05.02.06
XP Built-in monitoring feature
by Chetan Gupta, NII Consulting
Windows XP has a built-in feature, UserAssist, that acts as a monitoring tool and greatly aids the forensic investigation of Windows systems. UserAssist records user access to specific objects on the system, such as executables, Control Panel applets and shortcut files. These records are stored in the registry under the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
This key contains two subkeys whose names closely resemble GUIDs (globally unique identifiers). Each of them contains a further subkey called 'Count', which holds the access records for the various objects. However, these entries are 'encrypted' with the substitution cipher known as 'ROT-13'. The full paths of the two keys are:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Encryption using ROT13
According to Wikipedia, ROT13 ("rotate by 13 places", sometimes hyphenated ROT-13) is a simple Caesar cipher used for obscuring text by replacing each letter with the letter thirteen places down the alphabet. A becomes N, B becomes O, and so on up to M, which becomes Z; then the sequence wraps around: N becomes A, O becomes B and so on to Z, which becomes M.
Decrypting Rot-13 encrypted entries
An online ROT13 decryption program is available at http://www.degraeve.com/rot13.php. You can also save the page and use the decryption feature offline.
How to decrypt the UserAssist entries?
- Open Regedit and navigate to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
- Right-click the 'Count' subkey and export its contents to a .reg file
- Open the .reg file with an editor such as Notepad and copy the contents
- Paste the contents into the decryption program mentioned above and you are done!
If there is an entry indicating that a 'tracks eraser' program such as Evidence Eliminator was run, it definitely puts the user under suspicion as to why he wanted to erase the trail of his activity on the machine. A typical decrypted output looks something like this:
"UEME_RUNPATH:C:\\WINDOWS\\system32\\NOTEPAD.EXE"=urk:83,00,00,00,n2,02,00,00,\ 10,qo,77,02,rr,84,p6,01
"UEME_RUNPATH:C:\\PROGRA~1\\MOZILL~2\\THUNDE~1.EXE"=urk:80,00,00,00,9p,00,00,\ 00,60,q8,sr,48,30,82,p6,01
"UEME_RUNPIDL"=urk:83,00,00,00,10,08,00,00,80,62,44,9p,pp,84,p6,01
"UEME_RUNPIDL:::{2559A1F5-21D7-11D4-BDAF-00C04F60B9F0}"=urk:80,00,00,00,9p,00,\ 00,00,r0,s2,04,49,30,82,p6,01
"UEME_RUNPATH:C:\\WINDOWS\\System32\\cmd.exe"=urk:83,00,00,00,n2,00,00,00,50,\ n9,61,40,9n,84,p6,01
"UEME_UISCUT"=urk:83,00,00,00,p3,00,00,00,70,on,56,31,s1,84,p6,01
"UEME_RUNPATH:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=urk:83,00,00,00,1s,01,\ 00,00,70,on,56,31,s1,84,p6,01
"UEME_UIQCUT"=urk:83,00,00,00,pp,07,00,00,70,r9,69,30,s1,84,p6,01
"UEME_RUNPATH:WinTasks.lnk"=urk:02,00,00,00,07,00,00,00,q0,o0,ns,30,r3,02,p6,\ 01
"UEME_RUNPIDL:%csidl2%\\Evidence Eliminator"=urk:04,00,00,00,07,00,00,00,r0,os,\ sp,2p,n5,0s,p6,01
"UEME_RUNPATH:C:\\WINDOWS\\system32\\shell32.dll"=urk:82,00,00,00,47,00,00,00,\ 00,p0,26,q9,p1,83,p6,01
"UEME_RUNPATH:C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=urk:83,\ 00,00,00,30,00,00,00,90,03,45,60,7n,84,p6,01
As we can see, there is an entry suggesting that the user did run Evidence Eliminator on his system; he definitely owes the investigator an explanation!
Kush Wadhwa Said:
June 21, 2006 at 5:44 pm
Article was really good one. Good going!
Mahoney Said:
June 22, 2006 at 11:59 pm
Good find. Two questions:
1. What is UEME?
2. How do you read the numbers listed after it? Do they tell you when or how many times something is run?
I’m guessing this is used for determining what to put on the start menu section that shows the ‘most used’ programs. Why did MS obscure it? If it’s important it seems it would need stronger protection.
Peter Fellini Said:
June 23, 2006 at 3:17 pm
The HKEY was cut off in the document; what is the actual HKEY path?
Thanks
Chetan Gupta Said:
June 23, 2006 at 8:03 pm
Thanks Mr Fellini for pointing it out. I have updated the article and added the full paths of the two keys.
Mr Mahoney, you have raised excellent points! An update to this article is on the line which would talk about correlating prefetch logs with UserAssist keys, getting the timestamp values out of the entries and some more advanced features such as disabling encryption and logging automatically. It will also include some tools such as UserAssistSpy which specifically deal with this feature! I hope that article will answer all your queries!
Thanks for the valuable feedback!
Chetan
Pete Yevchak Said:
July 4, 2006 at 1:52 pm
I’ve looked at both those keys in the registry here and there is NO “count” sub-key on either. Am i doing something wrong? Pete
keydet89 Said:
July 12, 2006 at 11:04 am
Something interesting to add to this: many of the UserAssist entries have data associated with the values. Where the data is 16 bytes (i.e., 4 DWORD values) long, and something other than zeros, the second DWORD value is the "run count" (MS allegedly starts incrementing at 5, though I haven't seen any official MS documentation to that effect). The last two DWORDs are the "last run time", a FILETIME object showing when the PIDL was last accessed.
I use Technology Pathways’ ProDiscover product for forensic analysis of Windows systems, and wrote a ProScript that will not only un-Rot-13 the info for me, but show the timestamp values, as well as list them in sorted order (for timeline analysis).
H. Carvey
http://windowsir.blogspot.com
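Harlan's description of the 16-byte data, combined with the article's ROT13 decoding step, as an added Python example (not code from the article, and not the ProScript mentioned above): it parses a constructed Regedit export of a Count key, decodes the value names, and reads the second DWORD as the raw run count and the last eight bytes as a FILETIME. The first DWORD's meaning is not documented on this page, so it is only reported, not interpreted.

```python
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample of a raw Regedit export of a UserAssist Count key, before
# any ROT13 decoding: names are ROT13-obscured, data is 16 bytes of hex, and a
# trailing backslash continues a long value onto the next line.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
"HRZR_EHACNGU:P:\\JVAQBJF\\flfgrz32\\ABGRCNQ.RKR"=hex:83,00,00,00,a2,02,00,00,\
  10,db,77,02,ee,84,c6,01
"HRZR_EHACVQY"=hex:83,00,00,00,10,08,00,00,80,62,44,9c,cc,84,c6,01
'''

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(s):
    return codecs.decode(s, "rot_13")


def filetime_to_datetime(ft):
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_userassist_export(text):
    # Join .reg continuation lines, then pick out every "name"=hex:... value
    joined = re.sub(r"\\\r?\n\s*", "", text)
    entries = []
    for m in re.finditer(r'^"((?:[^"\\]|\\.)*)"=hex:([0-9a-fA-F,]+)$', joined, re.M):
        name = rot13(m.group(1)).replace("\\\\", "\\")  # .reg doubles backslashes
        data = bytes(int(b, 16) for b in m.group(2).split(","))
        entry = {"name": name, "first_dword": None, "run_count": None, "last_run": None}
        if len(data) == 16 and any(data):
            # Layout per Carvey's comment: DWORD (undocumented), DWORD run count
            # (said to start at 5), then an 8-byte FILETIME of the last run.
            first, count, ft = struct.unpack("<IIQ", data)
            entry.update(first_dword=first, run_count=count,
                         last_run=filetime_to_datetime(ft) if ft else None)
        entries.append(entry)
    # Oldest last-run first, for timeline analysis; entries without a time sort first
    entries.sort(key=lambda e: e["last_run"] or EPOCH_1601)
    return entries


if __name__ == "__main__":
    for e in parse_userassist_export(SAMPLE_REG):
        print(e["last_run"], e["run_count"], e["name"])
```

Note that the article's sample output above was produced by ROT13-ing the whole export, which also rotates the hex digits (hex: becomes urk:, a2 becomes n2); this parser decodes only the value names, so the data bytes stay intact.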
keydet89 Said:
July 13, 2006 at 11:49 am
> 1. What is UEME?
No clue. However, for an explanation of pointers to ID lists, or PIDLs, check this out:
http://www.codeproject.com/shell/namespcextguide1.asp
> 2. How do you read the numbers listed after it? They tell you when or how
> many time something is run?
I haven't seen any references regarding the content of the first DWORD. The second DWORD allegedly holds the run count, with the count starting at 5 (0x05). The last two DWORDs hold the FILETIME object for the time that the app was last run.
Hope that helps,
Harlan
http://windowsir.blogspot.com
Chetan Said:
July 14, 2006 at 11:15 am
Hey pete,
The correct path to the keys is
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
hope it works now!
chetan
Checkmate » UserAssist Revisited! - e-zine on Digital Forensics and Incident Response Said:
July 16, 2006 at 9:54 am
[…] In my previous article on Userassist, I had mentioned how UserAssist records user access of specific objects on the system and how it would greatly aid forensic investigations. Although, I had shown how to decrypt the keys, the important thing that was missing was how to interpret the 16 bytes of data associated with the entries. (Thanks to Harlan Carvey for providing his valuable inputs on this.) […]
Kush Wadhwa Said:
June 1, 2007 at 1:45 pm
Hello Guys,
I have finally found what UEME is!
All the link files and executable files will be preceded by UEME_RUNPATH. When a program is run, its path is encoded and recorded as the value name. Because this key is tracking the frequency and recency of programs and other accesses, it stands to reason that we should find that information in the data portion of this value.
Same case is for other UEME. They also stand for particular application.