NTUSER.DAT is the single most information-dense forensic artifact in a Windows user profile. This per-user registry hive records program execution history (UserAssist), typed file paths and URLs (TypedPaths, TypedURLs), recently accessed documents (RecentDocs), mapped network drives, persistence mechanisms (Run/RunOnce keys), and hundreds of software configuration settings that collectively reconstruct a comprehensive picture of user activity.
What Is NTUSER.DAT?
Every Windows user profile contains a file named NTUSER.DAT in the root of the user's profile directory (C:\Users\{username}\NTUSER.DAT). This file is a registry hive, a binary container in the regf (registry file) format. At logon it is loaded under HKEY_USERS\{SID}, and HKEY_CURRENT_USER (HKCU) is a link to that subtree for the logged-on user. Every user-scoped registry write made under HKCU during the session lands in this hive: the lazy flusher journals dirty data to the hive's transaction logs within seconds of the write, and the primary file is brought up to date later, periodically and when the hive is unloaded at logoff.
NTUSER.DAT is distinct from the system-level registry hives (SAM, SECURITY, SYSTEM, SOFTWARE) stored in C:\Windows\System32\config\. It contains only user-scoped data: application settings, shell preferences, recent file lists, execution history, and persistence entries that apply to that specific user account. A companion hive, UsrClass.dat (located at C:\Users\{user}\AppData\Local\Microsoft\Windows\UsrClass.dat), contains additional user-specific COM class registrations and ShellBags data.
For forensic investigators, NTUSER.DAT is invaluable because it consolidates dozens of evidence types into a single file. Rather than searching for individual artifacts scattered across the filesystem, an investigator can extract NTUSER.DAT and parse it to obtain execution history, file access patterns, persistence mechanisms, network drive mappings, and software configurations in one pass.
NTUSER.DAT carries the hidden and system attributes, so it does not appear in standard directory listings unless both "Show hidden files" and "Show protected operating system files" are enabled. While the hive is loaded (an interactive logon, or a service, scheduled task or RunAs session under that account) the file is held open exclusively by the kernel's configuration manager and a normal copy fails. Collect it from a Volume Shadow Copy, a forensic image, or a raw NTFS read of the locked file.
Location & Format
| Component | Path | Description |
|---|---|---|
| NTUSER.DAT | C:\Users\{user}\NTUSER.DAT | Primary per-user registry hive; loaded as HKCU |
| ntuser.dat.LOG1 / ntuser.dat.LOG2 | C:\Users\{user}\ntuser.dat.LOG1, C:\Users\{user}\ntuser.dat.LOG2 | Transaction logs; hold writes already journaled but not yet applied to the primary file |
| UsrClass.dat | C:\Users\{user}\AppData\Local\Microsoft\Windows\UsrClass.dat | Companion hive; ShellBags, COM class registrations |
| Default profile | C:\Users\Default\NTUSER.DAT | Template hive copied when new user profiles are created |
Registry Hive Format (regf)
The regf format begins with a 4096-byte base block (the hive header), followed by the hive bins data: a sequence of hive bins (hbin), each a multiple of 4096 bytes. Each bin is divided into cells that store key nodes (nk), value records (vk), security descriptors (sk) and subkey lists; a cell's 4-byte size prefix is negative while the cell is allocated and positive once it has been freed. The base block carries two sequence numbers, the last-written timestamp, the format version, the offset of the root cell and an XOR checksum over its first 508 bytes. Transaction logs (.LOG1, .LOG2) follow a write-ahead model much like ESE databases: dirty data is journaled to a log first and applied to the primary file later, so the logs can hold writes that the primary file does not yet contain.
A hive acquired mid-write (system crash, forced shutdown, or live acquisition while the user is logged on) is "dirty": the two sequence numbers in its base block differ, and the most recent changes exist only in .LOG1/.LOG2. Registry Explorer, RECmd, rla.exe (shipped with RECmd) and yarp detect this and replay the logs when they sit next to the hive; a parser that does not replay logs will show you a stale hive missing the latest registry writes. Always acquire and analyze the logs together with NTUSER.DAT.
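The following Python is an added example written for this article (not a tool from the references): it parses the regf base block, recomputes the header checksum and reports whether a hive is dirty, using the publicly documented base-block layout. The hive it examines is constructed in memory by build_sample_hive() (a header plus one empty bin, with deliberately mismatched sequence numbers); pass the bytes of a real NTUSER.DAT to parse_base_block() to check evidence before handing it to a parser.

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK = 4096  # the regf header occupies the first 4096 bytes; hive bins follow


def regf_checksum(block):
    """XOR of the 127 DWORDs at 0x00-0x1FB; Windows remaps 0 to 1 and 0xFFFFFFFF to 0xFFFFFFFE."""
    x = 0
    for (dw,) in struct.iter_unpack('<I', block[:0x1FC]):
        x ^= dw
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(x, x)


def filetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_base_block(hive):
    block = hive[:BASE_BLOCK]
    if block[:4] != b'regf':
        raise ValueError('missing regf signature')
    # 0x04 primary seq, 0x08 secondary seq, 0x0C last written, 0x14/0x18 major/minor,
    # 0x1C file type, 0x20 file format, 0x24 root cell offset, 0x28 hive bins data size
    seq1, seq2, ft, major, minor, ftype, _fmt, root, bins_size = struct.unpack_from('<IIQIIIIII', block, 4)
    stored = struct.unpack_from('<I', block, 0x1FC)[0]
    return {
        'primary_seq': seq1,
        'secondary_seq': seq2,
        'dirty': seq1 != seq2,            # unequal: a write was in flight, replay .LOG1/.LOG2 first
        'last_written': filetime(ft),
        'version': f'{major}.{minor}',
        'is_primary': ftype == 0,         # non-zero file types are transaction logs
        'root_cell': BASE_BLOCK + root,   # cell offsets are relative to the start of the hive bins data
        'bins_size': bins_size,
        'checksum_ok': stored == regf_checksum(block),
    }


def hive_status(hive):
    """The check to run on every collected hive before parsing it."""
    h = parse_base_block(hive)
    if not h['checksum_ok']:
        return 'corrupt base block'
    if h['dirty']:
        return 'dirty: apply transaction logs before parsing'
    return 'clean'


def build_sample_hive(seq1=12, seq2=11):
    """Constructed input: a base block plus one empty hbin. The default sequence numbers differ (dirty hive)."""
    block = bytearray(BASE_BLOCK)
    block[:4] = b'regf'
    ft = 132_000_000_000_000_000  # an arbitrary FILETIME falling in 2019
    struct.pack_into('<IIQIIIIII', block, 4, seq1, seq2, ft, 1, 5, 0, 1, 0x20, 4096)
    block[0x30:0x30 + 20] = 'ntuser.dat'.encode('utf-16-le')  # file name field, UTF-16LE
    struct.pack_into('<I', block, 0x1FC, regf_checksum(block))
    hbin = bytearray(4096)
    hbin[:4] = b'hbin'
    struct.pack_into('<II', hbin, 4, 0, 4096)  # bin offset within the bins data, bin size
    return bytes(block + hbin)


if __name__ == '__main__':
    for label, hive in (('dirty sample', build_sample_hive()), ('clean sample', build_sample_hive(11, 11))):
        info = parse_base_block(hive)
        print(label, info['version'], info['last_written'].isoformat(), hive_status(hive))
```

On a real case the same check explains why two examiners get different results from the "same" NTUSER.DAT: one parsed the stale primary file, the other replayed the logs.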
Key Forensic Subkeys
NTUSER.DAT contains hundreds of subkeys, but the following are the most forensically valuable. Each maps to the HKCU\ namespace (the NTUSER.DAT\ prefix is used when analyzing the hive offline):
| Key Path (under NTUSER.DAT\) | Artifact Name | Forensic Value |
|---|---|---|
| Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist | UserAssist | GUI program execution: ROT-13 encoded paths, run count, focus count, focus time, last execution timestamp |
| Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths | TypedPaths | Paths typed into the Explorer address bar (e.g., \\fileserver\share); values url1 through url25, most recent first |
| Software\Microsoft\Internet Explorer\TypedURLs | TypedURLs | URLs typed into the Internet Explorer address bar (TypedURLsTime holds per-entry timestamps on IE10+); Chromium-based browsers keep typed URLs in their own history databases instead |
| Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs | RecentDocs | Recently opened documents, in the root key and in per-extension subkeys; MRUListEx gives most-recent-first order |
| Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU | OpenSaveMRU | Files opened/saved through common file dialogs, by extension; the target is stored as a shell item (PIDL) |
| Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU | LastVisitedMRU | Last directory used in a file dialog, per executable; ties an application to a directory |
| Software\Microsoft\Windows\CurrentVersion\Run | Run Keys | Programs auto-started at this user's logon; common persistence mechanism |
| Software\Microsoft\Windows\CurrentVersion\RunOnce | RunOnce Keys | Programs run once at the next logon; the value is deleted before the program runs, so the key is often empty on a dead disk |
| Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU | RunMRU | Commands typed into the Win+R Run dialog; MRUList gives most-recent-first order |
| Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 | MountPoints2 | Volumes and network shares mounted by the user; volume GUIDs for removable media; each subkey's last-write time dates its most recent mount |
| Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU | Mapped Drives MRU | Network paths used when mapping drives via Explorer |
| Software\Microsoft\Windows\CurrentVersion\Search\RecentApps | RecentApps | Early Windows 10 releases only (absent from later builds); application launch counts and last access times |
UserAssist Deep Dive
UserAssist is one of the most powerful execution artifacts in Windows forensics. It lives at NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\, under which two GUID subkeys each hold a Count subkey containing the actual entries:
- {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}: executable file execution (EXE files launched via the Explorer shell)
- {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}: shortcut file (LNK) execution
Each value name under these Count subkeys is the full path to the executed program or shortcut, encoded with ROT-13 (a letter substitution that shifts each letter 13 positions; digits and punctuation are untouched). For example, P:\Hfref\wqbr\Qbjaybnqf\zpyvrag.rkr decodes to C:\Users\jdoe\Downloads\mclient.exe. The encoding is trivially reversible and is not a security measure; it only keeps the data from being obvious to someone casually browsing the registry. Decoded names frequently begin with a known-folder GUID instead of a drive letter (for example {6D809377-6AF0-444B-8957-A3773F02200E} for Program Files), so resolve those before comparing entries against file system paths.
Each UserAssist value contains a 72-byte binary data structure (Windows 7+) with the following fields:
| Offset | Size | Field | Forensic Value |
|---|---|---|---|
| 0x04 | 4 bytes | Run Count | Number of times the program was executed via Explorer |
| 0x08 | 4 bytes | Focus Count | Number of times the application gained foreground focus |
| 0x0C | 4 bytes | Focus Time (ms) | Total milliseconds the application had foreground focus |
| 0x3C | 8 bytes | Last Execution (FILETIME) | Timestamp of the most recent execution (UTC); zero when never run since the entry was created |
UserAssist only records programs launched through the Explorer shell — via desktop shortcuts, Start Menu, taskbar pins, file associations, or direct double-click in Explorer. Programs launched from the command line (cmd.exe, powershell.exe), via scheduled tasks, or through service execution are not recorded in UserAssist. Use Prefetch, Amcache, or process creation event logs to cover those execution vectors.
What It Reveals
NTUSER.DAT answers an exceptionally broad range of investigative questions:
- Which programs did the user execute via the GUI? — UserAssist records execution path, run count, focus time, and last execution timestamp for every program launched through Explorer.
- What paths did the user type into Explorer? — TypedPaths records UNC paths, local paths, and environment variables entered into the Explorer address bar — proving the user intentionally navigated to a location.
- What documents did the user recently open? — RecentDocs tracks files by extension with MRU ordering. OpenSavePidlMRU tracks files accessed through common file dialogs (Open/Save).
- What commands did the user type into the Run dialog? — RunMRU captures Win+R commands, including cmd, powershell, \\server\share, and application names.
- What persistence mechanisms exist for this user? — Run and RunOnce keys list programs that auto-start at this user's logon. Malware frequently writes to these keys.
- What network shares or removable media did the user access? — MountPoints2 records every volume and UNC path the user mounted, including USB drives, network shares, and ISO/VHD mounts.
- What mapped network drives were configured? — The Map Network Drive MRU and the Network subkey (NTUSER.DAT\Network\{drive letter}, whose RemotePath value holds the UNC target) show persistent and recent network drive mappings.
- How long did the user actively use a program? — UserAssist FocusTime provides total foreground usage duration in milliseconds.
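Both MRU conventions used by these keys are easy to get wrong by hand, so here is an added example (written for this article, not code from the page's tools) that decodes them over constructed values: RunMRU, whose MRUList string names single-letter values newest first, and RecentDocs, whose MRUListEx is a DWORD array of value indexes terminated by 0xFFFFFFFF. The sample dictionaries stand in for the name/data pairs a hive parser returns for those keys; the RecentDocs data here ends in zero bytes where a real value carries the .lnk shell item.

```python
import struct

# Constructed sample values, not taken from a real hive.
RUNMRU_SAMPLE = {
    'MRUList': 'cab',                       # newest first: c, then a, then b
    'a': 'cmd\\1',
    'b': 'regedit\\1',
    'c': 'powershell -ep bypass\\1',
}


def _utf16z(text):
    return text.encode('utf-16-le') + b'\x00\x00'


RECENTDOCS_SAMPLE = {
    'MRUListEx': struct.pack('<4I', 2, 0, 1, 0xFFFFFFFF),   # newest first: value "2", "0", "1"
    '0': _utf16z('budget.xlsx') + b'\x00' * 8,
    '1': _utf16z('notes.txt') + b'\x00' * 8,
    '2': _utf16z('Exec_Comp_2026.xlsx') + b'\x00' * 8,
}


def order_mrulist(values):
    """MRUList convention (RunMRU, Map Network Drive MRU): a string of value-name letters, newest first."""
    ordered = []
    for letter in values.get('MRUList', ''):
        raw = values.get(letter)
        if raw is None:                    # letter still listed but its value was deleted
            continue
        ordered.append(raw[:-2] if raw.endswith('\\1') else raw)   # RunMRU suffixes every command with '\1'
    return ordered


def recentdocs_name(data):
    """A RecentDocs value starts with the file name as a null-terminated UTF-16LE string."""
    end = 0
    while end + 1 < len(data) and data[end:end + 2] != b'\x00\x00':
        end += 2
    return data[:end].decode('utf-16-le', errors='replace')


def order_mrulistex(values):
    """MRUListEx convention (RecentDocs, OpenSavePidlMRU, LastVisitedPidlMRU):
    little-endian DWORD value indexes, newest first, terminated by 0xFFFFFFFF."""
    data = values.get('MRUListEx', b'')
    ordered = []
    for (idx,) in struct.iter_unpack('<I', data[:len(data) - len(data) % 4]):
        if idx == 0xFFFFFFFF:
            break
        raw = values.get(str(idx))
        if raw is not None:
            ordered.append(recentdocs_name(raw))
    return ordered


if __name__ == '__main__':
    print('RunMRU, newest first:', order_mrulist(RUNMRU_SAMPLE))
    print('RecentDocs, newest first:', order_mrulistex(RECENTDOCS_SAMPLE))
```

The order is all the key gives you: neither list carries a per-entry timestamp, so the key's last-write time dates only the most recent change, and each per-extension RecentDocs subkey has its own MRUListEx that must be decoded separately.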
Forensic Use Cases
1. Proving Intentional Access to Restricted Data
An employee claims they "accidentally" accessed a restricted network share containing executive compensation data. NTUSER.DAT's TypedPaths key contains the entry \\HRSERVER\Exec_Comp\2026, showing the user typed the UNC path into Explorer's address bar rather than following a link or shortcut. MountPoints2 confirms the share was mounted. RecentDocs lists .xlsx files from that directory in the MRU. UserAssist shows Microsoft Excel was last run 3 minutes after the TypedPaths key's last-write time (TypedPaths stores no per-entry timestamp, so the key's last-write time dates only its most recent entry and needs corroboration from other artifacts).
2. Identifying Persistence After Malware Removal
Endpoint detection removed a malicious executable from disk, but the system re-infects after every reboot. The Run key at NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run contains a value named WindowsUpdate pointing to C:\Users\{user}\AppData\Roaming\svchost.exe. The EDR removed the executable but did not clean the registry persistence entry. At every logon the shell attempts to execute the deleted binary, and if the malware has a dropper component elsewhere, it recreates the file. The value name mimicking a Windows component and a svchost.exe outside System32 are the tells to look for.
3. Reconstructing Deleted File Access History
A user deleted their browser history and emptied the Recycle Bin. However, NTUSER.DAT’s RecentDocs key retains MRU-ordered entries for recently opened files, including documents that have been deleted. The OpenSavePidlMRU key shows that the user saved files to F:\USB_Export\ via a Save As dialog in a document editor. The LastVisitedPidlMRU key links the specific application to the directory it last visited, proving which application was used to save files to the USB drive.
4. Insider Threat Timeline
UserAssist data extracted from three months of VSS snapshots of NTUSER.DAT shows a departing employee's WinSCP (an SFTP client) run count climbing from 0 to 47 in the final two weeks of employment, with FocusTime totalling 14 hours of active use. TypedPaths in the same snapshots shows \\FILESERVER\Engineering\Designs repeatedly back at the url1 (most recent) position during that period; TypedPaths keeps one entry per path and no counter, so the repetition is visible only by comparing snapshots. MountPoints2 shows a volume GUID absent from earlier snapshots whose subkey last-write time puts its first mount one week before the resignation notice.
5. RunMRU as Evidence of Technical Sophistication
In an unauthorized access investigation, the RunMRU key reveals commands like cmd /k whoami /priv, powershell -ep bypass, and regedit. These entries prove the user executed administrative commands through the Run dialog, demonstrating technical intent and capability beyond a typical end user. The MRU order reconstructs the sequence of commands, and the key’s last-write timestamp provides a time anchor.
Acquisition Methods
NTUSER.DAT is locked by the operating system while the user's hive is loaded. A direct copy of a locked hive fails or produces an inconsistent copy. Use a Volume Shadow Copy, forensic imaging, or a raw-disk copy utility. Always collect the transaction logs (ntuser.dat.LOG1, ntuser.dat.LOG2) and the companion UsrClass.dat hive alongside NTUSER.DAT. Avoid exporting the loaded hive with reg save or regedit as a substitute: that writes a fresh, compacted hive without the unallocated cells that deleted-data recovery depends on.
Live System — Volume Shadow Copy
```bat
:: Create a Volume Shadow Copy (vssadmin create shadow exists on Windows Server only;
:: on client editions create the snapshot through WMI/PowerShell instead) and note the
:: "Shadow Copy Volume Name" it prints. The HarddiskVolumeShadowCopy number below must match it.
vssadmin create shadow /for=C:

:: Copy NTUSER.DAT and its transaction logs from the shadow copy
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\jdoe\NTUSER.DAT C:\Evidence\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\jdoe\ntuser.dat.LOG1 C:\Evidence\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\jdoe\ntuser.dat.LOG2 C:\Evidence\

:: Also collect UsrClass.dat
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\jdoe\AppData\Local\Microsoft\Windows\UsrClass.dat C:\Evidence\
```
Live System — KAPE / Raw Copy
```bat
:: KAPE: the RegistryHives target collects NTUSER.DAT, its logs and UsrClass.dat for every profile
kape.exe --tsource C: --tdest C:\Evidence\KAPE_Output --target RegistryHives

:: RawCopy: read a single locked file straight from the NTFS volume
RawCopy.exe /FileNamePath:C:\Users\jdoe\NTUSER.DAT /OutputPath:C:\Evidence\

:: Velociraptor collection
:: Artifact: Windows.KapeFiles.Targets with target "RegistryHives"
```
Forensic Image — Direct Extraction
```bash
# Mount the forensic image read-only
mount -o ro,noexec,nodev /dev/sdb1 /mnt/evidence

# Copy NTUSER.DAT, its transaction logs and UsrClass.dat for every profile
for user in /mnt/evidence/Users/*/; do
    uname=$(basename "$user")
    mkdir -p /analysis/registry/"$uname"
    cp "$user"NTUSER.DAT /analysis/registry/"$uname"/ 2>/dev/null
    cp "$user"ntuser.dat.LOG* /analysis/registry/"$uname"/ 2>/dev/null
    cp "$user"AppData/Local/Microsoft/Windows/UsrClass.dat /analysis/registry/"$uname"/ 2>/dev/null
done
```
Parsing Tools & Analysis
| Tool | Author | License | Output | Notes |
|---|---|---|---|---|
| Registry Explorer | Eric Zimmerman | Free | GUI | Industry standard; transaction log replay; bookmarks for forensic keys; hex/decoded views |
| RECmd | Eric Zimmerman | Free | CSV | CLI companion to Registry Explorer; batch processing with plugin system |
| RegRipper | Harlan Carvey | Open source | Text / TLN | Plugin-based parser; extensive plugin library for forensic keys; rip.pl CLI |
| python-registry | Will Ballenthin | Open source | Python API | Programmatic hive parsing for custom analysis scripts |
| Autopsy | Sleuth Kit | Open source | GUI | Built-in registry parser in the Recent Activity ingest module |
| yarp | Maxim Suhanov | Open source | Python API | Advanced hive parser with transaction log support and deleted key recovery |
Parsing with RECmd (Batch Mode)
```bat
:: Parse NTUSER.DAT with a batch file covering the common forensic keys.
:: ntuser.dat.LOG1/LOG2 in the same directory are detected and replayed automatically.
RECmd.exe -f C:\Evidence\NTUSER.DAT --bn RECmd\BatchExamples\RECmd_Batch_MC.reb --csv C:\Analysis\RECmd_Output

:: Output files include parsed UserAssist, TypedPaths, RecentDocs,
:: Run keys, MountPoints2, and many more forensic artifacts
```
Parsing with RegRipper
```bash
# RegRipper reads the primary file only: replay the transaction logs into the hive first
# (Registry Explorer, rla.exe or yarp) or the most recent writes will be missing.

# Run every plugin in the ntuser profile
rip.pl -r /analysis/registry/jdoe/NTUSER.DAT -f ntuser > /analysis/rr_ntuser_output.txt

# Run individual plugins
rip.pl -r /analysis/registry/jdoe/NTUSER.DAT -p userassist
rip.pl -r /analysis/registry/jdoe/NTUSER.DAT -p typedpaths
rip.pl -r /analysis/registry/jdoe/NTUSER.DAT -p recentdocs
rip.pl -r /analysis/registry/jdoe/NTUSER.DAT -p run
```
UserAssist Decoder Script
```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

from Registry import Registry  # python-registry

HIVE = '/analysis/registry/jdoe/NTUSER.DAT'
UA_PATH = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist'


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01) to a UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


reg = Registry.Registry(HIVE)
ua_key = reg.open(UA_PATH)

for guid_key in ua_key.subkeys():            # {CEBFF5CD-...} executables, {F4E57C4B-...} shortcuts
    count_key = guid_key.subkey('Count')
    for val in count_key.values():
        name = codecs.decode(val.name(), 'rot_13')   # value names are ROT-13 encoded
        data = val.value()
        if len(data) < 72:                           # XP/Vista entries use a 16-byte layout; skipped here
            continue
        # Windows 7+ layout: 0x04 run count, 0x08 focus count, 0x0C focus time (ms), 0x3C last run (FILETIME)
        run_count = struct.unpack_from('<I', data, 0x04)[0]
        focus_count = struct.unpack_from('<I', data, 0x08)[0]
        focus_ms = struct.unpack_from('<I', data, 0x0C)[0]
        filetime = struct.unpack_from('<Q', data, 0x3C)[0]
        last_run = filetime_to_dt(filetime) if filetime else 'N/A'
        if run_count:
            print(name)
            print(f'  Runs: {run_count}  Focus: {focus_count}  FocusTime: {focus_ms / 1000:.0f}s  Last: {last_run}')
            print()
```
Retention & Persistence
| Property | Behavior |
|---|---|
| Lifespan | NTUSER.DAT persists for the lifetime of the user profile; deleted only when the profile is removed |
| Survives reboot | Yes; dirty registry data is flushed to the hive's transaction logs within seconds of a write and to the primary file later (periodically and when the hive is unloaded at logoff), so persistence does not depend on a clean logoff |
| Survives application uninstall | Partially; well-behaved uninstallers remove their own registry keys, but UserAssist, RecentDocs, and MRU entries typically remain |
| UserAssist entries | Persist indefinitely with no automatic pruning, so entries accumulate over the profile's lifetime; only disabling program tracking (Start_TrackProgs = 0 under Explorer\Advanced) stops new ones |
| RecentDocs entries | MRU-ordered; the root key keeps roughly the 150 most recent files and each per-extension subkey keeps its own MRUListEx; the oldest entries are pushed out as new files are opened |
| TypedPaths / TypedURLs | Up to 25 entries each (url1 through url25, most recent first); the oldest is dropped when a new one is added; IE10+ keeps matching per-entry timestamps in TypedURLsTime |
| Run key entries | Persist until explicitly deleted by the user, admin, or uninstaller |
| Deleted keys | Registry hive format does not zero deleted cells; deleted keys and values may be recoverable from unallocated hive space |
When a registry key or value is deleted, the regf format marks the cell as unallocated but does not overwrite the data. Tools like Registry Explorer, yarp, and reglookup-recover can scan unallocated hive space and recover deleted keys with their values and timestamps. This is particularly valuable for recovering deleted Run key persistence entries or removed software configurations.
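Deleted-cell recovery is easy to demonstrate because the freed cell keeps its contents. The following is an added example (written for this article, not the recovery logic of Registry Explorer or yarp): it walks the hive bins, treats every cell with a positive size prefix as unallocated, and carves vk (value) records out of those cells, following the data-offset field to the value's string data where it still survives. The bin it scans is constructed in memory by build_sample_bins(), holding one live cell plus a deleted Run-key value named WindowsUpdate and its freed data; to run it on evidence, pass the hive bytes after the 4096-byte base block (the offsets vk records store are relative to that point).

```python
import struct

REG_TYPES = {1: 'REG_SZ', 2: 'REG_EXPAND_SZ', 3: 'REG_BINARY', 4: 'REG_DWORD', 7: 'REG_MULTI_SZ', 11: 'REG_QWORD'}


def walk_cells(bins):
    """Yield (offset, size, allocated) for every cell in every hbin of the hive-bins data."""
    pos = 0
    while pos + 0x20 <= len(bins) and bins[pos:pos + 4] == b'hbin':
        hb_size = struct.unpack_from('<I', bins, pos + 8)[0]
        cell, end = pos + 0x20, pos + hb_size          # cells start after the 32-byte hbin header
        while cell + 4 <= end:
            (sz,) = struct.unpack_from('<i', bins, cell)
            if sz == 0 or cell + abs(sz) > end:       # malformed cell or trailing junk
                break
            yield cell, abs(sz), sz < 0                # negative size prefix means allocated
            cell += abs(sz)
        pos = end


def parse_vk(bins, off):
    """Decode the vk record in the cell at `off`; None if the cell does not carry a vk signature."""
    hdr = off + 4                                      # skip the cell size prefix
    if bins[hdr:hdr + 2] != b'vk':
        return None
    # 0x02 name length, 0x04 data size, 0x08 data offset, 0x0C type, 0x10 flags (bit 0: ASCII name)
    name_len, data_size, data_off, vtype, flags = struct.unpack_from('<HIIIH', bins, hdr + 2)
    name_raw = bins[hdr + 0x14:hdr + 0x14 + name_len]
    name = name_raw.decode('latin-1') if flags & 1 else name_raw.decode('utf-16-le', 'replace')
    if data_size & 0x80000000:                         # up to 4 bytes of data stored inline in the offset field
        data = struct.pack('<I', data_off)[:data_size & 0x7FFFFFFF]
    else:                                              # data lives in its own cell; skip that cell's size prefix
        data = bins[data_off + 4:data_off + 4 + data_size]
    return {'name': name, 'type': REG_TYPES.get(vtype, vtype), 'data': data}


def recover_deleted_values(bins):
    """Carve vk records out of unallocated cells, decoding string data where the type says it is text."""
    found = []
    for off, _size, allocated in walk_cells(bins):
        if allocated:
            continue
        vk = parse_vk(bins, off)
        if vk is None:
            continue
        if vk['type'] in ('REG_SZ', 'REG_EXPAND_SZ'):
            vk['data'] = vk['data'].decode('utf-16-le', 'replace').rstrip('\x00')
        found.append(vk)
    return found


def build_sample_bins():
    """Constructed input: one hbin with a live cell, then a deleted value record and its freed string data."""
    hb = bytearray(4096)
    hb[:4] = b'hbin'
    struct.pack_into('<II', hb, 4, 0, 4096)            # bin offset, bin size
    cursor = 0x20

    def put(size, allocated, body):
        nonlocal cursor
        off = cursor
        struct.pack_into('<i', hb, off, -size if allocated else size)
        hb[off + 4:off + 4 + len(body)] = body
        cursor += size
        return off

    put(32, True, b'nk')                                # a live key record (contents irrelevant here)
    value = 'C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe\x00'.encode('utf-16-le')
    data_off = cursor + 40                              # the data cell will directly follow the 40-byte vk cell
    vk = b'vk' + struct.pack('<HIIIH', len(b'WindowsUpdate'), len(value), data_off, 1, 1) + b'\x00\x00' + b'WindowsUpdate'
    put(40, False, vk)                                  # freed vk cell: the deleted Run value
    put(88, False, value)                               # freed data cell: its REG_SZ payload
    put(4096 - cursor, False, b'')                      # remainder of the bin is one free cell
    return bytes(hb)


if __name__ == '__main__':
    for vk in recover_deleted_values(build_sample_bins()):
        print(vk['name'], vk['type'], vk['data'])
```

Recovered records come with no parent: the nk cell that owned the value may already have been reused, so a carved vk proves that a value of that name and data existed, not which key held it, unless the owning key's value list still references the cell.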
Anti-Forensics Resilience
NTUSER.DAT has a mixed anti-forensics resilience profile. Some subkeys are targeted by cleanup tools while others are almost never cleared.
| Tool | Clears UserAssist? | Clears RecentDocs? | Clears Run Keys? | Clears TypedPaths? |
|---|---|---|---|---|
| CCleaner | Not by default | Yes (if "Recent Documents" checked) | No | No |
| BleachBit | No | Yes (if configured) | No | No |
| Privacy Eraser | Partial (some versions) | Yes | No | Partial |
| Windows “Clear activity history” | No | Yes | No | No |
| Manual registry editing (regedit) | Possible but rare | Possible | Possible | Possible |
| SDelete / cipher /w | No (locked file) | No (locked file) | No (locked file) | No (locked file) |
UserAssist is rarely cleared by consumer cleanup tools in their default configuration, and the ROT-13 value names make it non-obvious to anyone browsing the registry by hand. Insiders who clear browser history, the Recycle Bin and Recent Documents frequently leave UserAssist intact, with timestamps and run counts for every program they launched through the shell. Two caveats: a user can stop new entries from being written by disabling program tracking (Start_TrackProgs = 0 under Explorer\Advanced), and existing entries can be deleted with regedit, although the freed cells may remain recoverable from the hive's unallocated space.
MITRE ATT&CK Detection Mapping
NTUSER.DAT data provides evidentiary support for detecting the following MITRE ATT&CK techniques:
| Technique | Name | NTUSER.DAT Evidence |
|---|---|---|
| T1547.001 | Registry Run Keys / Startup Folder | Run and RunOnce keys in NTUSER.DAT hold user-scoped autostart entries; primary persistence detection target |
| T1112 | Modify Registry | Unexpected or malicious modifications under HKCU; compare against a known-good baseline |
| T1005 | Data from Local System | RecentDocs and OpenSaveMRU entries showing access to sensitive files; TypedPaths showing deliberate navigation |
| T1039 | Data from Network Shared Drive | MountPoints2 and TypedPaths showing UNC paths to network shares; Map Network Drive MRU |
| T1204.002 | User Execution: Malicious File | UserAssist entries showing user-initiated execution of a malicious file (e.g., a phishing attachment opened by double-click) |
| T1070 | Indicator Removal | Cleared RecentDocs alongside an intact UserAssist indicates selective cleanup; deleted Run-key values may be recoverable from unallocated hive space |
Related Artifacts & Cross-References
Corroborating Artifacts
| Artifact | Relationship to NTUSER.DAT | Cross-Correlation Value |
|---|---|---|
| UsrClass.dat | Companion user hive; contains ShellBags and COM class data | ShellBags prove folder navigation; NTUSER.DAT UserAssist proves application execution |
| Prefetch | System-wide execution tracking | Prefetch covers command-line execution that UserAssist misses; UserAssist provides run counts and focus time that Prefetch lacks |
| Amcache.hve | Execution history with SHA-1 hashes | Amcache provides the binary hash; NTUSER.DAT provides user context and execution frequency |
| Jump Lists | Per-application file access history | Jump Lists show which files were opened by which app; NTUSER.DAT RecentDocs shows the same from a different angle |
| SRUM.db | Network and resource usage per application | SRUM network data + UserAssist execution data = complete picture of what ran and what it transferred |
| Security.evtx (4688) | Process creation with command lines | 4688 events capture command-line execution that UserAssist misses; NTUSER.DAT Run keys explain why processes auto-started |
References
- Eric Zimmerman, “Registry Explorer & RECmd” — https://ericzimmerman.github.io/
- Harlan Carvey, “RegRipper — Registry Analysis Tool” — https://github.com/keydet89/RegRipper3.0
- Didier Stevens, “UserAssist” — https://blog.didierstevens.com
- SANS Institute, “Windows Registry Forensics” — https://www.sans.org/blog/
- 13Cubed, “NTUSER.DAT Analysis for DFIR” — https://www.13cubed.com/blog
- Microsoft, “Registry Hive Format” — https://learn.microsoft.com
- ForensicArtifacts.com, “NTUSER.DAT Artifact Definition” — https://github.com/ForensicArtifacts/artifacts
- Maxim Suhanov, “yarp — Yet Another Registry Parser” — https://github.com/msuhanov/yarp
Mjolnir Security — Digital Forensics & Incident Response