UserAssist — with a pinch of Salt — As an “Evidence of Execution”

imp hash
Nov 2, 2020

Lately, I have been experimenting with UserAssist keys on my Windows 10 machine with OS build 18362. I have made some interesting observations that I would like to share with you guys.

There are 2 categories of observations.

Type 1 — A program/app is not executed on the system but it still appears under the UserAssist key.
Type 2 — A program/app is executed on the system and it gets registered, but with 0 Run Count (and a blank “last executed” date in some cases).

We will start with Type 1, as it seems to directly question the reliability of this artifact as an “Evidence of Execution”, and then we will move to Type 2.

Observation 1: Execution gets recorded under UserAssist even if an app/program is not executed

While experimenting with UserAssist keys, I observed a really interesting thing: even if a program/app is not executed on the system, it still gets registered under a UserAssist key by merely opening the path to the shortcut of that specific program/app.

That means, if there is no entry for a specific program/app in the UserAssist key and I open just the path to the shortcut of that program (and not the program itself) by right-clicking on the app icon in the Cortana search and clicking on the “Open the File Location” option, a new entry will be added to one of the UserAssist keys — {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} with a Run Count of 1 and the last execution time populated appropriately.

If there is already an entry in the UserAssist key for that specific program/app (because of previous executions), then the Run Count is incremented by 1 with the appropriate last execution time.

This is completely weird behavior, as it will raise doubt about the reliability of this artifact as an “Evidence of Execution”.

To explain this behavior, let’s say I have WinSCP.exe executed once on my system and, as evidence of execution, I found this under the UserAssist key — {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}.

Figure 1. WinSCP.exe details — Before

You can see here that the WinSCP.exe has been executed on 01/11/2020 at 8:29:24 UTC. The Run Count for the same is 1.

Now, let’s open the path to WinSCP.exe by right-clicking on the shortcut that appears in the Cortana search. Just opening the path/location to this exe will increase the count of executions (Run Count) in the UserAssist key.

Figure 2. Opening the path to the shortcut of WinSCP.exe through Cortana Search
Figure 3. Path to the shortcut of WinSCP.exe

After this, I recaptured the NTUSER.DAT to observe the changes in UserAssist.

Figure 4. WinSCP.exe details — After

You can see here that the Run Count of WinSCP.exe has been incremented by 1 (now the Run Count is 2) and the “last execution time” is also updated to 02/11/2020 5:31:41 UTC, which is when I opened the path to the shortcut of WinSCP.exe.

You can see here that WinSCP.exe was not run on the machine; we just opened the path to this exe, and the Run Count and the execution time are updated under the UserAssist.

Secondly, I thought to open the path to an exe/program/app which has no entry at all in my UserAssist and see if, by merely opening the path to that exe, we get a new entry in the UserAssist.

I did not have an entry for mimikatz.exe in my UserAssist. Moreover, I had a total of 295 entries under {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}.

Figure 5. Total Entries (295) under {CEBFF5CD-XX} — Before

Then, I created a shortcut to mimikatz.exe, put it in the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs, and followed the same method.

Figure 6. Opening the path to the shortcut of mimikatz.exe through Cortana Search

I did not run mimikatz.exe; I just opened the path where the shortcut of mimikatz.exe resides.

Figure 7. Path to the shortcut of mimikatz.exe

I recaptured the NTUSER.DAT after this and voila!! I see the entry for mimikatz.exe with Run Count 1 with the last execution date.

Figure 7. mimikatz.exe gets registered even though it was not executed

You can see the total entries have also been incremented by 1 (i.e. 296). You can see the entry for mimikatz.exe (original path to the exe, not the shortcut) with a Run Count of 1 and the execution date. In reality, I have NOT run mimikatz.exe at all on my system.

This will clearly raise questions about the reliability of this artifact as an “Evidence of Execution”!!

Observation 2: Multiple applications with 0 Run Count and blank “last execution” field

While reviewing UserAssist keys, I came across a number of entries with 0 (Zero) Run Count.

Now, that is strange behavior. If a program was executed, how come it has a Zero Run Count? Or, if it was not executed (which justifies the 0 Run Count), how come it ended up in the UserAssist keys? Moreover, I observed that quite a few entries within the subset with 0 Run Count have no “last execution date” logged.

Following is the summary of my UserAssist key — {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}

Figure 8. Summary of my UserAssist key

As we can see, there are a total of 295 entries in the UserAssist key — {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}. Out of these 295 entries, 265 entries have a 0 (Zero) run count. The other observation is that out of the 265 with 0 run count, 115 entries do not have the “last execution date” logged whereas 150 entries have it logged.
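As an added example (not the author's tooling), the Python below decodes raw UserAssist values and tallies them into the same three buckets as the summary above. It assumes the Windows 7 and later layout, with ROT13-encoded value names and 72-byte data holding the run count at offset 4 and the last-run FILETIME at offset 60; the function names and sample values are constructed for illustration.

```python
import codecs
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

ENTRY_SIZE = 72  # Windows 7+ UserAssist value data length (assumed layout)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_entry(rot13_name, data):
    """Decode one UserAssist value: ROT13 name plus 72-byte binary data."""
    if len(data) != ENTRY_SIZE:
        raise ValueError(f"unexpected UserAssist data size: {len(data)}")
    run_count = struct.unpack_from("<I", data, 4)[0]   # uint32 at offset 4
    filetime = struct.unpack_from("<Q", data, 60)[0]   # FILETIME at offset 60
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means "not set".
    last_run = (FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
                if filetime else None)
    return {"name": codecs.decode(rot13_name, "rot_13"),
            "run_count": run_count, "last_run": last_run}

def bucket(entry):
    """Place an entry in one of the three categories used in the summary."""
    if entry["run_count"] > 0:
        return "run_count>0"
    return "zero_count_with_date" if entry["last_run"] else "zero_count_no_date"

def summarize(values):
    """Tally (name, data) pairs, skipping values that are not 72-byte entries."""
    return Counter(bucket(parse_entry(n, d)) for n, d in values
                   if len(d) == ENTRY_SIZE)

def make_data(run_count, filetime):
    """Build constructed 72-byte value data for the sample below."""
    buf = bytearray(ENTRY_SIZE)
    struct.pack_into("<I", buf, 4, run_count)
    struct.pack_into("<Q", buf, 60, filetime)
    return bytes(buf)

# Constructed sample values, not taken from the author's NTUSER.DAT.
FT = 132486929640000000  # 2020-11-01 08:29:24 UTC as a FILETIME
SAMPLE = [
    (codecs.encode(r"C:\Tools\WinSCP.exe", "rot_13"), make_data(2, FT)),
    (codecs.encode(r"C:\Windows\System32\notepad.exe", "rot_13"), make_data(0, FT)),
    (codecs.encode(r"C:\Windows\System32\calc.exe", "rot_13"), make_data(0, 0)),
    ("fubeg_inyhr", b"\x00" * 16),  # constructed short value, skipped
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE).items()):
        print(f"{label}: {count}")
```
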

This behavior has been discussed by @David Cowen in one of his episodes of “Forensic Lunch” series. You can find the video here https://www.youtube.com/watch?v=xBJXHOmJnOM

I have read a research article by @Matthew Seyer where it has been said that if the app is started automatically (by adding it to the Start Menu\Programs\Startup directory) without the user’s manual intervention, then it will show up in the UserAssist but the Run Count and Date will not be updated.

This may be true, but there have to be other situations/reasons that generate similar or exact footprints in the UserAssist key. The reason why I am saying this is that there is no apparent reason why 265 programs should have run without the user’s intervention. Moreover, there are certain programs in that list of 265 that I can certainly say I executed, but they are still showing up with Run Count 0.

Figure 9. Snapshot of Programs with 0 Run Count and No dates

Please see the snapshot above of my UserAssist key. Certain entries do not have dates logged, whereas programs like notepad.exe, calc.exe, autoruns.exe, livekd64.exe were all executed by me manually multiple times in the past but still show run count 0.

I have not dug much deeper into this, but this is definitely strange behavior, where the program has been executed but the Run Count is not incremented and the Last Date/Time of Execution is not logged (in some cases).

I hope you enjoyed reading this article!! Please share your comments and feedback to me. My contact details are below or you can find me on LinkedIn.

That’s it for now, folks!! Happy hunting, fellas!!

by :
Kirtar Oza
Twitter : Krishna (@kirtar_oza)
LinkedIn: https://www.linkedin.com/in/kirtaroza/
email: kirtar.oza@gmail.com
