Thursday, January 10, 2019

Daily Blog #593: Forensic Lunch Test Kitchen 1/10/19 Windows 10 Userassist

Hello Reader,
Tonight I changed the course of our testing with a slight detour, ok maybe a hard right, over to Windows 10 because I remembered an artifact that has been bugging me. The UserAssist artifact has been a friend of mine since 2002 (I wrote about it in 2004 in the first Hacking Exposed Computer Forensics), but it seems to have had a change in behavior starting in Windows 8. Suddenly we had values showing up in UserAssist with a run count of 0 and no last execution time. So to remedy this I decided to start some testing, and here is what we learned:

  • Running a Modern app will update the run count and the execution time
  • Running a desktop app will update the run count and the execution time
  • The focus count is still unreliable
  • The focus time is still unreliable
  • Rebooting does not zero out the values in the UserAssist keys
  • Some entries under the UserAssist CEBFF GUID key specifically do not appear to get updated, while other versions of the same program do (Process Hacker in this example)
  • Some programs don't get updated run counts or execution times; so far, Microsoft Edge and Cortana appear to behave that way

More testing is needed so we can determine what is affecting the expected behavior.
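To make the run count / last execution time behavior above concrete, here is an added example (my own, not code from the post) that decodes UserAssist values the way a parser would: ROT13 on the value name, then the run count, focus count, focus time and last-execution FILETIME from the Windows 7+ 72-byte blob, flagging entries that exist with a 0 run count and no timestamp. The sample values are constructed, not pulled from a real hive, and the offsets are the commonly documented ones (run count at 4, focus count at 8, focus time at 12, FILETIME at 60).

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME (100ns ticks since 1601-01-01 UTC) to datetime; 0 means never recorded."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse, in integer arithmetic so large tick counts stay exact."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_userassist_value(name, data):
    """Decode one Windows 7+ style UserAssist value: ROT13 name plus 72-byte blob.
    Offsets used: run count 4, focus count 8, focus time (ms) 12, last run FILETIME 60."""
    if len(data) < 68:
        raise ValueError("UserAssist blob too short: %d bytes" % len(data))
    run_count, focus_count, focus_time_ms = struct.unpack_from("<III", data, 4)
    (last_exec_ft,) = struct.unpack_from("<Q", data, 60)
    last_exec = filetime_to_datetime(last_exec_ft)
    return {
        "program": codecs.decode(name, "rot13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_time_ms,
        "last_executed": last_exec,
        # the anomaly discussed in the post: the entry exists but was never counted
        "never_updated": run_count == 0 and last_exec is None,
    }

def build_blob(run_count, focus_count, focus_time_ms, last_exec):
    """Construct a 72-byte blob for sample data (session id and the ten floats zeroed)."""
    ft = 0 if last_exec is None else datetime_to_filetime(last_exec)
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_time_ms)
            + b"\x00" * 44 + struct.pack("<QI", ft, 0))

# Constructed sample values (not from a real hive): a desktop app run twice, and a
# Modern app entry showing the 0 run count / no execution time behaviour.
SAMPLE_VALUES = {
    codecs.encode("C:\\Windows\\System32\\notepad.exe", "rot13"):
        build_blob(2, 5, 14200, datetime(2019, 1, 10, 3, 15, tzinfo=timezone.utc)),
    codecs.encode("Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge", "rot13"):
        build_blob(0, 0, 0, None),
}

def parse_all(values=SAMPLE_VALUES):
    return [parse_userassist_value(n, d) for n, d in values.items()]
```

When run against a real NTUSER.DAT export, the never_updated flag is what separates "program appears in UserAssist" from "program was counted as executed," which is the distinction the testing above is about.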

You can watch the video here:
