(IN)SECURE Magazine Issue 10

Page 75

The columns of the table are:

Key: This value is {5E6AB780-7743-11CF-A12B-00AA004AE837} or {75048700-EF1F-11D0-9888-006097DEACF9}. These are the keys found under the UserAssist registry key, and they are included in the table to distinguish the entries.

Index: This is a running counter indicating the sequence of values in the registry. At first, the entries are listed in the sequence they appear in the registry. You can sort columns by clicking on the header. To revert to the original sequence, sort the column Index and then the column Key.

Name: The name of the registry value entry. This references the program that was run. The value name is ROT13 encrypted; the displayed name is decrypted. ROT13, also known as the Caesar cipher, is a very simple encryption scheme where each letter is replaced with the letter thirteen places down the alphabet: A becomes N, B becomes O, and so on. For example, UEME_RUNPATH becomes HRZR_EHACNGU. I do not know why Microsoft decided to encrypt the UserAssist registry entries with such a simple scheme. There is a registry setting to prevent encryption of the log, but the UserAssist utility does not support this setting.

Unknown: A 4 byte integer, meaning unknown. It appears to be present only for session entries (UEME_CTLSESSION).

Session: This is the ID of the session (a 4 byte integer). When an entry is created in the UserAssist registry keys, the session is set equal to the session of the UEME_CTLSESSION entry. For example, assume the session ID of UEME_CTLSESSION is 123 and you launch notepad; the session ID for the notepad entry will then be 123.

Counter: This is the number of times the program was executed (a 4 byte integer).

Last: This is the last time the program was executed (an 8 byte datetime). Watch out for time zone differences when importing a REG file from a system with different regional settings. It is important to understand that there is only one entry per executed program: e.g., if notepad is executed twice, there will be only one entry in the table, with Counter equal to 2 and Last equal to the date and time notepad was last executed.

The result of executing these commands:

Notepad.exe
Calc.exe
Notepad.exe

is this table:

"UEME_RUNPATH:C:\Windows\system32\calc.exe","","146","1","3/01/2007 21:02:33"
"UEME_RUNPATH:C:\Windows\system32\notepad.exe","","146","2","3/01/2007 21:02:40"

You can save the table as a CSV file. This file can be imported into a spreadsheet program like Excel for further analysis or for inclusion in the forensic analysis report. To save the report, launch Commands / Save and type the name of the CSV file.
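As an added illustration of the columns and the ROT13 decoding described above (this is example code, not the UserAssist utility's own), the following Python decodes one registry value into the record the table shows. It assumes that the binary data of a run entry is 16 bytes laid out as a little-endian 4-byte Session, 4-byte Counter and 8-byte FILETIME Last, and it constructs the notepad entry from the table above as sample input.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed value layout for a UEME_RUNPATH entry:
# 4-byte little-endian session ID, 4-byte counter, 8-byte FILETIME "Last".
RUN_ENTRY = struct.Struct("<IIQ")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def rot13(text):
    """ROT13 as described in the article: shift letters 13 places, leave the rest."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + 13) % 26 + 65))
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + 13) % 26 + 97))
        else:
            out.append(ch)
    return "".join(out)

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01; returned as UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_run_entry(value_name, value_data):
    """Decode one UserAssist registry value into the utility's columns."""
    if len(value_data) != RUN_ENTRY.size:
        raise ValueError("unexpected data length %d" % len(value_data))
    session, counter, last = RUN_ENTRY.unpack(value_data)
    return {
        "Name": rot13(value_name),  # ROT13 is its own inverse
        "Session": session,
        "Counter": counter,
        "Last": filetime_to_datetime(last),
    }

def to_csv_row(entry):
    """Quoted CSV in the article's column order (Unknown left empty, Last in ISO form)."""
    fields = [entry["Name"], "", str(entry["Session"]), str(entry["Counter"]),
              entry["Last"].strftime("%Y-%m-%d %H:%M:%S")]
    return ",".join('"%s"' % f for f in fields)

# Constructed sample: the notepad entry from the article's table, with the
# binary data rebuilt here (session 146, counter 2, Last 2007-01-03 21:02:40 UTC).
SAMPLE_NAME = "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\abgrcnq.rkr"
SAMPLE_DATA = RUN_ENTRY.pack(146, 2, 128123317600000000)

if __name__ == "__main__":
    print(to_csv_row(parse_run_entry(SAMPLE_NAME, SAMPLE_DATA)))
```

Last is returned as an aware UTC timestamp, so the time zone conversion the text warns about happens explicitly in the spreadsheet or report rather than silently on import.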

Name entries

The key Names always start with UEME_. Examples are:

UEME_CTLSESSION: session key. This appears to increase by 1 each day you use the computer. I think the first 4 bytes of the binary data (column Unknown) are also a timestamp, but of another format which I've still to understand (it appears to count in units of 53.69 seconds).

UEME_RUNCPL: an entry created when the control panel is opened. It can be followed by a string to indicate which applet of the control panel was opened, like this entry for the Power Options applet:

www.insecuremag.com