In Windows 7 Registry, "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count", there are 72 binary bytes value, but only there are 16 binary bytes value in XP, and i known the last 8 bytes mean the date that the shortcut clicked. I have researched the 72 bytes in Windows 7, seem 61 - 68 byte save the shortcut clicked date, but i can not convert the bytes to right date.
Hello,
Theres an analysis of win7 Userassist registry keys by Didier Stevens in his forensic magazine. Heres a link to that issue.
http://go2.wordpress.com/?id=725X134...s-issue-0x0%2F
Stevens has also released a tool that can analyze the structure of these keys for you (its a beta. Google for the final version).
http://didierstevens.com/files/softw...aunchParty.zip
Hi yxq,
I was reading about user assist yesterday. There is a new key format for Vista, Server 2008, Win7 etc. The second article goes into this in detail.
Enjoy
http://documents.sirlopu.com/documents/carvey.pdf
http://intotheboxes.files.wordpress....es_2010_q1.pdf
@Bill2 - Thanks, I'll take a look at your articles too.
Quote