GUI-based programs launched from the desktop are tracked in the launcher on a Windows system.
Key π: NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count.
βοΈAll values are ROT13 encoded.
List of progs and applets that can be quicly started from the Start menu for usability, the most often used items. Shows a focus count for each entry. It means, how many time was the window switched to (that doesn’t include the time when the program is first run). Shows the last time that the program was executed, focus time, run count.
At the start of each entry between {} is the code for a location within file system. Registry Explorer will substitute these automatically, since these GUIDs are predefined.
This what a full filled User Assist key looks like. {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} is for programs that were lauched using their image files directly. {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} is for those, started with a shortcut.
The structure is quite simple:
- At
0x04offset starts the number of executions (4 bytes). - At
0xCoffset starts the focus time (4 bytes) - At
0x3Coffset starts the Last Execution time (8 bytes), which is a Win64-bit little-endian value (for Decode π ).
β οΈ π I could not find this key on my Win10 VM.
β οΈ When the program was started via
lnkfile, the focus count will be0.
GUIDs to note:
GUID for XP
- 75048700 Active Desktop GUID for Win7-10
- CEBFF5CD Executable File Execution
- F4E57C4B Shortcut File Execution
Program Locations for Win7- 10 UserAssist
- ProgramFilesX64 6D809377-…
- ProgramFilesX86 7C5A40EF- . . .
- System 1AC14E77-…
- SystemX86 D65231BO-…
- Desktop B4BFCC3A-…
- Documents FDD39ADO-…
- Downloads 374DE290-…
- UserProfiles 0762D272-…