -1 (0xffffffff) | |
60 | 8 | Last execution time, contains a FILETIME or 0 if not set | |
68 | 4 | 0 | Unknown (empty value ?) |
Settings sub key
Values:
Name | Data type | Description |
---|---|---|
NoLog | REG_DWORD | Turn of logging. Set to 1 to disable logging of the User Assist information |
NoEncrypt | REG_DWORD | Turn of obfuscation of %NAME% values. Set to 1 to disable name obfuscation |