#-----------------------------------------------------------------------------#
UserAssist.pl
Copyright 2006 Jake Cunningham jakec76@users.sourceforge.net

Background:
-----------
This script parses the
\HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
registry key found in an NTUSER.DAT file of a Win2k, XP or 2k3 system.

The NTUSER.DAT file is a Windows Registry file which contains specific user
profile information. There is typically one file per user, located in
C:\Documents and Settings\\

There may also be NTUSER.DAT files found in
C:\Documents and Settings\All Users\
C:\Documents and Settings\Default User\

The contents of the NTUSER.DAT registry file are displayed under the
HKEY_CURRENT_USER section of the registry when viewed in Windows' "regedit".

The registry key:
\HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
found in each NTUSER.DAT file contains information about what programs were
run, the last time each program was run, and the total number of times it was
run. The data in this key can provide valuable information for a forensic
investigation.

Usage:
--------
After extracting the NTUSER.DAT files for the relevant users using your data
recovery tool of choice:

./UserAssist.pl -f NTUSER.DAT

For the full list of available options:

./UserAssist.pl -h

-h    This help info
-f
-t    Use Tab delimited output instead of default ","
-n    Suppress the output of the original ROT13 encoded value

Caveats:
--------
- Times displayed are in the local time of the parsing system, and may not
  reflect the actual timezone offset of the originating host.
- If the time/date column displays "" it could mean there is data, it's just
  not a meaningful date.
- If the number of times run column displays "" it means the count is less
  than 0 once the 5 points are subtracted.
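The following is an added example, not code from UserAssist.pl or its author, showing the decoding the script performs on each Count value: the value name is ROT13-encoded, and the data (on the XP-era systems the script targets) is 16 bytes: a 4-byte session id, a 4-byte run count that starts at 5, and an 8-byte FILETIME for the last run. The example reproduces the two caveats above (an empty field for a non-meaningful date and for an adjusted count below 0) and the -t / -n output options. The sample names and raw bytes are constructed, the 16-byte layout is an assumption stated in the code, and timestamps are rendered in UTC rather than the parsing system's local time, which avoids the first caveat. It reads nothing from a real hive, so Parse::Win32Registry is not needed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Well-known tick count for the Unix epoch (1970-01-01 UTC); used to build sample data.
FILETIME_UNIX_EPOCH = 116444736000000000
FILETIME_TICKS_PER_DAY = 86400 * 10_000_000


def filetime_to_utc(ft):
    """Convert a 64-bit FILETIME to an aware UTC datetime.
    A zero value is returned as None: it is data, but not a meaningful date."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_userassist_value(rot13_name, raw):
    """Decode one value from the UserAssist\\{...}\\Count key.
    Assumed layout (16 bytes, little-endian): session id (4), run count (4),
    last-run FILETIME (8). The stored count starts at 5, so 5 is subtracted;
    a result below 0 is reported as None, as the script shows it as ""."""
    if len(raw) != 16:
        raise ValueError("expected a 16-byte UserAssist value, got %d bytes" % len(raw))
    session, count, ft = struct.unpack("<IIQ", raw)
    return {
        "name": codecs.decode(rot13_name, "rot_13"),
        "rot13_name": rot13_name,
        "session": session,
        "runs": count - 5 if count >= 5 else None,
        "last_run_utc": filetime_to_utc(ft),
    }


def format_rows(entries, tab=False, show_rot13=True):
    """Render parsed entries as delimited lines: tab=True mirrors -t,
    show_rot13=False mirrors -n. Empty fields follow the README's caveats."""
    sep = "\t" if tab else ","
    rows = []
    for e in entries:
        when = e["last_run_utc"].strftime("%Y-%m-%d %H:%M:%S UTC") if e["last_run_utc"] else ""
        runs = "" if e["runs"] is None else str(e["runs"])
        cols = [e["name"], when, runs]
        if show_rot13:
            cols.append(e["rot13_name"])
        rows.append(sep.join(cols))
    return rows


# Constructed sample values (not taken from any real hive):
#  - calc.exe run 3 times (stored count 8), last run one day after the Unix epoch
#  - an Accessories shortcut with stored count 3 (below 5) and a zero FILETIME
SAMPLE_VALUES = [
    (r"HRZR_EHACNGU:P:\Jvaqbjf\flfgrz32\pnyp.rkr",
     struct.pack("<IIQ", 10, 8, FILETIME_UNIX_EPOCH + FILETIME_TICKS_PER_DAY)),
    (r"HRZR_EHACVQY:%pfvqy2%\Npprffbevrf",
     struct.pack("<IIQ", 10, 3, 0)),
]


def parse_samples():
    """Parse the constructed sample values; returns a list of entry dicts."""
    return [parse_userassist_value(name, raw) for name, raw in SAMPLE_VALUES]


if __name__ == "__main__":
    for line in format_rows(parse_samples()):
        print(line)
```

Running the block prints two CSV lines; the second has empty date and count fields, which is exactly what the Caveats section describes, so a blank cell in the script's output should be read as "present but not meaningful" rather than as missing data.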
Dependencies:
------------
This script requires the Parse::Win32Registry Perl module, unless you are using
the compiled binary distribution of this file.

LICENSE:
--------
Copyright (C) 2006 by Jacob Cunningham. All rights reserved

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version.

This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with
this program; if not, write to the Free Software Foundation, Inc., 59 Temple
Place, Suite 330, Boston, MA 02111-1307 USA