A Quick Glance At The UserAssist Key in Windows
I recently found myself needing to examine a workstation in an attempt to determine what had taken place on it before it started to act up. I was curious what programs were run or what objects were accessed. All kinds of data are spread across the registry, but a good place to look when you want to forensically reconstruct what was happening within the context of a user session is HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. Within UserAssist, you will find a few {GUID} keys that each have a corresponding Count subkey.
These GUIDs are consistent across a given platform. In XP:
- {0D6D4F41-2994-4BA0-8FEF-620E43CD2812} – A key that seems to be specific to IE7
- {5E6AB780-7743-11CF-A12B-00AA004AE837} – IE Favorites and other IE toolbar objects
- {75048700-EF1F-11D0-9888-006097DEACF9} – A list of applications, files, links, and other objects that have been accessed.
In Vista and Windows 7:
- {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} – A list of applications, files, links, and other objects that have been accessed.
- {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} – Lists the shortcut links used to start programs
Now, before you head off to examine all the goodies in here, there is one minor caveat: the data in these keys is obfuscated by default.
This is not a major hurdle, though, as the encryption here is nothing more than simple ROT13. What that means is that each alphabetic character is shifted 13 places forward in the alphabet, wrapping around at Z, so applying the same shift a second time restores the original text.
Now, before you get excited and wonder why Microsoft is so lax when it comes to encryption, you should know that the idea here is not really to prevent this data from being deciphered. I’m not entirely sure why, but it seems Microsoft may not have wanted this portion of the registry to show up in searches or be modified by the “average” user.
To simplify the task of decoding this data, there are several online tools available into which you paste the string(s) of data and have them converted. Alternatively, a very useful utility that can be run locally is UserAssist, which besides looking in HKCU can also read exported .reg files and ntuser.dat. This is more useful since you can order the values chronologically. NirSoft also has a good tool for viewing these keys. For example, here is the recent output captured on a Windows XP lab PC I regularly work on, sorted by most recent date.
You can see the last action where I clicked on Start, indicated by UEME_RUNPATH and the GUID {90110409-6000-8CFE-0150048383C9}, and from there launched Word; before that I ran UserAssist.exe from the desktop, RegScanner, regedit, Excel, etc…
Some other things worth noting:
- The encryption mechanism can be turned off or logging disabled altogether. In Windows XP, to disable ROT13 encryption in the UserAssist key, create a new DWORD value under this key named NoEncrypt and set it to 1. To disable logging in the UserAssist key, create a new DWORD value under this key named NoLog and set it to 1.
- Alternatively, to disable logging in Vista/Windows 7, right-click the Taskbar > go to Properties > Start Menu and under Privacy uncheck both options.
- In Vista and Windows 7, it seems like less data is gathered in the UserAssist key. Whereas XP contains many more UEME types, Vista and Windows 7 contain only a handful.
- Since the UserAssist key resides in ntuser.dat, you can load an offline copy. Alternatively, on a live (or remotely connected) system the user's key can be accessed under HKU.
- Impress your friends by telling them you can read ROT26 encryption on the fly, unassisted.
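As an added example (not code from the article or from the UserAssist or NirSoft tools), the following PowerShell reads the live UserAssist key, ROT13-decodes each value name and pulls out the run count and last-run time so the output can be sorted chronologically like the tool output described above. The binary layout of the Count values is not described in the article and is assumed here from the commonly documented format: 16-byte (XP) values carry the count at offset 4 and a FILETIME at offset 8; 72-byte (Windows 7 and later) values carry the count at offset 4 and the FILETIME at offset 60.

```powershell
# Added example (not from the article): decode the live UserAssist key with PowerShell.
# Count value layout is assumed (commonly documented), not taken from the article:
#   16-byte values (XP):  run count at offset 4, FILETIME of last run at offset 8
#   72-byte values (7+):  run count at offset 4, FILETIME of last run at offset 60

# ROT13: shift each ASCII letter 13 places, wrapping within its own case; digits and
# punctuation are left alone. Applying it twice returns the original string.
function ConvertFrom-Rot13 {
    param([string]$Text)
    $out = foreach ($c in $Text.ToCharArray()) {
        $n = [int]$c
        if     ($n -ge 65 -and $n -le 90)  { [char](($n - 65 + 13) % 26 + 65) }  # A-Z
        elseif ($n -ge 97 -and $n -le 122) { [char](($n - 97 + 13) % 26 + 97) }  # a-z
        else                               { $c }
    }
    -join $out
}

# Turn one raw Count value into a readable row. Unknown sizes get no count/time.
function ConvertFrom-UserAssistValue {
    param([string]$Name, [byte[]]$Data)
    $count = $null; $ft = 0
    if ($Data.Length -eq 16) {                       # Windows XP layout (assumed)
        $count = [BitConverter]::ToInt32($Data, 4)   # XP stores this count offset by 5
        $ft    = [BitConverter]::ToInt64($Data, 8)
    } elseif ($Data.Length -eq 72) {                 # Windows 7 and later layout (assumed)
        $count = [BitConverter]::ToInt32($Data, 4)
        $ft    = [BitConverter]::ToInt64($Data, 60)
    }
    [pscustomobject]@{
        Name    = ConvertFrom-Rot13 $Name
        Count   = $count
        LastRun = $(if ($ft -gt 0) { [DateTime]::FromFileTime($ft) } else { $null })
        Bytes   = $Data.Length
    }
}

# Walk every {GUID}\Count subkey under UserAssist and emit one row per binary value.
function Get-UserAssist {
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
    foreach ($countKey in Get-Item -Path "$base\*\Count" -ErrorAction SilentlyContinue) {
        foreach ($valueName in $countKey.GetValueNames()) {
            $data = $countKey.GetValue($valueName)
            if ($data -is [byte[]]) {
                ConvertFrom-UserAssistValue -Name $valueName -Data $data
            }
        }
    }
}

# Newest activity first, the same ordering the UserAssist tool gives you.
Get-UserAssist | Sort-Object LastRun -Descending | Format-Table Name, Count, LastRun -AutoSize
```

Run it as the user whose session you are examining; for an offline ntuser.dat, load the hive under HKU first and change $base accordingly.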
- This topic has 2 replies, 2 voices, and was last updated 3 years, 4 months ago by Matt.
- Hello, when you open the Task Manager in Windows 10 you have a tab that says Startup. You can select any of those programs and disable or enable depending on the current state. How can this be done with PowerShell? Thank you in advance for any help on this! Matt
- You can use PowerShell to modify the associated registry keys. Have a look at the help for the registry provider:

  ```powershell
  Get-Help about_providers
  Get-Help registry
  ```

  If you compare the entries in Task Manager with the output from SysInternals Autoruns then Task Manager is displaying programs from the following locations:

  ```
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  ```

  I guess there may be more locations depending on your exact configuration but the above is true for my machine. Autoruns enables and disables startup programs by deleting and adding the registry keys (note: I have an old version, this behaviour may have changed). However, Task Manager doesn’t remove the registry entries, it actually modifies registry entries in the following locations:

  ```
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
  ```

  Each program, listed in Task Manager, has an entry. It looks like a value of 02 00 00 00 00 00 00 00 00 00 00 00 is enabled and anything else is disabled. I’ve only experimented briefly though and had to close/open Task Manager to see it change from enabled to disabled.

  ```powershell
  # example 1 list programs
  Get-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
  # example 2 view values for a program
  Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run -Name f.lux
  # example 3 disable a program
  Set-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run -Name f.lux -Value ([byte[]](0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
  # example 4 enable a program
  Set-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run -Name f.lux -Value ([byte[]](0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
  ```
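As an added example (not code from the thread), the following PowerShell audits the Run entries Task Manager lists together with the enabled/disabled state Task Manager records under StartupApproved, which is what a defender wants when checking what actually launches at logon. It uses the two Run/StartupApproved pairs named in the answer above and applies the answer's observed rule ("02 followed by zero bytes is enabled, anything else is disabled") as stated, without treating it as a documented contract.

```powershell
# Added example (not from the thread): read-only audit of Task Manager startup state.
# Key locations come from the answer above; the 02-followed-by-zeros rule is the
# answer's observation, applied here exactly as written.

# Map one StartupApproved binary value to Enabled/Disabled, or say why there is none.
function Get-StartupApprovedState {
    param([string]$ApprovedKey, [string]$Name)
    if (-not (Test-Path -Path $ApprovedKey)) { return 'NoApprovedKey' }
    $raw = (Get-Item -Path $ApprovedKey).GetValue($Name)
    if ($null -eq $raw) { return 'NoEntry' }          # Task Manager has recorded nothing for it
    $bytes = [byte[]]$raw
    $enabled = $false
    if ($bytes.Length -eq 12 -and $bytes[0] -eq 0x02) {
        # the remaining eleven bytes must all be zero to match the "enabled" pattern
        $enabled = @($bytes[1..11] | Where-Object { $_ -ne 0 }).Count -eq 0
    }
    if ($enabled) { 'Enabled' } else { 'Disabled' }
}

# One row per Run value, joined to the StartupApproved key Task Manager edits for that hive.
function Get-TaskManagerStartup {
    $pairs = @(
        @{ Run      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
           Approved = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run' }
        @{ Run      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
           Approved = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run' }
    )
    foreach ($p in $pairs) {
        if (-not (Test-Path -Path $p.Run)) { continue }
        $runKey = Get-Item -Path $p.Run
        foreach ($name in $runKey.GetValueNames()) {
            if ($name -eq '') { continue }            # skip the key's (Default) value
            [pscustomobject]@{
                Hive    = $p.Run.Split(':')[0]
                Name    = $name
                State   = Get-StartupApprovedState -ApprovedKey $p.Approved -Name $name
                Command = $runKey.GetValue($name)
            }
        }
    }
}

# NoEntry rows are Run values Task Manager has no record for; review them against the Run key itself.
Get-TaskManagerStartup | Sort-Object State, Name | Format-Table -AutoSize
```

This only reads the registry; toggling a program is the Set-ItemProperty call shown in the answer above.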
- the topic ‘enable/disable startup programs in windows 10’ is closed to new replies.