Loads information such as "the list of programs recently executed, the last run time, and the execution count" stored in the registry file. Using the loaded data, you can check the name and list of recently executed applications and use the time and number of recently executed applications for analysis.


reg-user-assists [zipcharset=CHARSET] [zippath=ZIPFILE_PATH] FILE_PATH
Required Parameter
Path to the registry file. Using a wildcard (*) in the file name, you can retrieve all files containing a specific string pattern in the file name (e.g. D:\data\registry\*). If you provided the zippath option, input the registry file path in the ZIP file.
Optional Parameter
Character set to be used to decode the ZIP entry name and comment that are not encoded by UTF-8 encoding. Use the preferred MIME name or aliases registered in the following document:
Path to the ZIP file


The output fields are as follows:

keyStringExecutable file path
session_numIntegerSession number
exec_countIntegerNumber of times of execution
focus_timeIntegerTime activated
last_executionDateLast run time
last_writtenDateLast written time


  1. Retrieve information by providing the file path.

    reg-user-assists D:\data\registry\NTUSER.DAT
  2. Retrieve information when the zippath option is provided.

    reg-user-assists zippath=D:\data\ registry\NTUSER.DAT