`userassist`#

$ target-query <path/to/target> -f userassist

Details#
Module	`os.windows.regf.userassist.UserAssistPlugin`
Output	`records`

Module documentation

UserAssist plugin.

Function documentation

Return the UserAssist information for each user.

The UserAssist registry keys contain information about programs that were recently executed on the system. Programs launch via the commandline are not registered within these registry keys.

References:

https://www.magnetforensics.com/blog/artifact-profile-userassist/
https://www.aldeid.com/wiki/Windows-userassist-keys

Yields UserAssistRecords with fields:

hostname (string): The target hostname. domain (string): The target domain. ts (datetime): The entry timestamp. path (path): The entry path. number_of_executions (int): The number of executions for this entry. application_focus_count (int): The number of focus acount for this entry. application_focus_duration (int): The duration of focus for this entry.

userassist#

`userassist`#