UserAssist
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
UserAssist tracks programs launched through the Windows GUI — Start Menu, Desktop and Explorer. It records a run count and the last execution timestamp for each item; value names are ROT-13 encoded to obscure paths from casual inspection. This is one of the few artifacts that directly attributes execution to a human clicking something, not a background service.
Key Name
{ROT-13 encoded executable path} — REG_BINARY value containing run count and last execution timestamp (FILETIME)
Trace Type
Execution
Hive
NTUSER.DAT
Last Write Time
The key's Last Write Time reflects the most recent GUI launch of any item in that GUID bucket — correlate with the per-value timestamp for precise last-run attribution.
User Specific
Yes. Lives entirely inside NTUSER.DAT. Data is unique to each user profile and cannot be created by background or SYSTEM processes.
Forensic Value
- Prove deliberate GUI execution: UserAssist entries are created only through interactive user sessions. Combine this with BAM records to confirm execution with high confidence.
- Quantify usage patterns: The run count distinguishes a one-time execution from habitual use — correlate these counts with Prefetch evidence for a more complete picture.
- Pin last-run timestamps: The embedded FILETIME value provides a precise last-execution time, which should be cross-referenced with MuiCache to track file path history.
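The value format described under Key Name can be decoded as follows. This is an added example, not code from the original page; it assumes the commonly documented 72-byte Windows 7+ entry layout (run count at offset 4, FILETIME at offset 60), which the page does not state, and the sample name and bytes are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumed layout (not stated on this page): 72-byte Windows 7+ entry.
ENTRY_SIZE = 72
RUN_COUNT_OFFSET = 4    # uint32, little-endian
LAST_RUN_OFFSET = 60    # FILETIME, uint64 little-endian


def filetime_to_datetime(ticks):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means no timestamp."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_userassist_value(encoded_name, data):
    """Decode one value (ROT-13 name plus REG_BINARY data) from a Count key."""
    if len(data) != ENTRY_SIZE:
        raise ValueError(f"unexpected entry size {len(data)}, expected {ENTRY_SIZE}")
    (run_count,) = struct.unpack_from("<I", data, RUN_COUNT_OFFSET)
    (ticks,) = struct.unpack_from("<Q", data, LAST_RUN_OFFSET)
    return {
        "name": codecs.decode(encoded_name, "rot_13"),  # digits, slashes, braces pass through
        "run_count": run_count,
        "last_run": filetime_to_datetime(ticks),
    }


def build_sample_value(run_count, last_run):
    """Constructed sample bytes for the demo, not data from a real hive."""
    ticks = (last_run - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    data = bytearray(ENTRY_SIZE)
    struct.pack_into("<I", data, RUN_COUNT_OFFSET, run_count)
    struct.pack_into("<Q", data, LAST_RUN_OFFSET, ticks)
    return bytes(data)


if __name__ == "__main__":
    # Constructed name: ROT-13 of C:\Tools\example.exe
    sample_name = r"P:\Gbbyf\rknzcyr.rkr"
    when = datetime(2024, 3, 15, 12, 30, tzinfo=timezone.utc)
    print(parse_userassist_value(sample_name, build_sample_value(7, when)))
```

Entries of any other size are rejected rather than guessed at, so values from a different layout surface as errors instead of wrong timestamps.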
For more info, check out these articles: MuiCache, BAM, Prefetch