What is the “UserAssist” Windows forensic artifact?
UserAssist is a component of the Windows Explorer graphical user interface (GUI) that tracks the applications and shortcut links a user has executed. This data is stored on a per-user basis within the individual's registry hive, specifically in the NTUSER.DAT file under Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. A unique quirk of this artifact is that Windows obfuscates the names and paths of the executed files using a simple ROT13 substitution cipher, which shifts each alphabetical character by 13 places (e.g., calc.exe becomes pnyp.rkr). Modern forensic tools automatically decode this on the fly to reveal the original executable paths.
For a DFIR investigator, UserAssist is a cornerstone artifact for supporting user attribution. Unlike system-wide execution artifacts (like Prefetch or AmCache) that primarily show a file was run on the machine, UserAssist is directly associated with a specific user’s profile. Each decoded entry provides not only the path of the application but also a historical “run count” and the timestamp of its last execution. Because it specifically logs programs launched via the Windows Explorer shell, it provides strong evidence that a user interactively double-clicked or launched a specific file, portable application, or malicious document.
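As an added illustration (not code from the page or from TensorGuard), the following parser undoes the ROT13 obfuscation and unpacks the run count, focus count and last-execution FILETIME from one UserAssist value; it assumes the 72-byte value layout used since Windows 7, and the value name and binary blob are constructed here, not captured from a real system.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(name: str) -> str:
    """Undo Explorer's ROT13 obfuscation (ROT13 is its own inverse); digits and symbols are untouched."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(ft: int):
    """Convert a 64-bit Windows FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means never recorded."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_userassist_value(name: str, data: bytes) -> dict:
    """Parse one value from a UserAssist\\{GUID}\\Count subkey.

    Assumed Windows 7+ layout: offset 4 = run count, 8 = focus count,
    12 = focus time in ms, 60 = last-executed FILETIME (little-endian).
    Entries reflect launches through the Explorer shell, so a missing
    entry does not prove a program was never run (e.g. console launches).
    """
    if len(data) < 68:
        raise ValueError(f"unsupported UserAssist record length {len(data)} (XP-era 16-byte records not handled)")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_run_ft = struct.unpack_from("<Q", data, 60)[0]
    return {
        "path": rot13(name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run_utc": filetime_to_datetime(last_run_ft),
    }


# Constructed sample: the ROT13-encoded value name Explorer would store for
# C:\Users\Alice\Downloads\winscp.exe, plus a 72-byte blob built for this demo.
SAMPLE_NAME = r"P:\Hfref\Nyvpr\Qbjaybnqf\jvafpc.rkr"
SAMPLE_DATA = bytearray(72)
struct.pack_into("<III", SAMPLE_DATA, 4, 7, 3, 45000)          # 7 runs, 3 focus events, 45 s focused
struct.pack_into("<Q", SAMPLE_DATA, 60, 132000000000000000)     # FILETIME for 2019-04-17 18:40:00 UTC


def demo() -> dict:
    """Decode the constructed sample; a real parser would iterate every value under each Count subkey."""
    return parse_userassist_value(SAMPLE_NAME, bytes(SAMPLE_DATA))
```

On a live host the same values can be read with winreg from HKEY_CURRENT_USER, or offline from an NTUSER.DAT hive with a registry library; the decoding logic is unchanged.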
Enterprise Forensic Applications
Because UserAssist closely links application execution to a specific user identity, it is a highly valuable artifact for Insider Risk and HR Investigations. TensorGuard can automatically decode UserAssist entries to help demonstrate that a departing employee’s account was used to launch a portable data exfiltration utility (like WinSCP or a standalone wiping tool) directly from an external USB drive. Furthermore, during Proactive Compromise Assessments, correlating UserAssist timestamps with other artifacts helps investigators assess whether an adversary was actively “driving” the keyboard via a compromised account or Remote Desktop (RDP) session to launch their payload.
Collecting, Decoding, and Viewing “UserAssist” with TensorGuard
- Create a TensorGuard account and sign in to the TensorGuard console at https://app.tensorguard.com.
- Select “Case Manager”, then the plus button to create a case. This will contain your enrolled devices, their reports, and any manually submitted collections.
- Using the link inside the case menu, download the TensorGuard Forensic Collector and run it on your target system.
- In the console, click the plus button for “New Enrollment”, copy the enrollment key, and paste it into the TensorGuard Forensic Collector on your target device.
- Now that you have a device enrolled, select the device(s) and click “Send Signal”. Answer the questions about what you want the analysis to look for, whether to alert on positive findings, and whether the collection and analysis should recur.
- Once the report is generated, you’ll have UserAssist delivered in the browser, alongside an executive summary and timeline of findings.
TensorGuard™ is a trademark of TensorGuard Inc. All other trademarks are the property of their respective owners. The information provided on this blog is for educational and informational purposes only and does not constitute legal, forensic, or professional advice. Due to the complexities of Digital Forensics and potential legal implications, you should always consult with qualified legal counsel or a certified digital forensics expert before taking action based on findings.
Start with a Compromise Assessment.
The best way to see the power of TensorGuard is to use it. For a simple, flat fee, we will conduct a full, AI-powered Compromise Assessment on a selection of your critical systems.