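def UserAssist_F4E():
    """Parse the UserAssist {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} Count key.

    Opens the hive named by the module-level ``NTUSER`` and walks every value
    under the Count subkey. Value names are passed through ``decode.ROT13``
    and then ``decode.GUID_to_display_name``.

    Returns:
        A list of ``[program_name, run_count, last_executed_time]`` entries,
        or ``None`` when the hive or key could not be parsed.
        ``last_executed_time`` is ``None`` for the ``UEME_CTLSESSION`` entry,
        for an all-zero timestamp field, and for a record too short to hold
        the 8-byte field at offset 60.
    """
    path = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\" \
           "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count"
    try:
        registry = Registry.Registry(NTUSER)
        key = registry.open(path)
        result = []
        for v in key.values():
            program_name = decode.ROT13(v.name())
            program_name = decode.GUID_to_display_name(program_name)

            # Read the raw record once. The hive is evidence taken from a
            # possibly compromised host, so its length and content are
            # untrusted.
            data = v.value()

            # Bytes 4..8: unsigned little-endian run counter.
            # NOTE(review): a record shorter than 8 bytes yields a counter
            # built from whatever bytes are present (0 when none are).
            run_count = int.from_bytes(data[4:8], byteorder="little", signed=False)

            # Bytes 60..68: last-execution timestamp. A truncated slice is
            # treated as "no timestamp", so one malformed record cannot abort
            # the whole key.
            timestamp = data[60:68]
            if (len(timestamp) < 8
                    or timestamp == b'\x00\x00\x00\x00\x00\x00\x00\x00'
                    or program_name == "UEME_CTLSESSION"):
                last_executed_time = None
            else:
                last_executed_time = decode.convert_time(timestamp)

            result.append([program_name, run_count, last_executed_time])
        return result
    except Exception as exc:
        # Catch Exception rather than using a bare except, so that
        # KeyboardInterrupt and SystemExit still propagate. Report the cause
        # so the analyst can tell a missing key from a corrupt hive.
        print(
            "Error while parsing UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}:",
            repr(exc)
        )
        return None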
def UserAssist_CEB():
    """Parse the UserAssist {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} Count key.

    Opens the hive named by the module-level ``NTUSER`` and returns one
    ``[program_name, run_count, last_executed_time]`` list per value under
    the Count subkey. ``last_executed_time`` is ``None`` for the
    ``UEME_CTLSESSION`` entry and for an all-zero timestamp field.

    NOTE(review): unlike UserAssist_F4E, nothing is caught here. A missing
    key or an undecodable record raises to the caller.
    """
    count_key = Registry.Registry(NTUSER).open(
        "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count"
    )
    empty_stamp = b'\x00\x00\x00\x00\x00\x00\x00\x00'

    entries = []
    for entry in count_key.values():
        # Value names are stored obfuscated: undo ROT13, then resolve GUIDs.
        name = decode.GUID_to_display_name(decode.ROT13(entry.name()))

        # The record comes from the examined hive and its length is not
        # checked here.
        # NOTE(review): a record shorter than 68 bytes hands a truncated
        # slice to decode.convert_time. Confirm how that helper reacts.
        record = entry.value()

        # Bytes 4..8: unsigned little-endian run counter.
        runs = int.from_bytes(record[4:8], "little")

        # Bytes 60..68: last-execution timestamp. All zeroes means "never".
        stamp = record[60:68]
        has_time = stamp != empty_stamp and name != "UEME_CTLSESSION"
        last_run = decode.convert_time(stamp) if has_time else None

        entries.append([name, runs, last_run])
    return entries