AutoHotkey Community Let's help each other out
dinkosta
Joined: 28 Sep 2005 Posts: 37 Location: Pirot
Posted: Fri Apr 07, 2006 9:30 pm Post subject: Decrypt 'UserAssist' registry entries
Some people are suspicious of the 'UserAssist' entries in the registry, mostly because they are encrypted. Here's a small script that will decrypt those entries:

Code:
;;Author: Kostic Dejan
;;Date: 07.04.2006
; List the raw (ROT13-encoded) value names of both UserAssist subkeys;
; the Decrypt button re-reads them and shows the decoded names instead
Gui, Add, ListView, vLst w700 h500 altsubmit, Path|Name|Data
Loop, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\count
{
    RegRead, rval    ; no key given: reads the value the loop is currently on
    LV_Add("", "{5E6AB780-7743-11CF-A12B-00AA004AE837}", A_LoopRegName, rval)
}
Loop, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\count
{
    RegRead, rsv
    LV_Add("", "{75048700-EF1F-11D0-9888-006097DEACF9}", A_LoopRegName, rsv)
}
Gui, Add, Button, gdec, &Decrypt
Gui, Show
LV_ModifyCol(1, "100")
LV_ModifyCol(2, "485")
LV_ModifyCol(3, "100")
return

dec:
SetBatchLines, -1
LV_Delete()
SplashImage,, b1 c1,, Decrypting`nPlease wait...
Loop, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\count
{
    RegRead, rval
    d2 := StringMod(A_LoopRegName, 26-13)    ; ROT13 is its own inverse
    LV_Add("", "{5E6AB780-7743-11CF-A12B-00AA004AE837}", d2, rval)
}
Loop, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\count
{
    RegRead, rsv
    d3 := StringMod(A_LoopRegName, 26-13)
    LV_Add("", "{75048700-EF1F-11D0-9888-006097DEACF9}", d3, rsv)
}
SplashImage, off
return

; Rotate every letter of _string by _chars positions; other characters pass through
StringMod(_string, _chars="")    ; made by PhiLho, adapted by me
{
    Loop, Parse, _string
    {
        char := Asc(A_LoopField)
        ; o is "A" for upper case, "a" for lower case, 0 for anything else
        o := Asc("A") * (Asc("A") <= char && char <= Asc("Z")) + Asc("a") * (Asc("a") <= char && char <= Asc("z"))
        If (o > 0)
        {
            char := Mod(char - o + _chars, 26)
            char := Chr(char + o)
        }
        Else
        {
            char := A_LoopField
        }
        rStr := rStr char
    }
    Return rStr
}

GuiClose:
ExitApp
Improvements are always welcome.
Last edited by dinkosta on Sat Apr 08, 2006 12:08 am; edited 1 time in total
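As an added example in Python (not from the thread and not the AutoHotkey script above), the same ROT13 decoding of the value names applied offline to constructed records, with the 16-byte data unpacked as well and the results ordered by last run rather than in the registry's bottom-up order. The value layout (session id, run count, last-run FILETIME, little-endian) and the sample names are assumptions of this example, not something the thread states.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Labels for the two GUID subkeys the thread walks (from Serenity's post).
GUIDS = {
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}": "Internet Toolbar",
    "{75048700-EF1F-11D0-9888-006097DEACF9}": "ActiveDesktop",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def rot13(name):
    """Same transform as StringMod(name, 13): letters rotate, others pass through."""
    return codecs.decode(name, "rot_13")

def filetime_to_datetime(ft):
    """FILETIME: 100-ns ticks since 1601-01-01 UTC; zero means never run."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_value(raw):
    """Unpack one 16-byte value (assumed XP-era layout: session id, run count,
    last-run FILETIME, all little-endian); refuse other sizes rather than misread."""
    if len(raw) != 16:
        raise ValueError("expected 16-byte UserAssist value, got %d" % len(raw))
    session, count, ft = struct.unpack("<IIQ", raw)
    return {"session": session, "count": count, "last_run": filetime_to_datetime(ft)}

def decode_entries(entries):
    """entries: (guid, ROT13 value name, raw value bytes) triples, e.g. from a .reg export."""
    decoded = []
    for guid, enc_name, raw in entries:
        rec = parse_value(raw)
        rec["key"] = GUIDS.get(guid, guid)
        rec["name"] = rot13(enc_name)
        decoded.append(rec)
    # Registry loops hand values back bottom-up; order by last run, newest first.
    decoded.sort(key=lambda r: r["last_run"] or FILETIME_EPOCH, reverse=True)
    return decoded

# Constructed sample records, not real registry data.
SAMPLE = [
    ("{75048700-EF1F-11D0-9888-006097DEACF9}", "HRZR_EHACNGU:P:\\Jvaqbjf\\abgrcnq.rkr",
     struct.pack("<IIQ", 1, 9, 128000000000000000)),
    ("{75048700-EF1F-11D0-9888-006097DEACF9}", "HRZR_EHACNGU:P:\\Jvaqbjf\\pnyp.rkr",
     struct.pack("<IIQ", 1, 5, 0)),
]
```

Values of a different length (later Windows versions use a larger record) are rejected rather than silently misparsed.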
Laszlo
Joined: 14 Feb 2005 Posts: 4016 Location: Pittsburgh
Posted: Fri Apr 07, 2006 10:22 pm Post subject:
Cool! Now I see them decrypted..., but what do they mean? In what order? Could you give us a pointer, where these are explained?
dinkosta
Joined: 28 Sep 2005 Posts: 37 Location: Pirot
robiandi Guest
Posted: Sat Apr 08, 2006 2:53 am Post subject:
The links are very helpful, thanks.
Serenity
Joined: 08 Nov 2004 Posts: 1017
Posted: Sat Apr 08, 2006 4:36 pm Post subject:
dinkosta wrote:
    The decrypted entries appear inside the ListView in a different order compared to their order inside the registry, but I don't know why.

This might be in part due to the way registry loops work:

Quote:
    The values and subkeys are retrieved in reverse order (bottom to top) so that RegDelete can be used inside the loop without disrupting the loop.

Perhaps your script could include the options to delete the count keys (Windows recreates these at startup), and also toggle/turn off logging and ROT13 encryption:

Code:
; Microsoft Internet Toolbar
regdelete, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\count
; ActiveDesktop
regdelete, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\count
; Disable logging and encryption
regwrite, REG_DWORD, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\Settings, NoLog, 1
regwrite, REG_DWORD, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\Settings, NoEncrypt, 1
_________________ "Anything worth doing is worth doing slowly." - Mae West
dinkosta
Joined: 28 Sep 2005 Posts: 37 Location: Pirot
Posted: Sat Apr 08, 2006 9:09 pm Post subject:
Thank you for your feedback, robiandi and Serenity.
@Serenity
Those are nice suggestions, thanks.
hackalot Guest
Posted: Wed Oct 18, 2006 3:49 am Post subject: But what is in the 16 bits of data?
The value... how do we decode the value?
glen Guest
Posted: Sun Feb 25, 2007 5:38 pm Post subject:
I don't do scripting, so I can't say why, but the script gives an error here:
Path: <path>\UserAssist.js
Line: 2
Char: 18
Error: Expected ';'
Code: 800A03EC
Source: Microsoft JScript compilation error
I used the "Copy" link here and pasted into Notepad with a .js extension.
I also tried the .vbs and .wsf extensions and they gave errors also.
What type of script (what extension) is this supposed to be saved as? I realise the regulars here would know this, but as this forum is easily available through a web search, it would be helpful if you gave such elementary details.
...glen
Duh Guest
Posted: Mon Feb 26, 2007 12:24 pm Post subject:
In case you're still trying to run it with wscript, it's an AHK script.
See the homepage.
QuestionMark Guest
Posted: Thu Dec 13, 2007 1:13 am Post subject: Encryption
[For those who want to know]
ROT13, the encrypting sequence Windows uses, is the most basic type: you simply change each letter to the one 13 ahead in the alphabet (looping around if necessary).
So, ROT13 in ROT13 (not counting the numbers) would be EBG13.
------------------------------------------------------------------------------
-Wikipedia Article
-Online ROT13 Translator