Didier Stevens has released the latest iteration of his incredibly handy tool, UserAssist. In a nutshell, the tool displays a table of all the programs executed on a Windows machine, including the “running count and last execution date and time”. It requires the .NET 2.0 framework to be installed in order to run. A very handy application.

From his blog:

I’m releasing version 2.3.0 of my UserAssist tool with these new features:

* saved CSV files have a header.
* entries are highlighted in red when they match a user-specified search term (which can be a regular expression). This is my answer to the persons asking for a search feature. As I didn’t want to bother with a Find Next function, I decided to implement a highlight feature.
* the Save command also supports HTML.
* support for the IE7 UserAssist GUID key {0D6D4F41-2994-4BA0-8FEF-620E43CD2812}
* registry hive files (usually called NTUSER.DAT files) can be loaded directly with the tool. The tool will load the DAT file temporarily in the registry, read the UserAssist keys and unload the file. This feature is experimental, because I didn’t write the code yet for all the exceptions (invalid NTUSER.DAT file, no access rights to the file, no rights to load the file, failure to unload the file, …).

Other requests, like a command-line option, will be investigated. I’m also researching special values of the count property, for example when a program is removed from the start menu list.

Be sure to add his RSS feed to your reader of choice. It’s a great read. To download the tool, head over to his site.
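
For readers who want to see what sits behind the table the tool displays, here is an added example (not code from Didier Stevens' tool or from his post) that decodes a single UserAssist registry value. It assumes the Windows XP-era layout: ROT13-encoded value names and 16 bytes of data holding a session id, a run counter that starts at 5, and a FILETIME; the sample name and bytes are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Assumption: XP-era record = DWORD session id, DWORD run counter, 64-bit FILETIME.
XP_RECORD = struct.Struct("<IIQ")
COUNT_BASE = 5  # assumption: the stored counter starts at 5 on these systems
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert 100 ns ticks since 1601-01-01 UTC; 0 means no timestamp."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_userassist(value_name, data):
    """Decode one value (name + raw data) from a UserAssist Count key."""
    entry = {
        "name": codecs.decode(value_name, "rot_13"),  # names are ROT13-encoded
        "session": None, "raw_count": None, "count": None, "last_run": None,
    }
    if len(data) != XP_RECORD.size:
        # Other sizes (session markers, newer Windows layouts) are left undecoded.
        return entry
    session, raw_count, ft = XP_RECORD.unpack(data)
    entry.update(
        session=session,
        raw_count=raw_count,  # kept so unusual counter values stay visible
        count=max(raw_count - COUNT_BASE, 0),
        last_run=filetime_to_datetime(ft),
    )
    return entry


# Constructed sample, not taken from a real hive.
SAMPLE_NAME = r"HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\pnyp.rkr"
SAMPLE_DATA = struct.pack("<IIQ", 2, 8, 128166372000000000)

if __name__ == "__main__":
    e = decode_userassist(SAMPLE_NAME, SAMPLE_DATA)
    print(e["name"], e["count"], e["last_run"])
```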
