Anti-Forensics – Delete UserAssist History

Windows Explorer maintains a list of frequently programs executed and shortcuts opened on a Windows machine in the UserAssist registry entries. This is achieved by maintaining a count of application use and last execution date and time in each users NTUSER.DAT registry file.

UserAssist registry key :

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Under UserAssist key there are two subkeys named,

{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}

if you use Windows 7.

To delete UserAssist history, you have to delete the two subkeys Count that you will find under {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} respectively.

 

%d bloggers like this: