I'm a little late to say this but firstly Happy Christmas to my readers out there. I've been fortunate enough to have a little time off but still find myself working the Christmas / New Year period. I hope some of you have more time off and can catch up on some of those tasks you've been avoiding.
For today we're moving onto a new category which I think everybody will find of interest: Program Execution. There have been a huge number of posts on these artifacts and just how valuable they can be. Once again we'll attempt to create a few of the artifacts in different ways and see how they show up when using our tools.
I still haven't forgotten about the artifacts we've missed so far and I'm currently working on some posts to cover those so that I have a complete series.
UserAssist
Description:
GUI-based programs launched from the desktop are tracked in the launcher on a Windows System.
Location: NTUSER.DAT HIVE
NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count
Interpretation:
All values are ROT-13 Encoded
- GUID for XP
- 75048700 Active Desktop
- GUID for Win7
- CEBFF5CD Executable File Execution
- F4E57C4B Shortcut File Execution
- Program Locations for Win7 Userassist
- ProgramFilesX64 6D809377-…
- ProgramFilesX86 7C5A40EF-…
- System 1AC14E77-…
- SystemX86 D65231B0-…
- Desktop B4BFCC3A-…
- Documents FDD39AD0-…
- Downloads 374DE290-…
- UserProfiles 0762D272-…
Within each of the Count keys listed are a number of values which, as mentioned above, are ROT13 encoded. To the human eye they don't make much sense, but once we decode them we'll easily see what the values mean. To give you a feel for what the values look like compared to the decoded values, see the following output. I have just grabbed some sample values from my own computer, where the first value is the ROT13 value and the second value is the decoded value.
{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rUbzr\rufuryy.rkr
{F38BF404-1D43-42F2-9305-67DE0B28FC23}\eHome\ehshell.exe
{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\Zvpebfbsg.ARG\Senzrjbex64\i2.0.50727\qj20.rkr
{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\Zvpebfbsg.ARG\Senzrjbex64\i2.0.50727\ErtNfz.rkr
{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe
HRZR_PGYFRFFVBA
UEME_CTLSESSION
HRZR_PGYPHNPbhag:pgbe
UEME_CTLCUACount:ctor
IZjner.Jbexfgngvba.izhv
VMware.Workstation.vmui
JvaMvcPbzchgvat.JvaMvc64
WinZipComputing.WinZip64
P:\Cebtenz Svyrf (k86)\Zbmvyyn Sversbk\bzav.wn
C:\Program Files (x86)\Mozilla Firefox\omni.ja
You get the picture of what we are dealing with, and as mentioned above these are just a few samples of what I have in mine. You'll notice that there are a number of values with UEME prefixing a word. These can also add context to how an application may have been run. I've attempted to find a full list of each of these for both Windows 7 and Windows XP, however I've only been able to find bits and pieces. The following list is taken from Didier Stevens' blog at the following location (here).
In Windows 7 they've significantly reduced the number, as you can see below in the comparison. Many of the following are self-explanatory and I won't be going into each for this particular tutorial.
Windows 7
UEME_RUNPATH
UEME_CTLCUACount:ctor
UEME_CTLSESSION
UEME_RUNPIDL
UEME_RUN
XP DLL (version 6.00.2900.3157):
UEME_CTLCUACount:ctor
UEME_CTLSESSION
UEME_DBSLEEP
UEME_DBTRACE
UEME_DBTRACEA
UEME_DBTRACEW
UEME_DONECANCEL
UEME_DONEFAIL
UEME_DONEOK
UEME_ERROR
UEME_ERRORA
UEME_ERRORW
UEME_INSTRBROWSER
UEME_RUN
UEME_RUNCPLA
UEME_RUNCPLW
UEME_RUNINVOKE
UEME_RUNOLECMD
UEME_RUNPATHA
UEME_RUNPATHW
UEME_RUNPIDL
UEME_RUNWMCMD
UEME_UIHOTKEY
UEME_UIMENU
UEME_UIQCUT
UEME_UISCUT
UEME_UITOOLBAR
UEME_USER
So let's try to generate some of our own values and see how they show within the output of RegRipper. To get started I began by running 'procexp.exe' from the Sysinternals suite. I picked this application because it is GUI based and it would be easy for me to copy it to different locations on my computer. I'd then once again use a combination of HoboCopy (to rip my active registry hive) and RegRipper to rip the UserAssist registry key and examine the contents. I ran procexp.exe in four different places: the Desktop, the root of my username folder, Documents and finally from within the x64 Program Files location.
I ran the following command for HoboCopy
HoboCopy.exe c:\Users\username c:\tmp\ ntuser.dat
Then the following for RegRipper
rip.exe -r c:\tmp\ntuser.dat -p userassist2 > c:\tmp\userassist.txt
The above commands produced the following output
Thu Dec 27 07:31:20 2012 Z
{6D809377-6AF0-444B-8957-A3773F02200E}\procexp.exe (1)
Thu Dec 27 07:30:57 2012 Z
C:\Users\username\Documents\procexp.exe (1)
Thu Dec 27 07:30:37 2012 Z
C:\Users\username\procexp.exe (1)
Thu Dec 27 07:30:11 2012 Z
C:\Users\username\Desktop\procexp.exe (1)
As you can see from above, most of them make sense apart from the one where we ran from within our x64 Program Files. I grabbed the GUID at the start of that entry and Googled it. I found the following Microsoft site which explains each of the codes.
http://msdn.microsoft.com/en-us/library/bb882665.aspx
If you don't want to use the list I've posted above you can also do a find from within regedit and that will also find the code.
I decoded some of the values that I had listed in my output and placed them in the categories identified in the Microsoft article.
System
1AC14E77-02E7-4E5D-B744-2EB1AE5198B7
{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\NOTEPAD.EXE (19)
{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe (5)
Windows
F38BF404-1D43-42F2-9305-67DE0B28FC23
{F38BF404-1D43-42F2-9305-67DE0B28FC23}\regedit.exe (1)
ProgramFilesX86
7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E
{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Notepad++\notepad++.exe (1)
{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office12\OUTLOOK.EXE (11)
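To tie together the ROT13 decoding of the value names shown earlier and the known-folder GUID lookup just described, here is an added Python example (not from the original post or from RegRipper). The GUID table only contains the four GUIDs that appear in full on this page; the Windows 7 binary value layout it parses (run count at offset 4, last-run FILETIME at offset 60) is my assumption, and the sample value bytes are constructed.

```python
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# Known-folder GUIDs that appear in full on this page (Windows 7 UserAssist);
# extend the table as you confirm further GUIDs in regedit or the MSDN list.
KNOWN_FOLDERS = {
    "6D809377-6AF0-444B-8957-A3773F02200E": "ProgramFilesX64",
    "7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E": "ProgramFilesX86",
    "1AC14E77-02E7-4E5D-B744-2EB1AE5198B7": "System",
    "F38BF404-1D43-42F2-9305-67DE0B28FC23": "Windows",
}
GUID_RE = re.compile(r"^\{([0-9A-Fa-f-]{36})\}")
EPOCH_DIFF = 116444736000000000  # 100 ns ticks from 1601-01-01 to 1970-01-01
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def decode_name(rot13_name):
    """ROT13 the value name. Digits are untouched, so the hex letters A-F of a
    GUID come out as N-S, which is why a GUID looks like {S38OS404-...}."""
    return codecs.decode(rot13_name, "rot_13")

def resolve_folder(decoded_name):
    """Replace a leading known-folder GUID with a %FolderName% prefix."""
    m = GUID_RE.match(decoded_name)
    if not m or m.group(1).upper() not in KNOWN_FOLDERS:
        return decoded_name  # UEME_ control entries and plain paths pass through
    return "%" + KNOWN_FOLDERS[m.group(1).upper()] + "%" + decoded_name[m.end():]

def parse_win7_value(data):
    """Assumed Windows 7 layout (72 bytes): run count DWORD at offset 4,
    last-run FILETIME at offset 60. Returns (count, last_run_utc or None)."""
    if len(data) < 68:
        raise ValueError("value too short for the Windows 7 UserAssist layout")
    count = struct.unpack_from("<I", data, 4)[0]
    ft = struct.unpack_from("<Q", data, 60)[0]
    if ft == 0:
        return count, None
    return count, UNIX_EPOCH + timedelta(microseconds=(ft - EPOCH_DIFF) // 10)

# Constructed sample value: one run at the time RegRipper printed for the
# Desktop run above (2012-12-27 07:30:11 UTC); all other fields left zero.
LAST_RUN = datetime(2012, 12, 27, 7, 30, 11, tzinfo=timezone.utc)
_ticks = (LAST_RUN - UNIX_EPOCH) // timedelta(microseconds=1) * 10 + EPOCH_DIFF
SAMPLE_VALUE = struct.pack("<II", 0, 1) + b"\x00" * 52 + struct.pack("<Q", _ticks) + b"\x00" * 4

if __name__ == "__main__":
    for name in (r"{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rUbzr\rufuryy.rkr", "HRZR_PGYFRFFVBA"):
        print(resolve_folder(decode_name(name)))
    print(parse_win7_value(SAMPLE_VALUE))
```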
Hopefully I've explained the artifact and you can take a better understanding away. This artifact has had countless articles written about it and its importance to your investigations. If you're not reviewing it then you should get started with it and make sure it's part of all your investigations.
Below are some key references that I've found while researching this artifact, in which you might find some value.
[1] http://ad-pdf.s3.amazonaws.com/UserAssist%20Registry%20Key%209-8-08.pdf
[2] http://www.eptuners.com/forensics/contents/A_Forensic_Examination_of_the_Windows_Registry_DETAILED.pdf
[3] http://blog.didierstevens.com/programs/userassist/
[4] http://windowsir.blogspot.com.au/2007/09/more-on-userassist-keys.html
[5] http://msdn.microsoft.com/en-us/library/bb882665.aspx
[6] http://blog.didierstevens.com/2006/08/04/update-userassist-utility/
[7] http://blog.didierstevens.com/category/reverse-engineering/page/2/
Within the current distribution of RegRipper plugins, all you need to use is the userassist.pl plugin...
Thanks Harlan, yes the version of RegRipper used above was not the latest distribution.