Decrypt 'UserAssist' registry entries
Started by dinkosta, Apr 07 2006 08:30 PM
12 replies to this topic

Some people are suspicious of the 'UserAssist' entries in the registry, mostly because they are encrypted. Here's a small script that will decrypt those entries:

;;Author: Kostic Dejan
;;Date: 07.04.2006
Gui, Add, ListView, vLst w700 h500 altsubmit, Path|Name|Data
Loop, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\count
{
    RegRead, rval
    LV_Add("", "{5E6AB780-7743-11CF-A12B-00AA004AE837}", a_loopregname, rval)
}
Loop, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\count
{
    RegRead, rsv
    LV_Add("", "{75048700-EF1F-11D0-9888-006097DEACF9}", a_loopregname, rsv)
}
Gui, Add, Button, gdec, &Decrypt
Gui, Show
LV_ModifyCol(1, "100")
LV_ModifyCol(2, "485")
LV_ModifyCol(3, "100")
return

dec:
SetBatchLines, -1
LV_Delete()
SplashImage,, b1 c1,, Decrypting`nPlease wait...
Loop, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\count
{
    RegRead, rval
    d2 := StringMod(a_loopregname, 26-13) ; shift by 13 = ROT13
    LV_Add("", "{5E6AB780-7743-11CF-A12B-00AA004AE837}", d2, rval)
}
Loop, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\count
{
    RegRead, rsv
    d3 := StringMod(a_loopregname, 26-13) ; shift by 13 = ROT13
    LV_Add("", "{75048700-EF1F-11D0-9888-006097DEACF9}", d3, rsv)
}
SplashImage, off
return

StringMod(_string, _chars="") ; made by PhiLho, adapted by me
{
    ; Rotate every ASCII letter of _string by _chars positions; other characters pass through unchanged
    Loop, Parse, _string
    {
        char := Asc(A_LoopField)
        o := Asc("A") * (Asc("A") <= char && char <= Asc("Z")) + Asc("a") * (Asc("a") <= char && char <= Asc("z"))
        If (o > 0)
        {
            char := Mod(char - o + _chars, 26)
            char := Chr(char + o)
        }
        Else
        {
            char := A_LoopField
        }
        rStr := rStr char
    }
    Return rStr
}

GuiClose:
ExitApp

Improvements are always welcome.
#1 - Posted 07 April 2006 - 08:30 PM
Cool! Now I see them decrypted..., but what do they mean? In what order? Could you give us a pointer, where these are explained?
#2 - Posted 07 April 2006 - 09:22 PM
Well, here are two links that deal with those entries:
http://www.utdallas....plorer_spy.html and http://personal-comp...3/v29/vic29.htm.
I'm no expert about these things, but I saw some articles and posts talking about those entries so I thought it would be nice to have them decrypted.
The decrypted entries appear inside the ListView in a different order compared to their order inside the registry, but I don't know why.
#3 - Posted 07 April 2006 - 10:39 PM
The decrypted entries appear inside the ListView in a different order compared to their order inside the registry, but I don't know why.
This might be in part due to the way registry loops work:
The values and subkeys are retrieved in reverse order (bottom to top) so that RegDelete can be used inside the loop without disrupting the loop.
Perhaps your script could include the options to delete the count keys (Windows recreates these at startup), and also toggle/turn off logging and ROT13 encryption:
; Microsoft Internet Toolbar
RegDelete, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\count
; ActiveDesktop
RegDelete, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\count
; Disable logging and encryption
RegWrite, REG_DWORD, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\Settings, NoLog, 1
RegWrite, REG_DWORD, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\Settings, NoEncrypt, 1
#5 - Posted 08 April 2006 - 03:36 PM
"Anything worth doing is worth doing slowly." - Mae West
Thank you for your feedback, robiandi and Serenity.
@Serenity
Those are nice suggestions, thanks.
#6 - Posted 08 April 2006 - 08:09 PM
I don't do scripting, so I can't say why, but the script gives an error here:
Path:\UserAssist.js
Line: 2
Char: 18
Error: Expected ';'
Code: 800A03EC
Source: Microsoft JScript compilation error
I used the "Copy" link here and pasted into Notepad with a .js extension.
I also tried the .vbs and .wsf extensions and they gave errors also.
What type of script (what extension) is this supposed to be saved as? I realise the regulars here would know this, but as this forum is easily available through a web search, it would be helpful if you gave such elementary details. :-)
...glen
#8 - Posted 25 February 2007 - 04:38 PM
#9 - Posted 26 February 2007 - 11:24 AM
[For Those who want to know]
ROT13, the encrypting sequence Windows uses, is the most basic type: you simply change each letter to the one 13 ahead in the alphabet (looping around if necessary).
So ROT13 in ROT13 (not counting the numbers) would be EBG13.
------------------------------------------------------------------------------
-Wikipedia Article
-Online ROT13 Translator
#10 - Posted 13 December 2007 - 12:13 AM
Still... how do you decode the value? What's the value data? What does it stand for?
#11 - Posted 17 April 2010 - 02:16 PM
Still... how do you decode the value? What's the value data? What does it stand for?
The value data is HEX, so you just need to convert to DEC for numbers and to BIN for ASCII characters.
This program does it for you: http://www.nirsoft.n...ssist_view.html
#12 - Posted 25 March 2011 - 10:37 PM