This is the artifacts which is inside the NTUSER.DAT file [ HKCU Registry ]. It will contain the information about what programs are executed inside the system.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\
- This can provide which program is executed on system.
- Provide the detail if the program is
executed via lnk or the executable. - Provide the
number of timesthe program is executed. - Provide the the last
Modification Time - Also provide the details like focus seconds of the executed program, path of the exectubale or lnk.
python3 main.py -f <Exported HKCU>
Program Execution Analysis using UserAssist Key in Modern Window