Source: GitHub Author: unknown URL: https://github.com/MHaggis/PowerShell-Hunter/tree/main/UserAssist
ONE SENTENCE SUMMARY: The UserAssist Registry Analyzer is a forensic PowerShell tool that extracts and decodes Windows UserAssist registry data to reveal user activity.

MAIN POINTS:

- UserAssist keys track application execution, usage frequency, and timestamps for digital forensic investigations.
- Located in the registry under HKEY_CURRENT_USER, with specific GUIDs for different execution types.
- Entries use ROT13 encoding and contain binary data such as the session ID, run count, and focus time.
- Compatible with Windows 7 through 11, automatically handling version-specific structure differences.
- No installation required; the script runs with PowerShell 5.1+ and administrator privileges.
- Outputs data in JSON, CSV, and HTML formats for flexibility in analysis and reporting.
- Extracted data includes decoded application names, run frequency, and last execution timestamps.
- Useful for reconstructing user timelines, detecting unusual behavior, and identifying anti-forensics attempts.
- Integrates with other forensic tools and artifacts such as Prefetch, Event Logs, Jump Lists, and BAM/DAM data.
- Part of the PowerShell-Hunter project, designed for defenders conducting Windows forensic analysis.
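The decoding the points above describe (ROT13 value names, a version-dependent binary blob with session ID, run count, focus time and a last-run FILETIME) is shown here as an added example written in Python for offline hive analysis; it is not code from PowerShell-Hunter or from the UserAssist Registry Analyzer. It assumes the commonly documented UserAssist layouts: a 16-byte value on XP/2003 and a 72-byte value on Windows 7 and later with the last-run FILETIME at offset 60. The subkey GUIDs, the System32 known-folder GUID and the registry path are standard Windows values rather than values taken from this page, and the three sample entries are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Per-user registry path holding the UserAssist data (HKCU on a live system, or a loaded NTUSER.DAT hive).
USERASSIST_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"

# Subkey GUIDs Explorer uses for the two execution types; the values sit under <GUID>\Count.
USERASSIST_GUIDS = {
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}": "executable file execution",
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": "shortcut (.lnk) file execution",
}

# Value names often start with a known-folder GUID instead of a literal path; one common mapping.
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"C:\Windows\System32",
}

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means the entry has never been run."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the constructed sample below."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def decode_name(encoded):
    """Value names are ROT13-obfuscated. Only letters rotate, so digits, braces, '-' and '\\'
    pass through, and the hex letters A-F of an embedded GUID appear as N-S in the raw name."""
    decoded = codecs.decode(encoded, "rot_13")
    for guid, folder in KNOWN_FOLDERS.items():
        if decoded.upper().startswith(guid):
            decoded = folder + decoded[len(guid):]
    return decoded


def parse_value_data(raw):
    """Parse the REG_BINARY data. 16 bytes is the XP/2003 layout (session, run count, FILETIME);
    72 bytes is the Windows 7+ layout (session, run count, focus count, focus time in ms at
    offsets 0-15, then float counters, and the last-run FILETIME at offset 60)."""
    if len(raw) == 16:
        session, run_count, last_ft = struct.unpack("<IIQ", raw)
        focus_count = focus_ms = None
    elif len(raw) == 72:
        session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", raw, 0)
        last_ft = struct.unpack_from("<Q", raw, 60)[0]
    else:
        raise ValueError(f"unexpected UserAssist data length {len(raw)}")
    return {"session_id": session, "run_count": run_count, "focus_count": focus_count,
            "focus_time_ms": focus_ms, "last_run": filetime_to_datetime(last_ft)}


def build_timeline(entries):
    """entries: iterable of (subkey GUID, raw value name, value bytes) as read from <GUID>\\Count.
    Returns decoded records sorted newest first, with never-run entries at the end."""
    records = []
    for guid, name, raw in entries:
        rec = parse_value_data(raw)
        rec["type"] = USERASSIST_GUIDS.get(guid.upper(), "unknown subkey " + guid)
        rec["program"] = decode_name(name)
        records.append(rec)
    records.sort(key=lambda r: (r["last_run"] is None,
                                -r["last_run"].timestamp() if r["last_run"] else 0))
    return records


def make_win7_value(session, run_count, focus_count, focus_ms, last_run_iso):
    """Build a 72-byte Windows 7+ blob from field values (constructed sample data, not a capture)."""
    blob = bytearray(72)
    struct.pack_into("<IIII", blob, 0, session, run_count, focus_count, focus_ms)
    last_ft = datetime_to_filetime(datetime.fromisoformat(last_run_iso)) if last_run_iso else 0
    struct.pack_into("<Q", blob, 60, last_ft)
    return bytes(blob)


# Constructed sample: three Count values as they would be read from the hive (names still ROT13).
SAMPLE_ENTRIES = [
    ("{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}", r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr",
     make_win7_value(3, 7, 12, 90_000, "2024-03-15T10:30:00+00:00")),
    ("{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}", r"P:\Hfref\Choyvp\Qrfxgbc\Abgrcnq.yax",
     make_win7_value(3, 2, 4, 5_000, "2024-03-16T08:05:00+00:00")),
    ("{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}", r"P:\Cebtenz Svyrf\Rknzcyr\gbby.rkr",
     make_win7_value(3, 0, 0, 0, None)),
]

if __name__ == "__main__":
    for rec in build_timeline(SAMPLE_ENTRIES):
        when = rec["last_run"].isoformat() if rec["last_run"] else "never"
        print(f"{when:26} runs={rec['run_count']:<3} focus_ms={rec['focus_time_ms']:<7} "
              f"{rec['type']}: {rec['program']}")
```

On a real hive the tuples in `SAMPLE_ENTRIES` would come from enumerating each `<GUID>\Count` subkey under `USERASSIST_KEY`; the parser deliberately rejects any other blob length rather than guessing, because an unexpected size usually means a different Windows build or a truncated export, and silently mis-reading offsets would put wrong timestamps into a timeline.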

TAKEAWAYS:

- UserAssist keys are crucial for proving and analyzing program execution on Windows systems.
- The analyzer simplifies decoding ROT13-obfuscated registry entries into readable user activity data.
- Data export options make it easy to visualize and correlate findings with other forensic artifacts.
- Effective in uncovering tampering, hidden activity, or suspicious application usage.
- Streamlines incident response and forensic workflows by automating registry data extraction and analysis.