A Quick Glance At The UserAssist Key in Windows
Posted by William Diaz on February 6, 2012
I recently found myself needing to examine a workstation in an attempt to determine what had taken place on it before it started to act up. I was curious what programs were run or what objects were accessed. All kinds of data is spread across the registry, but a good place to look when you want to forensically gather what was happening within the context of a user session is HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. Within UserAssist, you will find a few {GUID} keys that each have a corresponding Count key:
These GUIDs are common across the same platform. In XP:
- {0D6D4F41-2994-4BA0-8FEF-620E43CD2812} – A key that seems to be specific to IE7
- {5E6AB780-7743-11CF-A12B-00AA004AE837} – IE Favorites and other IE toolbar objects
- {75048700-EF1F-11D0-9888-006097DEACF9} – A list of applications, files, links, and other objects that have been accessed.
In Vista and Windows 7:
- {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} – A list of applications, files, links, and other objects that have been accessed.
- {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} – Lists the shortcut links used to start programs
Now, before you head off to examine all the goodies in here, there is one minor caveat: the data in these keys is obfuscated by default:
This is not a major hurdle, though, as the encryption method here is rather simple: ROT13. What that means is that each alphabetic character is offset 13 places forward:
Now, before you get excited and wonder why Microsoft is so lax when it comes to encryption, you should know that the idea here is not to really prevent this data from being deciphered. I'm entirely sure why, but it seems Microsoft may not have wanted this portion of the registry accessible to searches or modified by the 'average' user.
To simplify the task of decrypting this data, there are several online tools available into which you paste the string(s) of data and have them converted. Alternatively, a very useful utility that can be run locally is UserAssist, which besides looking in HKCU can also read exported reg files and ntuser.dat. This would be more useful since you can order the values chronologically. NirSoft also has a good tool for viewing these keys. For example, here is the recent output captured on a Windows XP lab PC I regularly work on, sorted by most recent date:
You can see the last action where I clicked on Start, indicated by UEME_RUNPATH and the GUID {90110409-6000-8CFE-0150048383C9}, and from here then launched Word, and before that where I ran UserAssist.exe from the desktop, RegScanner, regedit, Excel, etc…
Some other things worth noting:
- The encryption mechanism can be turned off or logging disabled altogether. In Windows XP, to disable ROT13 encryption in the UserAssist key, create a new DWORD in this key and name it NoEncrypt and assign a value of 1. To disable logging in the UserAssist key, create a new DWORD in this key and name it NoLog and assign a value of 1.
- Alternatively, to disable logging in Vista/Windows 7, right-click the Taskbar > go to Properties > Start Menu and under Privacy uncheck both options.
- In Vista and Windows 7, it seems like less data is gathered in the UserAssist key. Whereas XP contains many more UEME types, Vista and Windows 7 contain only a handful.
- Since the UserAssist key resides in ntuser.dat, you can load an offline copy. Alternatively, the live remote key can be accessed from HKU.
- Impress your friends by telling them you can read ROT26 encryption on the fly, unassisted.
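The ROT13 decoding and chronological sort described above can be reproduced against a .reg export of an XP Count key. This is an added example, not code from the original post or from the UserAssist or NirSoft tools. It assumes the 16-byte XP value layout documented for those tools (session ID, a counter that starts at 5, last-run FILETIME), which the post itself does not describe, and the sample export is constructed.

```python
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def _reg_line(name, count, when):
    """Build one constructed .reg line in the assumed XP layout (sample data only)."""
    ft = int((when - EPOCH_1601).total_seconds()) * 10_000_000
    data = struct.pack("<IIQ", 1, count, ft)  # session, counter, FILETIME
    enc = codecs.encode(name, "rot13").replace("\\", "\\\\")  # .reg escapes backslashes
    return '"%s"=hex:%s' % (enc, ",".join("%02x" % b for b in data))

# Constructed sample, not taken from a real system.
SAMPLE_REG = "\n".join([
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer"
    r"\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]",
    _reg_line(r"UEME_RUNPATH:C:\WINDOWS\notepad.exe", 6,
              datetime(2012, 2, 5, 17, 0, tzinfo=timezone.utc)),
    _reg_line(r"UEME_RUNPATH:C:\WINDOWS\regedit.exe", 8,
              datetime(2012, 2, 6, 9, 30, tzinfo=timezone.utc)),
    '"HRZR_PGYFRFFVBA"=hex:01,00,00,00',  # wrong size: must be skipped
])

# One value per line; hex data wrapped onto continuation lines is not handled.
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=hex:([0-9a-fA-F,]+)$')

def parse_count_values(reg_text):
    """Return (decoded name, run count, last run UTC) tuples, newest first."""
    rows = []
    for line in reg_text.splitlines():
        m = VALUE.match(line.strip())
        if not m:
            continue
        data = bytes.fromhex(m.group(2).replace(",", ""))
        if len(data) != 16:  # not the 16-byte XP record: skip, do not guess
            continue
        _session, count, ft = struct.unpack("<IIQ", data)
        name = codecs.decode(m.group(1).replace("\\\\", "\\"), "rot13")
        last_run = EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None
        rows.append((name, max(count - 5, 0), last_run))
    return sorted(rows, key=lambda r: r[2] or EPOCH_1601, reverse=True)

if __name__ == "__main__":
    for name, runs, last_run in parse_count_values(SAMPLE_REG):
        print(last_run, runs, name)
```

Vista and Windows 7 store a larger record under different GUIDs, so the length check rejects those values instead of misreading them.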
One of the best features of Windows 10 is the Task View, which you can use to create virtual desktops. These desktops are a great way to distribute and organize the windows of your open applications. You can press Win+Tab (hold down the Windows key and press Tab) to see them in the Task View.
However, one feature not provided by Microsoft is the ability to instantly switch to a specific virtual desktop with a keyboard shortcut. For instance, if you are on Desktop 2 and you want to switch to Desktop 6, you have to hold down Win+Ctrl and press the Right Arrow four times. It would be much easier to have a shortcut that automatically switches to desktop number 6, regardless of which desktop you're using.
This tutorial shows you how to create keyboard shortcuts to switch directly to any virtual desktop by number. We'll accomplish this using the free Windows utility, AutoHotkey.
Creating the script
- The installer exits, and a new text file opens in Notepad. The file will be our script. (A script is a plain text file that contains a series of commands to be run by another program, in this case AutoHotkey.)
The script on this page is based on Windows Desktop Switcher, an open source script hosted on GitHub at github.com/pmb6tz/windows-desktop-switcher.
- Copy and paste the following script into your Notepad document:
- Save the file.
- This script, AutoHotkey.ahk, is located in your Documents folder. Open a new File Explorer window (keyboard: Win+E) and go to Documents.
- Run the script by double-clicking on the file. You won't see anything happen, but AutoHotkey is now running the script.
How does it work?
The script works by keeping track of which virtual desktop you're currently using. Holding down the Windows key and pressing a number between 1 and 9 automatically switches left or right the correct number of times to get to the desired desktop. (If you press the number of a desktop that doesn't exist yet, nothing will happen.)
Testing your new hotkeys
To test it out, first create a new virtual desktop. To do this, click the Task View icon on your Taskbar (or press Win+Tab), then click + New Desktop. Or, use the keyboard shortcut Win+Ctrl+D.
Do this once for each new virtual desktop you'd like to create. Each additional desktop will be oriented to the right of the previous.
Now, you can switch to any of these desktops using the keyboard shortcuts defined in the script. Hold down Win and press a number between 1 and 9, and you will automatically switch to that numbered desktop. For instance, press Win+3 to switch to the third virtual desktop from the left.
Stopping the script
To stop using the script, go to your system tray and right-click the AutoHotkey icon, which looks like a big green 'H' to bring up the AutoHotkey Windows Notification menu.
Note: If you don't see the icon, use the caret ^ button to show hidden icons.
In this menu, you can Suspend Hotkeys, Pause Script, or Exit AutoHotkey entirely. Any of these actions return your hotkeys to normal.
Running your script automatically when Windows starts
To run the script automatically every time you start Windows, move the script into your Startup folder.
In Windows 10, the Startup folder is located at:
This folder is normally hidden, so you can only get to it in the File Explorer if you select View → View Hidden Files at the top of the Explorer window.
However, you also can access the Startup folder directly by entering the full directory path in the Run box. Press Win+R to open the Run box, then type the full directory path. You can use the environment variable %APPDATA% to automatically fill in the beginning of the path name. For instance, you can type this into the Run box:
When you press Enter, that folder opens in a new File Explorer window.
Now move your script to this folder. If you still have your Documents folder open in another window, drag-and-drop AutoHotkey.ahk into the Startup folder.
If you decide that you don't want to run the script automatically every time you start Windows, open this folder again and move the script somewhere else. You can always run it manually by double-clicking it, no matter where it is on your computer.
Additional notes
This script overrides the default Windows shortcuts for Win+(Number), which normally open up items on your taskbar (Win+1 opens the first item, etc). However, some built-in Windows applications such as Settings or Store ignore AutoHotkey's script. If you're on one of these windows when trying hotkeys, it uses the Windows hotkey behavior, and opens something from your Taskbar instead of a new desktop. Another thing to keep in mind is that AutoHotkey is actually switching left and right between your virtual desktops, quickly, one by one. If it bumps into a virtual desktop where one of these special applications is open, it'll stop switching and stay on that desktop.
Unfortunately, the default Windows shortcuts cannot be disabled, which is inconvenient, but unless you have one of these application windows open, the AutoHotkey script works fine. You'll find that the script works perfectly with 95% of your other programs.
However, if you prefer, you can edit your AutoHotkey script to use a different key combination.
Editing your AutoHotkey script
Open Notepad (Start → Windows Accessories → Notepad).
In Notepad, open the AutoHotkey file. If you already have the Startup folder open, you can drag-and-drop the icon onto the Notepad window to open the file.
Or, you can open it by going to File → Open in Notepad and entering the file name %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\AutoHotkey.ahk.
When the file is open, you can make changes to the script to suit your needs. For instance, if you would prefer to use the hotkey combination CapsLock+(Number), look for these lines in the script:
In these lines, change LWin to CapsLock:
Save your changes, and double-click the script to update it in AutoHotkey. If you made any mistakes in your script, AutoHotkey will not run it, and will give you an error message. Otherwise, it will ask you if you want to update the script that is already running:
Choose Yes to make your new changes take effect.
If you have an idea for a different hotkey combination, you can change it to any hotkey combination that is not already in use.
Picking a key combination
AutoHotkey has its own special words and characters that it uses for representing keyboard keys in its scripts. For instance, the Ctrl key is represented by an exclamation mark. To use Ctrl+(Number) as your hotkey combination, you could change 'CapsLock &' to '!' in your script. Then the lines would look like this:
Notice that when you use a symbol rather than a word, you shouldn't use ' & ' in the script syntax. This rule is one of the special rules AutoHotkey uses in its scripting language.
You can find a complete list of all the special words and symbols for AutoHotkey scripts at autohotkey.com/docs/KeyList.htm.