Anti-Forensics, Privacy

Delete UserAssist History – Anti-forensics

Windows system maintain a set of keys in the registry database to keep track of programs that executed. The number of executions and last execution date and time are available in these keys. UserAssist is a method used to populate a user’s start menu with frequently used applications.

The information within the binary UserAssist values contains only statistical data on the applications launched by the user via Windows Explorer. Programs launched via the command­line do not appear in these registry keys.

From a forensics perspective, being able to decode this information can be very useful.

Userassist registry keys are saved in following locations:

GUID for Windows 7

Sources: aldeid, forensicartifacts

To read UserAssist registry keys data you can use UserAssistView application from Nirsoft.

To empty these registry keys:
> Create a new .reg file
> Paste the following:

Windows Registry Editor Version 5.00

>Double click reg file to execute it.