No run counts in UserAssist
I feel like a college student again! I missed the deadline to submit my answer for David Cowen’s HECF Sunday Funday challenge. However, I found some interesting stuff doing this and still want to post my answer anyway, because I think it can benefit the community and I wrote a new tool because of it!
First of all, the good stuff. Where to find the tool?
Here’s the rest:
The Challenge
In Windows 10, what behavior appears to determine whether a program will show up in the UserAssist entries with a run count of 0 versus actually tracking a run count and last execution date?
Methodology
In order to see what is happening in the Registry, and specifically in the UserAssist keys, it is helpful to have a script that displays the current values, monitors the registry for changes, and parses out the UserAssist data in real time. Once the UserAssist values can be monitored, activity can be correlated with the changes.
The Tool
The tool used for this testing is located at https://github.com/forensicmatt/MonitorUserAssist.
The Answer
After much testing I finally found behavior that consistently reproduces running a program with neither the run count nor the last execution time recorded. It's quite simple: a program that runs without user interaction appears not to have its run count and last execution time tracked. This makes sense when you think about the name “UserAssist”. Below are two methods I found to run a program without having its run count and last execution recorded.
Method 1 — Startup
By adding a program to the Start Menu\Programs\Startup folder, we can have a tool launched at startup which will appear in the UserAssist but without run count and execution date.
In the Journal section under Hypothesis #2 you can see this method.
Method 2 — Scheduled Task
By creating a scheduled task to run a program, we can have a tool launched by the task scheduler which will appear in the UserAssist but without run count and execution date.
In the Journal section under Hypothesis #3 you can see this method.
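The monitoring approach from the Methodology section and the triage rule from The Answer, as an added example that is not code from the MonitorUserAssist tool: it decodes one UserAssist value and flags the "present but untracked" pattern. It assumes the Windows 7+ 72-byte value layout (run count at offset 4, focus count at 8, focus time at 12, last execution FILETIME at 60) and uses constructed value names and blobs rather than a real registry dump.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Added example, not code from the MonitorUserAssist tool: decode one
# UserAssist value (Windows 7+ 72-byte layout) and apply the finding above.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means never."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_userassist_value(value_name, data):
    """Value names are ROT13-obfuscated; counters sit at fixed offsets in the blob."""
    if len(data) < 68:
        raise ValueError("UserAssist blob too short: %d bytes" % len(data))
    # Offsets: run count 4, focus count 8, focus time (ms) 12, last execution FILETIME 60.
    run_count, focus_count, focus_time = struct.unpack_from("<III", data, 4)
    (last_exec,) = struct.unpack_from("<Q", data, 60)
    return {
        "name": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_time,
        "last_execution": filetime_to_datetime(last_exec),
    }

def classify(entry):
    """Triage rule from the post: an entry with no counters was not launched by the user."""
    if entry["run_count"] == 0 and entry["last_execution"] is None:
        return "untracked"          # startup-folder / scheduled-task pattern
    if entry["run_count"] == 0:
        return "partially-tracked"  # some !App entries: date kept, count not
    return "user-launched"

def build_value(run_count, focus_count, focus_time_ms, last_exec_ft):
    """Construct a synthetic 72-byte blob for offline testing (not a registry dump)."""
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_time_ms)
            + b"\x00" * 44 + struct.pack("<Q", last_exec_ft) + b"\x00" * 4)

if __name__ == "__main__":
    # Constructed samples; 131277024000000000 is the FILETIME for 2017-01-01 00:00:00 UTC.
    samples = {
        r"Q:\Grfgvat\GuvfGbbyUnfAbEhaPbhag.rkr": build_value(0, 0, 0, 0),
        r"P:\Jvaqbjf\abgrcnq.rkr": build_value(3, 5, 12000, 131277024000000000),
    }
    for name, blob in samples.items():
        e = parse_userassist_value(name, blob)
        print(e["name"], e["run_count"], e["last_execution"], classify(e))
```

On a live system the same parser can be fed by iterating the values under each UserAssist GUID's Count subkey; the offsets above do not apply to the older XP 16-byte layout.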
Journal
It's hard to record and make meaningful all the different attempts at testing this behavior, but this section explains some of them.
After creating a tool for UserAssist Monitoring, we run said tool.
python usrasst_mon.py --format "[{record.timestamp} {record.guid}] last_execution: {record.last_execution} run_count: {record.run_count} focus_count: {record.focus_count} focus_time: {record.focus_time} name: {record.value_decoded_name}"
The tool will first display all current results:
Once the current values are displayed, the tool begins monitoring for changes made to UserAssist keys. The first thing noticed is that there are lots of “*!App” entries that have run counts of 0 (though the execution date does appear to be tracked). Let’s run Sticky Notes and see if it updates run_count.
This shows that even when launching StickyNotes from Cortana, the run_count is not updated. However, being an !App is not by itself a condition that disables run_count and last_execution tracking; we see that there are Apps whose counters do update.
This also brings up another interesting point. Every time the Windows tab is opened, Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI is always run, and it always has a run_count of 0. Unlike Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe!App, its last_execution is not tracked either.
Hypothesis #1
Let’s look for a process that is already running (one not started by the user).
I have never actually run the DropboxUpdate.exe directly, but it is launched at startup and runs in the background.
My hypothesis is that we can run this tool by its lnk file, and we will see a run_count for the lnk file but not for the exe it starts. The problem is that there is no lnk file in the startup folder.
So I cannot simply search for Dropbox Update and run it via the lnk. I want to try to simulate this by creating a lnk file to it in the “Start Menu/Programs/Dropbox” folder.
Now I can run it from the Cortana search.
Let’s see if it updates the run_count for DropboxUpdate.exe.
Unfortunately, that did update the run count. However, I still think that when an exe is launched outside the user's scope, the run_count won’t get updated. In this case, it's possible that DropboxUpdate.exe is running an additional instance when executed.
Hypothesis #2
I create an exe, “D:\Testing\ThisToolHasNoRunCount.exe”. I am then going to create a link for this tool so it runs at startup. I have not previously executed this tool. I expect to see it in the UserAssist, but with no tracking. To do this, I will create a link file that points to the tool in the Startup directory: “C:\Users\matth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup”.
Now let's restart!
After the restart, we run our tool again to see the current UserAssist values:
It worked! The tool ran, but no run_count and no last_execution were recorded!
This tells me that a possible reason is that when an app or executable is run outside of the user's interaction, its run count and last execution do not get recorded! This makes sense because it’s called “UserAssist”.
What other ways can we run a tool without the user's interaction?
Hypothesis #3
Let’s try a scheduled task!
We create a new exe for this test (ThisScheduledToolHasNoRunCount.exe):
At 1:18 the tool was run. This also worked!