Disabling UserAssist in Registry

UserAssist registry forensics is a method used to investigate the activity of users on a Windows operating system. It focuses on analyzing the UserAssist key in the Windows Registry, which contains information about the programs that a user has run on their computer.

Think of it as a kind of digital footprint left behind by users. When a user launches a program through Explorer (the Start menu, the desktop, a shortcut, or a double-click in a folder window), Explorer records it under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist, so the data lives in each user's NTUSER.DAT hive. Each entry is keyed by the program or shortcut path, stored as a ROT13-encoded value name, and the binary value data holds the run count, the focus count, the total focus time, and the timestamp of the last execution. Because the hook lives in Explorer, launches from a command prompt, a script, a scheduled task or a service are not recorded, which is why analysts treat UserAssist as one evidence-of-execution artifact among several rather than a complete log.

Forensic analysts can use this information to reconstruct a timeline of user activity, identify frequently used applications, and gain insights into the behavior of individuals on a particular system. It’s a valuable tool for investigating incidents, such as unauthorized access or suspicious behavior, and can provide crucial evidence in digital forensic investigations.
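To make the description above concrete, here is an added example that is not part of this post or the linked script: it decodes a single UserAssist Count value the way a forensic parser does. The record layout is the documented one (ROT13 value name; on Windows 7 and later 72 bytes of data with run count, focus count, focus time and the FILETIME of the last run at offset 60; on XP/2003 16 bytes with the counter stored offset by 5). The calc.exe entry and its bytes are constructed for the example, not captured from a real system, and the GUID constants are the two Count subkeys commonly seen on Windows 7+.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Where the values live (per user, so the hive is HKCU / NTUSER.DAT).
USERASSIST_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
# GUID subkeys seen on Windows 7 and later: executables and shortcut (.lnk) launches.
GUID_EXE = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
GUID_LNK = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def to_filetime(dt: datetime) -> int:
    """Inverse of from_filetime; integer arithmetic so no ticks are lost."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_userassist(value_name: str, data: bytes) -> dict:
    """Decode one value under ...\\UserAssist\\{GUID}\\Count.

    Windows 7+: 72 bytes = session, run count, focus count, focus time (ms),
    10 floats, 4 unknown bytes, FILETIME of last run, 4 padding bytes.
    XP/2003:    16 bytes = session, run count (+5), FILETIME of last run.
    """
    path = codecs.decode(value_name, "rot_13")  # names are ROT13, data is not
    if len(data) == 72:
        (session, run_count, focus_count, focus_ms,
         *_floats, _unknown, last_ft, _pad) = struct.unpack("<IIII10fIQI", data)
        focus_time = timedelta(milliseconds=focus_ms)
    elif len(data) == 16:
        session, run_count, last_ft = struct.unpack("<IIQ", data)
        run_count = max(run_count - 5, 0)  # XP stores the counter offset by 5
        focus_count, focus_time = None, None
    else:
        raise ValueError(f"unexpected UserAssist record length: {len(data)}")
    return {
        "path": path,
        "session": session,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": focus_time,
        # A zero FILETIME means Explorer never recorded a launch time.
        "last_run": from_filetime(last_ft) if last_ft else None,
    }


# Constructed sample (not captured from a real system): calc.exe under the
# System32 known-folder GUID, ROT13-encoded as it would appear as a value name.
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pnyp.rkr"
SAMPLE_LAST_RUN = datetime(2024, 3, 15, 10, 30, tzinfo=timezone.utc)
SAMPLE_DATA_WIN7 = struct.pack(
    "<IIII10fIQI",
    1, 7, 3, 45_000,            # session, run count, focus count, focus ms
    *([0.0] * 10), 0,           # ten floats and the unknown dword, ignored here
    to_filetime(SAMPLE_LAST_RUN), 0,
)
SAMPLE_DATA_XP = struct.pack("<IIQ", 1, 7 + 5, to_filetime(SAMPLE_LAST_RUN))


def timeline_line(value_name: str, data: bytes) -> str:
    """One line of the kind an analyst drops into an execution timeline."""
    e = parse_userassist(value_name, data)
    when = e["last_run"].isoformat() if e["last_run"] else "never"
    return f"{when}  runs={e['run_count']}  {e['path']}"


if __name__ == "__main__":
    print(timeline_line(SAMPLE_NAME, SAMPLE_DATA_WIN7))
    print(timeline_line(SAMPLE_NAME, SAMPLE_DATA_XP))
```

On a live system the same parser is fed from winreg (HKCU) or, on an image, from the NTUSER.DAT hive with a registry library; the ROT13 step is why a plain registry search for "calc.exe" finds nothing under this key.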

The anti-forensics script linked below toggles UserAssist logging by writing the Explorer registry values that control it, and can also delete the entries Explorer has already recorded.

Download Source Code

user_deassist.py (GitHub download)

This program will allow you to enable or disable UserAssist tracking on Windows 10+. The --delete option will let you delete the current UserAssist registry keys.

The target OS will need to be rebooted for the change to take effect. I haven't tested other methods.

Usage:
python .\user_deassist.py --delete
python .\user_deassist.py --enable
python .\user_deassist.py --disable
python .\user_deassist.py --enum

The --enum switch reports what the registry values that enable or disable UserAssist are currently set to; run it before and after --disable to confirm the change took.
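The following is an added illustration of the four switches above, written for this page and not the linked user_deassist.py, so its internals may differ from the real script. It assumes that the two REG_DWORD values Start_TrackProgs and Start_TrackEnabled under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced are the switches Explorer honours (0 off, 1 or absent on); that assumption is the thing to verify with --enum before trusting it. The registry calls need Windows and the winreg module; the state-description helper is pure Python.

```python
"""Toggle, inspect or wipe UserAssist from Python. Registry calls are Windows
only; the pure helper runs anywhere."""
import sys

try:
    import winreg  # standard library on Windows, absent elsewhere
except ImportError:
    winreg = None

ADVANCED_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
USERASSIST_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
# Assumption: these two REG_DWORD values under HKCU are the switches Explorer
# honours; 0 turns tracking off, 1 (or the value being absent) leaves it on.
TRACK_VALUES = ("Start_TrackProgs", "Start_TrackEnabled")


def describe_state(values: dict) -> str:
    """Pure helper (testable off-Windows): summarise what enum_state() read."""
    if any(v == 0 for v in values.values()):
        return "disabled"
    if all(v is None for v in values.values()):
        return "enabled (values absent, Explorer default)"
    return "enabled"


def _need_winreg() -> None:
    if winreg is None:
        raise RuntimeError("registry access needs the winreg module, i.e. Windows")


def _subkeys(root, path: str) -> list:
    """List immediate subkey names; EnumKey raises OSError when exhausted."""
    names, i = [], 0
    with winreg.OpenKey(root, path) as key:
        while True:
            try:
                names.append(winreg.EnumKey(key, i))
            except OSError:
                return names
            i += 1


def enum_state() -> dict:
    """--enum: read the switch values, None where a value does not exist."""
    _need_winreg()
    state = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ADVANCED_KEY) as key:
        for name in TRACK_VALUES:
            try:
                state[name], _kind = winreg.QueryValueEx(key, name)
            except OSError:
                state[name] = None
    return state


def show_state() -> str:
    state = enum_state()
    return f"{state} -> {describe_state(state)}"


def set_tracking(enabled: bool) -> None:
    """--enable / --disable: write both DWORDs; reboot afterwards as the post says."""
    _need_winreg()
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ADVANCED_KEY, 0,
                        winreg.KEY_SET_VALUE) as key:
        for name in TRACK_VALUES:
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, int(enabled))


def delete_tree(root, path: str) -> None:
    """DeleteKey refuses a key that still has children, so remove them first."""
    for child in _subkeys(root, path):
        delete_tree(root, path + "\\" + child)
    winreg.DeleteKey(root, path)


def delete_entries() -> int:
    """--delete: drop every {GUID} subkey (with its Count values); returns how many."""
    _need_winreg()
    guids = _subkeys(winreg.HKEY_CURRENT_USER, USERASSIST_KEY)
    for guid in guids:
        delete_tree(winreg.HKEY_CURRENT_USER, USERASSIST_KEY + "\\" + guid)
    return len(guids)


def main(argv: list) -> int:
    actions = {
        "--enum": lambda: print(show_state()),
        "--enable": lambda: set_tracking(True),
        "--disable": lambda: set_tracking(False),
        "--delete": lambda: print(delete_entries(), "UserAssist subkeys removed"),
    }
    if len(argv) != 1 or argv[0] not in actions:
        print("usage: user_deassist.py --enum | --enable | --disable | --delete")
        return 2
    actions[argv[0]]()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Everything here is under HKCU, so no elevation is needed and the change only covers the current user's hive. From the defender's side the switch itself is evidence: a Start_TrackProgs value of 0 in a user hive, or a UserAssist key whose GUID subkeys are missing on a system that has clearly been used, is worth a second look.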

Creating a Windows Executable

  1. Install PyCharm: If you haven't already, download and install PyCharm from the JetBrains website.
  2. Install PyInstaller: Open PyCharm and create or open your Python project. Then navigate to File > Settings > Project: Your_Project_Name > Python Interpreter, where you can see the list of installed packages. Click the "+" button to install a new package, search for "PyInstaller", and click "Install Package".
  3. Open your Python script: In PyCharm, open the Python script that you want to convert into an executable.
  4. Open Terminal: You can open the terminal in PyCharm by going to View > Tool Windows > Terminal.
  5. Navigate to your project directory: Use the cd command in the terminal to navigate to the directory where your Python script is located, for example cd path/to/your/project/directory.
  6. Run PyInstaller: Once you're in the correct directory, run pyinstaller --onefile your_script_name.py, replacing your_script_name.py with the name of your Python script (user_deassist.py here). The --onefile switch bundles the interpreter and dependencies into a single executable.
  7. Wait for the process to finish: PyInstaller will analyze your script and its dependencies, then create a dist folder in your project directory containing the executable file.
  8. Find the executable: Once PyInstaller has finished running, you can find your standalone executable in the dist folder within your project directory.

That’s it!

Other Reading

This analysis by imphash is useful for understanding how UserAssist works and what the stored values mean:

UserAssist — with a pinch of Salt — As an “Evidence of Execution”
