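def UserAssist_F4E():
    """Parse the UserAssist {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count key of NTUSER.

    Each value under the key is one UserAssist entry: the value name is the
    ROT13-obfuscated program path and the value data holds the run count at
    offset 4 and the last-execution FILETIME at offset 60.

    Returns:
        A list of ``[program_name, run_count, last_executed_time]`` rows, one
        per value, or ``None`` if the hive/key cannot be opened or a value
        cannot be decoded. ``last_executed_time`` is ``None`` when the
        FILETIME field is missing or all zeros, or for the
        ``UEME_CTLSESSION`` session-marker entry.
    """
    path = (
        "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\"
        "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count"
    )
    try:
        registry = Registry.Registry(NTUSER)
        key = registry.open(path)

        result = []
        for v in key.values():
            # De-obfuscate the value name, then map known-folder GUID
            # prefixes to readable names.
            program_name = decode.GUID_to_display_name(decode.ROT13(v.name()))
            # Read the raw value data once and parse it from fixed offsets.
            data = v.value()
            run_count = int.from_bytes(data[4:8], byteorder="little", signed=False)
            filetime = data[60:68]
            # Hive data is untrusted input: a truncated or older-format entry
            # yields a short slice, which must not reach convert_time().
            # An all-zero FILETIME or the session marker has no timestamp.
            if (
                len(filetime) < 8
                or filetime == b"\x00\x00\x00\x00\x00\x00\x00\x00"
                or program_name == "UEME_CTLSESSION"
            ):
                last_executed_time = None
            else:
                last_executed_time = decode.convert_time(filetime)

            result.append([program_name, run_count, last_executed_time])
        return result
    except Exception:
        # Best-effort artifact collection: report and return None rather than
        # abort. `except Exception` (not bare `except:`) keeps
        # KeyboardInterrupt/SystemExit propagating.
        print(
            "Error while parsing UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"
        )
        return None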
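def UserAssist_CEB():
    """Parse the UserAssist {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count key of NTUSER.

    Each value under the key is one UserAssist entry: the value name is the
    ROT13-obfuscated program path and the value data holds the run count at
    offset 4 and the last-execution FILETIME at offset 60.

    Returns:
        A list of ``[program_name, run_count, last_executed_time]`` rows, one
        per value. ``last_executed_time`` is ``None`` when the FILETIME field
        is missing or all zeros, or for the ``UEME_CTLSESSION`` session-marker
        entry.

    Raises:
        Whatever ``Registry.Registry`` / ``registry.open`` raise when the hive
        or key cannot be opened; errors are not swallowed here.
    """
    path = (
        "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\"
        "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count"
    )
    registry = Registry.Registry(NTUSER)
    key = registry.open(path)

    result = []
    for v in key.values():
        # De-obfuscate the value name, then map known-folder GUID prefixes
        # to readable names.
        program_name = decode.GUID_to_display_name(decode.ROT13(v.name()))
        # Read the raw value data once and parse it from fixed offsets.
        data = v.value()
        run_count = int.from_bytes(data[4:8], byteorder="little", signed=False)
        filetime = data[60:68]
        # Hive data is untrusted input: a truncated or older-format entry
        # yields a short slice, which must not reach convert_time().
        # An all-zero FILETIME or the session marker has no timestamp.
        if (
            len(filetime) < 8
            or filetime == b"\x00\x00\x00\x00\x00\x00\x00\x00"
            or program_name == "UEME_CTLSESSION"
        ):
            last_executed_time = None
        else:
            last_executed_time = decode.convert_time(filetime)

        result.append([program_name, run_count, last_executed_time])

    return result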