Source: GitHub
Author: unknown
URL: https://github.com/MHaggis/PowerShell-Hunter/tree/main/UserAssist
# ONE SENTENCE SUMMARY:
The UserAssist Registry Analyzer is a forensic PowerShell tool that extracts and decodes Windows UserAssist registry data to reveal user activity.
# MAIN POINTS:
1. UserAssist keys track application execution, usage frequency, and timestamps for digital forensic investigations.
2. Located in the registry under HKEY_CURRENT_USER with specific GUIDs for different execution types.
3. Entries use ROT13 encoding and contain binary data like session ID, run count, and focus time.
4. Compatible with Windows 7 through 11, automatically handling version-specific structure differences.
5. No installation required; script runs with PowerShell 5.1+ and administrator privileges.
6. Outputs data in JSON, CSV, and HTML formats for flexibility in analysis and reporting.
7. Extracted data includes decoded application names, run frequency, and last execution timestamps.
8. Useful for reconstructing user timelines, detecting unusual behavior, and identifying anti-forensics attempts.
9. Integrates with other forensic tools like Prefetch, Event Logs, Jump Lists, and BAM/DAM data.
10. Part of the PowerShell-Hunter project, designed for defenders conducting Windows forensic analysis.
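Points 2, 3 and 7 above describe the mechanics the tool automates: value names under the UserAssist GUID subkeys are ROT13-encoded, and each value's binary payload carries the session ID, run count, focus time and last-executed FILETIME. The following PowerShell is an added example, not code from the PowerShell-Hunter project; it decodes a constructed sample offline and also shows a live read of the current user's hive. The sample value name and byte layout are constructed for illustration, and the offsets used are the documented Windows 7 and later 72-byte layout (Windows XP's 16-byte layout is intentionally rejected rather than parsed).

```powershell
# Added example, not part of the PowerShell-Hunter UserAssist tool.
# Decodes ROT13 UserAssist value names and parses the Windows 7+ 72-byte value.

function ConvertFrom-Rot13 {
    param([Parameter(Mandatory)][string]$Text)
    # Rotate ASCII letters by 13 positions; digits, braces, backslashes pass through.
    $out = foreach ($c in $Text.ToCharArray()) {
        if     ($c -cge 'A' -and $c -cle 'Z') { [char]((([int]$c - 65 + 13) % 26) + 65) }
        elseif ($c -cge 'a' -and $c -cle 'z') { [char]((([int]$c - 97 + 13) % 26) + 97) }
        else { $c }
    }
    -join $out
}

function ConvertFrom-UserAssistValue {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # Windows 7+ layout (little-endian): offset 0 session id, 4 run count,
    # 8 focus count, 12 focus time in ms, 60 last-executed FILETIME (UTC).
    # Windows XP used a 16-byte layout with a different run-count base; reject it.
    if ($Bytes.Length -lt 72) {
        throw "Expected a 72-byte Windows 7+ value, got $($Bytes.Length) bytes"
    }
    $fileTime = [BitConverter]::ToInt64($Bytes, 60)
    # A zero FILETIME means the entry has no recorded execution time.
    $lastRun  = if ($fileTime -gt 0) { [DateTime]::FromFileTimeUtc($fileTime) } else { $null }
    [pscustomobject]@{
        SessionId    = [BitConverter]::ToUInt32($Bytes, 0)
        RunCount     = [BitConverter]::ToUInt32($Bytes, 4)
        FocusCount   = [BitConverter]::ToUInt32($Bytes, 8)
        FocusTimeMs  = [BitConverter]::ToUInt32($Bytes, 12)
        LastExecuted = $lastRun
    }
}

function Get-UserAssistEntries {
    # Live read of the current user's hive (Windows only). Each GUID subkey under
    # UserAssist has a Count subkey whose ROT13 value names are the tracked items.
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
    foreach ($guidKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $count = Get-Item -Path (Join-Path $guidKey.PSPath 'Count') -ErrorAction SilentlyContinue
        if (-not $count) { continue }
        foreach ($name in $count.GetValueNames()) {
            $parsed = ConvertFrom-UserAssistValue -Bytes ([byte[]]$count.GetValue($name))
            $parsed | Add-Member -NotePropertyName Name -NotePropertyValue (ConvertFrom-Rot13 $name) -PassThru
        }
    }
}

# Constructed sample: ROT13 of a System32 known-folder GUID followed by cmd.exe,
# plus a 72-byte value with session 7, 12 runs, 3 focus events, 45 s focus time.
$sampleName  = '{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr'
$sampleBytes = New-Object byte[] 72
[BitConverter]::GetBytes([uint32]7).CopyTo($sampleBytes, 0)
[BitConverter]::GetBytes([uint32]12).CopyTo($sampleBytes, 4)
[BitConverter]::GetBytes([uint32]3).CopyTo($sampleBytes, 8)
[BitConverter]::GetBytes([uint32]45000).CopyTo($sampleBytes, 12)
$when = [DateTime]::new(2024, 1, 15, 9, 30, 0, [DateTimeKind]::Utc)
[BitConverter]::GetBytes($when.ToFileTimeUtc()).CopyTo($sampleBytes, 60)

$entry = ConvertFrom-UserAssistValue -Bytes $sampleBytes
$entry | Add-Member -NotePropertyName Name -NotePropertyValue (ConvertFrom-Rot13 $sampleName)
$entry | Format-List
```

Running the script prints the decoded name `{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe` with RunCount 12 and LastExecuted 2024-01-15 09:30:00 UTC. `Get-UserAssistEntries` applies the same two functions to every GUID subkey on a live system, which is the point where the tool's CSV/JSON/HTML export and correlation with Prefetch or BAM/DAM timestamps would pick up; entries whose LastExecuted is null despite a nonzero RunCount are worth a second look during timeline reconstruction.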
# TAKEAWAYS:
1. UserAssist keys are crucial for proving and analyzing program execution on Windows systems.
2. The analyzer simplifies decoding ROT13-obfuscated registry entries into readable user activity data.
3. Data export options make it easy to visualize and correlate findings with other forensic artifacts.
4. Effective in uncovering tampering, hidden activity, or suspicious application usage.
5. Streamlines incident response and forensic workflows by automating registry data extraction and analysis.