reg-user-assists

Retrieves UserAssist registry data from an NTUSER registry hive file. UserAssist records information such as the run count, focus time, and last execution time of programs run by the user in Windows Explorer.

Command properties

Item                    Description
Command type            Driver query
Required permission     None
License usage           Licensed command
Parallel execution      Not supported
Distributed execution   Runs on Data Node (mapper)

Syntax

reg-user-assists [zipcharset=STR] [zippath=STR] FILE_PATH

Options

zipcharset=STR
Character encoding for ZIP entry names. Use a Preferred MIME Name or Alias registered in the IANA Character Sets registry. (default: utf-8)
zippath=STR
ZIP file path. When specified, queries registry hive files inside the ZIP archive.

Target

FILE_PATH
NTUSER registry hive file path. Use a wildcard (*) to query all files matching the pattern at once.

Output fields

Field           Type       Description
_file           string     Registry hive file name
key             string     Program path or name. ROT13-decoded; a leading known-folder GUID is replaced with its actual path.
session_num     integer    Session number
exec_count      integer    Run count. On versions before Windows Vista, the stored counter minus 5.
focus_time      integer    Focus time in milliseconds. Available only on Windows Vista and later; empty for older records.
last_execution  timestamp  Last execution time (stored as a FILETIME, UTC)
last_written    timestamp  Last write time of the registry key

Error codes

Parse errors

N/A

Runtime errors

N/A

Description

The reg-user-assists command reads the values under the Count subkey of each GUID subkey beneath Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist in an NTUSER registry hive file and parses them as UserAssist entries. Which GUID subkeys exist depends on the Windows version (older versions populate the first two below, Windows 7 and later the last two). Data is collected from the following GUID paths:

  • {75048700-EF1F-11D0-9888-006097DEACF9} — Active Desktop
  • {5E6AB780-7743-11CF-A12B-00AA004AE837} — Internet Explorer toolbar
  • {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} — Executable tracking
  • {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} — Shortcut tracking

UserAssist registry value names are ROT13-encoded and the command automatically decodes them. Known Windows GUIDs (e.g., {374DE290-123F-4565-9164-39C4925E467B}) are also converted to their actual folder paths (e.g., %USERPROFILE%\Downloads).

On Windows Vista and later, each Count value is a record of 72 bytes or more that carries the session number, run count, focus count, focus time and the last-execution FILETIME, so the focus_time field is additionally provided. On earlier versions the record is 16 bytes (session number, counter, FILETIME) and the counter starts at 5, so an offset of 5 is subtracted from it to return the actual run count. Values that are not program records (such as the session marker UEME_CTLSESSION) are skipped.
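To make the parsing described above concrete, the following is an added Python example; it is not the command's own source and not part of the original page. It ROT13-decodes value names, expands a leading known-folder GUID from a small assumed mapping (only the Downloads entry is taken from this page; the other two are added here), and picks the record layout by length rather than by Windows version, applying the counter offset of 5 to the 16-byte layout and converting the FILETIME to UTC. All sample values are constructed, not read from a real hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Subset of the Windows known-folder GUIDs that appear at the start of
# UserAssist names. Downloads is the one cited on this page; the other two
# are added for the example (assumed mapping, not taken from the command).
KNOWN_FOLDERS = {
    "{374DE290-123F-4565-9164-39C4925E467B}": "%USERPROFILE%\\Downloads",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": "%windir%",
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%windir%\\System32",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_COUNT_OFFSET = 5      # pre-Vista records store (run count + 5) in the counter field
VISTA_RECORD_SIZE = 72   # size of the newer Count record layout


def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means 'never'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used below only to build sample data."""
    td = dt - FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 10**6 + td.microseconds) * 10


def decode_name(raw_name):
    """ROT13-decode a UserAssist value name and expand a leading known-folder GUID."""
    name = codecs.decode(raw_name, "rot13")
    for guid, path in KNOWN_FOLDERS.items():
        if name.upper().startswith(guid):
            return path + name[len(guid):]
    return name


def parse_count_value(data):
    """Parse one Count value into the fields the command exposes.

    The layout is chosen by record length. Values with another length
    (e.g. the UEME_CTLSESSION session marker) are not program records: None.
    """
    if len(data) == 16:
        # Older layout: session(4) | counter(4) | FILETIME(8), little-endian
        session, counter, ft = struct.unpack("<IIQ", data)
        return {
            "session_num": session,
            "exec_count": counter - XP_COUNT_OFFSET,
            "focus_time": None,
            "last_execution": filetime_to_datetime(ft),
        }
    if len(data) >= VISTA_RECORD_SIZE:
        # Newer layout: session(4) | run count(4) | focus count(4) | focus time ms(4)
        #   | 10 floats(40) | unknown(4) | FILETIME(8) at offset 60 | unknown(4)
        session, count, _focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (ft,) = struct.unpack_from("<Q", data, 60)
        return {
            "session_num": session,
            "exec_count": count,
            "focus_time": focus_ms,
            "last_execution": filetime_to_datetime(ft),
        }
    return None


def parse_userassist(values):
    """Turn {rot13_name: raw_bytes} read from one Count key into output rows."""
    rows = []
    for raw_name, data in values.items():
        parsed = parse_count_value(data)
        if parsed is not None:
            rows.append({"key": decode_name(raw_name), **parsed})
    return rows


# Constructed sample values (not from a real hive): one record per layout
# plus the session marker that a parser must skip.
LAST_RUN = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
NEW_SAMPLE = (struct.pack("<IIII", 3, 7, 4, 120000) + b"\x00" * 44
              + struct.pack("<Q", datetime_to_filetime(LAST_RUN)) + b"\x00" * 4)
OLD_SAMPLE = struct.pack("<IIQ", 1, 12, datetime_to_filetime(LAST_RUN - timedelta(days=1)))
SAMPLE_VALUES = {
    "{374QR290-123S-4565-9164-39P4925R467O}\\frghc.rkr": NEW_SAMPLE,  # {374DE290-...}\setup.exe
    "HRZR_EHACNGU:P:\\Jvaqbjf\\abgrcnq.rkr": OLD_SAMPLE,              # UEME_RUNPATH:C:\Windows\notepad.exe
    "HRZR_PGYFRFFVBA": b"\x00" * 8,                                   # UEME_CTLSESSION
}

if __name__ == "__main__":
    # Most recently executed first, like example 3 below
    for row in sorted(parse_userassist(SAMPLE_VALUES),
                      key=lambda r: r["last_execution"] or FILETIME_EPOCH, reverse=True):
        print(row)
```

Selecting the layout by record length instead of by claimed Windows version is deliberate: a hive carried from an upgraded machine, or a mixed evidence set, can contain both layouts, and a length check never mis-assigns the FILETIME offset.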

In digital forensics, UserAssist analysis is used to identify programs the user ran through the Explorer shell (Start menu, desktop, shortcuts, double-click), how often they were run, and when they were last run. Programs started from a command prompt, a service or a scheduled task are not recorded here, so an absent entry does not prove a program was never executed.

Examples

  1. Retrieving UserAssist data from an NTUSER hive file

    reg-user-assists D:\evidence\NTUSER.DAT
    

    Retrieves program execution history from the specified NTUSER registry hive file.

  2. Querying an NTUSER hive file inside a ZIP archive

    reg-user-assists zippath=D:\evidence\registry.zip NTUSER.DAT
    

    Retrieves program execution history from an NTUSER registry hive file inside a ZIP archive.

  3. Sorting by last execution time

    reg-user-assists D:\evidence\NTUSER.DAT
    | sort -last_execution
    

    Sorts program execution history in descending order by last execution time, showing the most recently run programs first.

  4. Retrieving programs with a high run count

    reg-user-assists D:\evidence\NTUSER.DAT
    | search exec_count > 10
    | sort -exec_count
    

    Filters programs with a run count exceeding 10 and sorts them in descending order by run count.

  5. Querying multiple files with a wildcard

    reg-user-assists D:\evidence\*\NTUSER.DAT
    

    Retrieves program execution history from all NTUSER hive files matching the wildcard pattern.