GregThompson

UserAssist Reg Key...

5 posts in this topic

OK, so Didier Stevens has a cool little program that decrypts the UserAssist hive for the current user, and ports it into a nifty little GUI. He doesn't have command-line support at this time though, and that's what I need. His program is located here. http://didierstevens.wordpress.com/programs/userassist/

Does anyone know of a way to decrypt the UserAssist key, which is in ROT13, and port it to a csv file, or something like that? Or maybe some way to run his script, and execute the save option all hidden from a logged on user?


Why on earth would you want to run a monitoring program without the user having knowledge?

:) Sounds iffy to me....


Why on earth would you want to run a monitoring program without the user having knowledge?

:) Sounds iffy to me....

The company I work for is getting hit with licensing fees for Reflections software that is installed on several thousand machines. So, because we don't know exactly who is using the program and who isn't, we came up with this idea to determine how often the program is being run on every machine company-wide. If the date of the last use is not within the last 30 days, we'll automatically uninstall the software from the machine.


The company I work for is getting hit with licensing fees for Reflections software that is installed on several thousand machines. So, because we don't know exactly who is using the program and who isn't, we came up with this idea to determine how often the program is being run on every machine company-wide. If the date of the last use is not within the last 30 days, we'll automatically uninstall the software from the machine.

But what you are decrypting is user specific, not machine specific... :)

1. You could just check the 'Last Accessed' date on the Reflections executable

2. You could configure Auditing on the executable

3. You could make the executable accessible by a shortcut that performed some logging before running it.

4. Etc., etc...

There are so many easy ways to achieve that without cracking anything -- I think Paulie is right to be a little suspicious.

:P

Edit: ROT-13 is more like 'encoding' than encrypting, so 'cracking' is probably too strong a term for this.

Edited by PsaltyDS

Valuater's AutoIt 1-2-3, Class... Is now in Session!
For those who want somebody to write the script for them: RentACoder
"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law


I agree with you guys that this is a hugely complicated way to go about getting some paltry data, but I'm not the guy that came up with the idea. PSalty, I like yours about the exe's last accessed, I'm going to recommend that instead.

The other issue with the UserAssist is what you stated, that it's user specific, and we'd have to open/parse the HKEY_USER hives to make sure the machines that have multiple users are included, and that gets SO much more complicated.
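The decode-to-CSV step asked about at the top of the thread, with the 30-day check, as an added example that is not from any poster or from Didier Stevens' tool. It assumes the value names and binary data have already been read from a UserAssist Count subkey of one user hive (so it would be run once per user), and the two binary layouts it parses are assumptions not stated in the thread; the Windows 7+ layout goes beyond the XP-era case discussed here. Paths and timestamps are constructed.

```python
import codecs, csv, io, struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime, None if unset."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def to_filetime(dt):  # only used to build the constructed samples below
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def parse_entry(value_name, data):
    """Decode one value read from a UserAssist Count subkey."""
    name = codecs.decode(value_name, "rot_13")  # value names are ROT13 text
    if len(data) == 16:    # XP-era layout: session, count (starts at 5), FILETIME
        _session, count, ft = struct.unpack("<IIQ", data)
        count = max(count - 5, 0)
    elif len(data) == 72:  # Windows 7+ layout: count at offset 4, FILETIME at 60
        count, = struct.unpack_from("<I", data, 4)
        ft, = struct.unpack_from("<Q", data, 60)
    else:
        return None        # unknown layout: skip rather than guess
    return name, count, filetime_to_dt(ft)

def report(values, now, max_age_days=30):
    """CSV text: decoded name, run count, last run (UTC), stale flag."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["name", "run_count", "last_run_utc", "stale"])
    for value_name, data in values.items():
        entry = parse_entry(value_name, data)
        if entry is None:
            continue
        name, count, last = entry
        stale = last is None or now - last > timedelta(days=max_age_days)
        w.writerow([name, count, last.isoformat() if last else "", stale])
    return out.getvalue()

# Constructed sample values (hypothetical paths), as if read from one Count subkey
NOW = datetime(2008, 6, 30, tzinfo=timezone.utc)
SAMPLE = {
    codecs.encode(r"UEME_RUNPATH:C:\Program Files\Example\app.exe", "rot_13"):
        struct.pack("<IIQ", 1, 12, to_filetime(NOW - timedelta(days=3))),
    codecs.encode(r"UEME_RUNPATH:C:\Program Files\Example\old.exe", "rot_13"):
        struct.pack("<IIQ", 1, 6, to_filetime(NOW - timedelta(days=90))),
}

if __name__ == "__main__":
    print(report(SAMPLE, NOW))
```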

