Hidden behind a layer of trivial ROT-13 obfuscation in the user’s NTUSER.DAT hive, UserAssist maintains a complete log of every GUI application a user has launched — including how many times they ran it, how long they focused on it, and exactly when they last used it. For investigators, this is a user-attributed execution artifact that directly ties program launches to a specific account.
What Is UserAssist?
UserAssist is a Windows Explorer feature that tracks GUI-based program execution in the per-user NTUSER.DAT registry hive. Every time a user launches a program through the Windows shell — via the Start menu, desktop shortcut, taskbar, File Explorer, or a direct executable double-click — Windows records the event in UserAssist. The data includes a run count, a focus time (the total seconds the application window held foreground focus), and a last execution timestamp.
UserAssist entries are stored under two GUID subkeys within NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\. The entry names appear to be gibberish — but they are simply ROT-13 encoded versions of the original file paths and shell link identifiers. This encoding was likely intended to prevent casual browsing of the data, not as a security measure. Every forensic tool decodes ROT-13 automatically.
Because UserAssist is stored in the user’s personal registry hive, it is inherently user-attributed. Unlike Shimcache and Prefetch, which are both system-wide, UserAssist ties each program launch directly to the specific user account that executed it. On shared workstations or terminal servers, this attribution is essential for establishing individual responsibility.
UserAssist is the only standard Windows execution artifact that records focus time — the total seconds an application’s window was in the foreground. An insider who claims they “accidentally opened” a prohibited tool will have difficulty explaining 47 minutes of foreground focus time recorded in UserAssist.
Location & Format
Registry Path
| Property | Detail |
|---|---|
| Hive | NTUSER.DAT — C:\Users\{username}\NTUSER.DAT |
| Key path | Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count |
| Encoding | ROT-13 on value names (trivially reversible) |
| Value type | REG_BINARY (16-byte or 72-byte structure depending on OS) |
| Attribution | Per-user — each user’s NTUSER.DAT has its own UserAssist data |
GUID Subkeys
| GUID | Tracks | Description |
|---|---|---|
| {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} | Executable files | Direct program execution via Explorer shell (EXE files launched by the user) |
| {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} | Shortcut files (.lnk) | Programs launched via shortcuts (Start menu, desktop, taskbar, Quick Launch) |
Binary Value Structure (Windows 7+)
| Offset | Size | Field | Description |
|---|---|---|---|
| 0x00 | 4 bytes | Session | Session identifier |
| 0x04 | 4 bytes | Run Count | Total number of times the program was launched |
| 0x08 | 4 bytes | Focus Count | Number of times the window received focus |
| 0x0C | 4 bytes | Focus Time (ms) | Total milliseconds the application held foreground focus |
| 0x3C | 8 bytes | Last Execution | Windows FILETIME of last execution (100ns intervals since 1601-01-01) |
UserAssist value names are ROT-13 encoded. For example, `P:\Hfref\wqbr\Qrfxgbc\zvzvxngm.rkr` decodes to `C:\Users\jdoe\Desktop\mimikatz.exe`. Every forensic tool handles this automatically. In Python: `import codecs; codecs.decode(encoded, 'rot_13')`. The encoding provides zero security — it is trivially reversible and was never intended as protection.
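The table and the ROT-13 note above describe the raw value; the following added example (not code from the article or from any of the tools it lists) decodes one such REG_BINARY value into its fields. The 72-byte layout follows the table above; the 16-byte XP-era layout and the sample WinSCP value are assumptions labelled in the comments.

```python
import codecs
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME = 100ns ticks since here

def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)
def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

@dataclass
class UserAssistEntry:
    path: str                       # ROT-13 decoded value name
    run_count: int
    focus_count: Optional[int]      # absent in the 16-byte layout
    focus_seconds: Optional[float]  # stored as milliseconds, reported in seconds
    last_run: Optional[datetime]    # None when the FILETIME field is zero

def parse_userassist_value(name: str, data: bytes) -> UserAssistEntry:
    """Decode one value found under ...\\Explorer\\UserAssist\\{GUID}\\Count."""
    path = codecs.decode(name, "rot_13")
    if len(data) == 72:
        # Windows 7+ layout (table above): session, runs, focus count, focus ms at 0x00; FILETIME at 0x3C
        _session, runs, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (ft,) = struct.unpack_from("<Q", data, 0x3C)
        return UserAssistEntry(path, runs, focus_count, focus_ms / 1000.0,
                               filetime_to_datetime(ft) if ft else None)
    if len(data) == 16:
        # XP-era layout (assumption, not on the page): session, count, FILETIME; XP counts start at 5
        _session, raw_runs, ft = struct.unpack("<IIQ", data)
        return UserAssistEntry(path, max(raw_runs - 5, 0), None, None,
                               filetime_to_datetime(ft) if ft else None)
    raise ValueError(f"unexpected UserAssist value size: {len(data)} bytes")

def build_sample_value(runs: int, focus_count: int, focus_ms: int, last_run: datetime) -> bytes:
    # Constructed 72-byte value for demonstration only; the ten float fields stay zero.
    blob = bytearray(72)
    struct.pack_into("<IIII", blob, 0, 1, runs, focus_count, focus_ms)
    struct.pack_into("<Q", blob, 0x3C, datetime_to_filetime(last_run))
    return bytes(blob)

# Constructed sample using the WinSCP figures quoted in the article (focus count assumed).
SAMPLE_NAME = codecs.encode(r"C:\Users\jdoe\Downloads\WinSCP-Portable\WinSCP.exe", "rot_13")
SAMPLE_VALUE = build_sample_value(31, 40, 5_400_000, datetime(2026, 2, 14, 23, 47, tzinfo=timezone.utc))

if __name__ == "__main__":
    e = parse_userassist_value(SAMPLE_NAME, SAMPLE_VALUE)
    print(f"{e.path}  runs={e.run_count}  focus={e.focus_seconds / 60:.1f} min  last={e.last_run:%Y-%m-%d %H:%M}")
```

A zero FILETIME is reported as no timestamp rather than 1601-01-01, which is how session-control entries with no real execution time would otherwise appear.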
What It Reveals
UserAssist provides a uniquely rich set of user-attributed execution metadata:
- Which programs did this specific user launch? — Every GUI application launched through the Windows shell is recorded with the user’s NTUSER.DAT, providing per-user attribution.
- How many times was each program launched? — The run count shows total executions. A count of 47 for a data collection tool during an insider threat investigation is significantly different from a count of 1.
- How long did the user actively use each program? — Focus time records how many seconds the application window held foreground focus. This distinguishes between “I accidentally opened it” (2 seconds) and “I used it extensively” (2,820 seconds = 47 minutes).
- When was the program last executed? — The last execution timestamp provides a precise point in time for the most recent use of each application.
- Was the program launched via shortcut or directly? — The two GUID subkeys distinguish between direct executable launches (CEBFF5CD) and shortcut-based launches (F4E57C4B), revealing how the user accessed the program.
- What was the full path of the executed program? — The ROT-13 decoded value name contains the complete file path, proving the program’s location on disk at the time of execution.
In an insider threat case, the subject claimed they “never used” the WinSCP file transfer client found installed on their workstation. UserAssist recorded 23 executions with a total focus time of 4,260 seconds (71 minutes). The last execution was at 23:47 on the night before their resignation. This data, combined with SRUM network transfer records during the same window, established intentional and sustained use of the tool for data exfiltration.
Forensic Use Cases
1. Insider Threat — Proving Intentional Use
A departing employee denies using unauthorized file transfer software. UserAssist shows 31 launches of C:\Users\jdoe\Downloads\WinSCP-6.1.2-Portable\WinSCP.exe with 5,400 seconds (90 minutes) of focus time over a two-week period. The run count and focus time prove sustained, intentional use — not an accidental click.
2. Malware Execution Attribution
Multiple user accounts exist on a shared workstation. Shimcache and Prefetch confirm that a malicious executable ran, but they cannot identify which user launched it. UserAssist in each user’s NTUSER.DAT is checked: only the “jsmith” account has a UserAssist entry for the malware, proving that jsmith was the user who executed it through the GUI.
3. Prohibited Application Usage
Corporate policy prohibits Tor Browser. The user installs Tor, uses it, then deletes the entire Tor directory. UserAssist retains the entry for {F4E57C4B}...\Start Tor Browser.lnk (decoded from ROT-13) with a run count of 12 and a last-execution timestamp, proving repeated intentional use of the prohibited application even though no trace of it remains on disk.
4. Timeline Reconstruction
By extracting last-execution timestamps from all UserAssist entries across the incident window, investigators can reconstruct the exact sequence of programs the user launched. If the subject opened a document management system at 22:00, launched WinSCP at 22:05, and opened a cloud browser session at 22:12, UserAssist provides the timestamps to establish this sequence.
5. Establishing User Activity Patterns
UserAssist’s run counts reveal a user’s routine application usage. If a user normally runs Outlook (count: 412), Chrome (count: 890), and Excel (count: 245), but also has a single entry for procdump64.exe (count: 1) with 15 seconds of focus time, that anomalous entry stands out against the baseline of normal activity.
Acquisition Methods
NTUSER.DAT is locked while the user is logged in. On a live system, use Volume Shadow Copy, KAPE, or a raw-disk copy utility. If the user is logged off, the hive can be copied directly. Always collect from every user profile on the system, not just the suspect’s — other accounts may contain relevant UserAssist data.
Live System Collection
```
:: Export current user's hive via reg.exe
reg save HKU\S-1-5-21-xxx-xxx-xxx-1001 C:\Evidence\NTUSER_jdoe.DAT /y

:: KAPE: Collect all user NTUSER.DAT hives
kape.exe --tsource C: --tdest C:\Evidence\KAPE_Output --target RegistryHives

:: VSS approach for locked hives
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\jdoe\NTUSER.DAT C:\Evidence\
```
Forensic Image Extraction
```bash
# Mount forensic image read-only
mount -o ro,noexec,nodev /dev/sdb1 /mnt/evidence

# Copy NTUSER.DAT for each user
for user in /mnt/evidence/Users/*/; do
    uname=$(basename "$user")
    cp "${user}NTUSER.DAT" "/analysis/userassist/${uname}_NTUSER.DAT" 2>/dev/null
done
```
Parsing Tools & Analysis
| Tool | Author | License | Output | Notes |
|---|---|---|---|---|
| Registry Explorer | Eric Zimmerman | Free | GUI + export | Automatic ROT-13 decode; visual inspection of all UserAssist entries |
| RECmd | Eric Zimmerman | Free | CSV | Command-line registry parser; batch UserAssist extraction with --bn UserAssist |
| RegRipper | Harlan Carvey | Open source (Perl) | Text | userassist plugin; fast, lightweight parsing |
| UserAssist.py | Didier Stevens | Open source (Python) | Text / CSV | Standalone Python script; no dependencies; cross-platform |
| Autopsy | Basis Technology | Open source | GUI | Built-in UserAssist parser module |
| Velociraptor | Rapid7 | Open source | JSON / CSV | Windows.Registry.UserAssist artifact; remote collection at scale |
Parsing with RECmd
```
:: Parse UserAssist from an offline NTUSER.DAT
RECmd.exe -f C:\Evidence\NTUSER_jdoe.DAT --bn UserAssist --csv C:\Analysis\UserAssist_Output

:: Batch parse all user hives in a directory
RECmd.exe -d C:\Evidence\UserHives\ --bn UserAssist --csv C:\Analysis\All_UserAssist
```
Parsing with UserAssist.py (Didier Stevens)
```bash
# Parse NTUSER.DAT for UserAssist entries
python UserAssist.py /analysis/userassist/jdoe_NTUSER.DAT
# Output includes decoded paths, run counts, focus times, last execution
```
Analysis Script — High Focus Time Detection
```python
# Identify programs with high focus time or anomalous run counts
import pandas as pd

df = pd.read_csv('/analysis/userassist/RECmd_UserAssist_Output.csv')

# Filter for entries with significant focus time (>60 seconds)
active_use = df[df['FocusTime'] > 60].copy()

# Sort by focus time descending
active_use = active_use.sort_values('FocusTime', ascending=False)

# Convert focus time to human-readable minutes
active_use['FocusMinutes'] = (active_use['FocusTime'] / 60).round(1)

print(active_use[['ProgramName', 'RunCount', 'FocusMinutes', 'LastExecution']].head(15).to_string())
```
Sample Output
```
ProgramName                                             RunCount  FocusMinutes  LastExecution
C:\Program Files\Google\Chrome\Application\chrome.exe        890       14220.5  2026-02-28 17:30:00
C:\Program Files\Microsoft Office\OUTLOOK.EXE                412        9840.2  2026-02-28 17:25:00
C:\Users\jdoe\Downloads\WinSCP-Portable\WinSCP.exe            31          90.0  2026-02-14 23:47:00
C:\Users\jdoe\Desktop\mimikatz.exe                             1           0.3  2026-02-13 18:30:00
C:\Windows\System32\cmd.exe                                    8          12.4  2026-02-14 22:15:00
```
Chrome and Outlook show normal daily use patterns (high run count, high focus time). WinSCP shows 31 launches with 90 minutes of focus time ending the night before the employee’s resignation — consistent with sustained file transfer activity. mimikatz.exe shows a single launch with 0.3 minutes (18 seconds) of focus, suggesting it was run briefly and closed. cmd.exe with 8 launches and 12 minutes suggests command-line operations during the incident window.
Retention & Persistence
| Property | Detail |
|---|---|
| Retention period | Indefinite — entries persist until manually cleared or user profile deleted |
| Survives reboot | Yes — persists in NTUSER.DAT registry hive |
| Survives app uninstall | Yes — entries remain after the program is removed |
| Survives file deletion | Yes — entries reference the path, not the file itself |
| Update frequency | Real-time on each GUI program launch |
| Scope | Per-user — stored in each user’s NTUSER.DAT |
| Eviction | No automatic eviction; entries accumulate over time |
UserAssist entries are never automatically pruned by Windows. They accumulate indefinitely unless the user manually clears the registry key or the user profile is deleted. This means a user’s complete GUI application launch history can span months or years, providing an extensive behavioral baseline for anomaly detection.
Anti-Forensics Resilience
UserAssist is moderately resilient to anti-forensics. While it is not as hardened as system-level artifacts (SRUM, Shimcache), it benefits from being stored in a per-user registry hive that most cleanup tools do not target.
| Tool / Technique | Clears UserAssist? | Explanation |
|---|---|---|
| CCleaner | Partial | Some versions have a “Windows Explorer — Other” option that may clear UserAssist |
| BleachBit | No | No default module targets UserAssist registry keys |
| Eraser | No | File-deletion tool; does not modify registry values |
| Privacy Eraser | Possible | Some privacy tools specifically list UserAssist as a target |
| Registry Editor | Yes | Manual deletion of the Count subkey clears entries; detectable via registry transaction logs |
| User profile deletion | Yes | Deleting the user profile removes NTUSER.DAT entirely |
| Prefetch cleanup | No | Independent artifact subsystem |
UserAssist is more vulnerable to cleanup than system-level artifacts because sophisticated privacy tools may target it. However, the ROT-13 encoding creates a perception of complexity that deters manual cleanup by most users. In Mjolnir case history, fewer than 10% of subjects have successfully cleared UserAssist before the investigation — and when they do, the absence of UserAssist data (while other artifacts remain intact) is itself evidence of deliberate cleanup activity.
MITRE ATT&CK Detection Mapping
UserAssist data provides evidentiary support for detecting the following techniques:
| Technique | Name | UserAssist Evidence |
|---|---|---|
| T1204 | User Execution | Direct evidence of user-initiated program launch with timestamp, run count, and focus time |
| T1059 | Command and Scripting Interpreter | GUI-launched cmd.exe or powershell.exe entries with focus time indicating interactive use |
| T1218 | System Binary Proxy Execution | Entries for mshta.exe, rundll32.exe, or msiexec.exe launched via GUI with unusual focus patterns |
Related Artifacts & Cross-Correlation
| Artifact | Relationship to UserAssist | Cross-Correlation Value |
|---|---|---|
| Shimcache | System-wide file existence proof | Shimcache proves the file existed; UserAssist proves which user launched it |
| Amcache | SHA-1 hash and publisher metadata | Amcache identifies the exact binary; UserAssist attributes the launch to a specific user |
| Prefetch | System-wide execution with DLL dependencies | Prefetch proves execution with loaded modules; UserAssist adds user attribution and focus time |
| BAM/DAM | Execution timestamps for background apps | BAM captures background execution; UserAssist captures foreground GUI usage with focus duration |
| SRUM.db | Network transfer data per application | SRUM shows network activity; UserAssist shows when and how long the user actively operated the tool |
| Security.evtx (4688) | Process creation with command-line arguments | Event 4688 provides command-line context; UserAssist confirms the launch was user-initiated via GUI |
References
- Didier Stevens, “UserAssist.py — UserAssist Registry Key Parser” — https://blog.didierstevens.com/programs/userassist/
- Eric Zimmerman, “Registry Explorer / RECmd” — https://ericzimmerman.github.io/
- SANS Institute, “UserAssist Forensics” — https://www.sans.org/blog/
- Harlan Carvey, “RegRipper — Windows Registry Forensics” — https://github.com/keydet89/RegRipper3.0
- 13Cubed, “UserAssist Analysis for DFIR” — https://www.13cubed.com/blog
- Microsoft, “Windows Shell Explorer Internals” — https://learn.microsoft.com
- ForensicArtifacts.com, “Windows UserAssist Definition” — https://github.com/ForensicArtifacts/artifacts
Mjolnir Security — Digital Forensics & Incident Response
Mjolnir Security provides 24/7 incident response, digital forensics, and expert witness testimony. Our DFIR team specializes in UserAssist analysis, insider threat investigations, and user-attributed execution evidence for litigation support.
mjolnirsecurity.com — 24/7: +1 833 403 5875