Decrypt 'UserAssist' registry entries


dinkosta
  • Members
  • 39 posts
  • Last active: Dec 19 2008 07:25 PM
  • Joined: 28 Sep 2005
Some people are suspicious of the 'UserAssist' entries in the registry, mostly because they are encrypted. Here's a small script that will decrypt those entries:
;;Author: Kostic Dejan
;;Date: 07.04.2006

Gui, Add, ListView, vLst w700 h500 altsubmit, Path|Name|Data
 Loop,HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\count
  {
   RegRead, rval
   LV_Add("","{5E6AB780-7743-11CF-A12B-00AA004AE837}",a_loopregname,rval)
  }
 Loop,HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\count
  {
   RegRead, rsv
   LV_Add("","{75048700-EF1F-11D0-9888-006097DEACF9}",a_loopregname,rsv)
  }
Gui,add,button,gdec,&Decrypt
Gui, Show
LV_ModifyCol(1,"100")
LV_ModifyCol(2,"485")
LV_ModifyCol(3,"100")
return 

dec:
SetBatchLines,-1
LV_Delete()
SplashImage,,b1 c1,,Decrypting`nPlease wait...
 Loop,HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\count
  {
   RegRead, rval
   d2:=StringMod(a_loopregname,26-13)
   LV_Add("","{5E6AB780-7743-11CF-A12B-00AA004AE837}",d2,rval)
  }
 Loop,HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\count
  {
   RegRead, rsv
   d3:=StringMod(a_loopregname,26-13)
   LV_Add("","{75048700-EF1F-11D0-9888-006097DEACF9}",d3,rsv)
  }
SplashImage,off
return 

StringMod(_string, _chars=13)     ; made by PhiLho, adapted by me; shifts every letter by _chars places (13 = ROT13, which is its own inverse)
{
   Loop Parse, _string
   {
      char := Asc(A_LoopField)
      ; o becomes the base code ("A" or "a") when the character is a letter, otherwise 0
      o := Asc("A") * (Asc("A") <= char && char <= Asc("Z")) + Asc("a") * (Asc("a") <= char && char <= Asc("z"))
      If (o > 0)
      {
         char := Mod(char - o + _chars, 26)   ; rotate within the 26-letter alphabet, wrapping around
         char := Chr(char + o)
      }
      Else
      {
         char := A_LoopField   ; digits, punctuation and path separators pass through unchanged
      }
      rStr := rStr char
   }
   Return rStr
}

GuiClose:
ExitApp
Improvements are always welcome.

Laszlo
  • Moderators
  • 4713 posts
  • Last active: Mar 31 2012 03:17 AM
  • Joined: 14 Feb 2005
Cool! Now I see them decrypted... but what do they mean? In what order? Could you give us a pointer to where these are explained?

dinkosta
  • Members
  • 39 posts
  • Last active: Dec 19 2008 07:25 PM
  • Joined: 28 Sep 2005
Well, here are two links that deal with those entries:
http://www.utdallas....plorer_spy.html and http://personal-comp...3/v29/vic29.htm.
I'm no expert about these things, but I saw some articles and posts talking about those entries so I thought it would be nice to have them decrypted.
The decrypted entries appear inside the ListView in a different order compared to their order inside the registry, but I don't know why.

robiandi
  • Guests
  • Last active:
  • Joined: --
The links are very helpful, thanks.

Serenity
  • Members
  • 1271 posts
  • Last active:
  • Joined: 07 Nov 2004

The decrypted entries appear inside the ListView in a different order compared to their order inside the registry, but I don't know why.


This might be in part due to the way registry loops work:

The values and subkeys are retrieved in reverse order (bottom to top) so that RegDelete can be used inside the loop without disrupting the loop.


Perhaps your script could include options to delete the count keys (Windows recreates these at startup), and also to toggle/turn off logging and ROT13 encryption:

; Microsoft Internet Toolbar
regdelete, HKCU
, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\count

; ActiveDesktop
regdelete, HKCU
, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\count

; Disable logging and encryption
regwrite, REG_DWORD, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\Settings, NoLog, 1
regwrite, REG_DWORD, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\Settings, NoEncrypt, 1

"Anything worth doing is worth doing slowly." - Mae West

dinkosta
  • Members
  • 39 posts
  • Last active: Dec 19 2008 07:25 PM
  • Joined: 28 Sep 2005
Thank you for your feedback, robiandi and Serenity.
@Serenity
Those are nice suggestions, thanks.

hackalot
  • Guests
  • Last active:
  • Joined: --
The value... how do we decode the value?

glen
  • Guests
  • Last active:
  • Joined: --
I don't do scripting, so I can't say why, but the script gives an error here:

Path: \UserAssist.js
Line: 2
Char: 18
Error: Expected ';'
Code: 800A03EC
Source: Microsoft JScript compilation error

I used the "Copy" link here and pasted into Notepad with a .js extension.
I also tried the .vbs and .wsf extensions and they gave errors also.

What type of script (what extension) is this supposed to be saved as? I realise the regulars here would know this, but as this forum is easily available through a web search, it would be helpful if you gave such elementary details. :-)

...glen

Duh
  • Guests
  • Last active:
  • Joined: --
In case you're still trying to run it with wscript, it's an AHK script.
See the homepage.
:lol:

QuestionMark
  • Guests
  • Last active:
  • Joined: --
[For Those who want to know]
ROT13, the encrypting sequence Windows uses, is the most basic type: you simply change each letter to the one 13 ahead in the alphabet (looping around if necessary).
So ROT13 in ROT13 (not counting the numbers) would be EBG13.
------------------------------------------------------------------------------
-Wikipedia Article
-Online ROT13 Translator

  • Guests
  • Last active:
  • Joined: --
Still... how do you decode the value? What's the value data? What does it stand for?

Petes
  • Guests
  • Last active:
  • Joined: --

Still... how do you decode the value? What's the value data? What does it stand for?


The value data is HEX so you just need to convert to DEC for numbers and to BIN for ASCII characters.

This program makes it for you: http://www.nirsoft.n...ssist_view.html

Petes
  • Guests
  • Last active:
  • Joined: --
Or just use the HEX to convert to ASCII. :roll:
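An added, stand-alone example (not code from this thread or from any of the posters) that covers both the ROT13 name decryption in the first post and the "how do we decode the value?" question answered above: a Python decoder for one UserAssist entry. The sample name and value bytes are constructed here, and the 16-byte Windows XP/2003 value layout (session ID, run count stored as count+5, FILETIME of last run) is assumed from public forensic write-ups, not stated anywhere in the thread.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample (not from a real hive): a ROT13 value name as it appears
# under ...\UserAssist\{GUID}\count. Decrypts to UEME_RUNPATH:C:\Windows\notepad.exe
SAMPLE_NAME = "HRZR_EHACNGU:P:\\Jvaqbjf\\abgrcnq.rkr"

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
COUNT_OFFSET = 5  # assumption: XP stores the run count starting at 5


def decrypt_name(value_name: str) -> str:
    """Undo the ROT13 applied to value names; only A-Z/a-z change, paths and digits stay."""
    return codecs.decode(value_name, "rot_13")


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_xp_value(raw: bytes) -> dict:
    """Parse the 16-byte XP-style value data: the 'hex' the thread mentions is this struct."""
    if len(raw) != 16:
        raise ValueError(f"expected 16 bytes of XP-style value data, got {len(raw)}")
    session, stored_count, last_run = struct.unpack("<IIQ", raw)
    return {
        "session": session,
        "run_count": max(stored_count - COUNT_OFFSET, 0),
        "last_run": filetime_to_datetime(last_run) if last_run else None,
    }


def build_xp_value(session: int, run_count: int, last_run: datetime) -> bytes:
    """Inverse of decode_xp_value, used only to construct sample data."""
    return struct.pack("<IIQ", session, run_count + COUNT_OFFSET, datetime_to_filetime(last_run))


def decode_entry(value_name: str, raw: bytes) -> dict:
    entry = decode_xp_value(raw)
    entry["name"] = decrypt_name(value_name)
    return entry


# Constructed value: session 3, run 7 times, last run 2006-04-07 12:00 UTC
SAMPLE_VALUE = build_xp_value(3, 7, datetime(2006, 4, 7, 12, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    for key, val in decode_entry(SAMPLE_NAME, SAMPLE_VALUE).items():
        print(f"{key:>9}: {val}")
```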