Yet Another Method Windows Uses to Log Your Computer Activity

Jeremy Bryan Smith aka Helamonster
08 June 2002, Update 04 March 2003, Update 18 August 2003

Update (04 March 2003):
I have converted this document from plain text to HTML. I also added a link describing how to set up logon/logoff scripts.

I was recently poking around my Windows registry, looking for a way to modify an explorer menu, when I happened upon a few suspicious keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
and:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Both keys contained a huge number of REG_BINARY entries with some odd looking key names. After looking through them for a while, I realized that the key names had been modified with the common ROT-13 string manipulation routine. So I decoded a few of them to see what the hell all this data was for. What I found was quite interesting. From here on, I will refer to the decoded key names as just the 'key names'.

All the key names begin with one of the following strings, which tells you what the rest of the key name refers to. "(entire string)" means the key name is exactly that string, with nothing after it.

Key name prefix        Type of data stored in key
UEME_RUNPIDL           local files, titles of web pages
UEME_RUNPATH           executables
UEME_CTLSESSION        (entire string) always the first key written; unknown purpose
UEME_CTLCUACount       unknown
UEME_UISCUT            (entire string) unknown; clipboard cut?
UEME_UIQCUT            (entire string) unknown; clipboard cut?
UEME_UIHOTKEY          (entire string) unknown; hotkey pressed?
UEME_RUNWMCMD          unknown
UEME_RUNCPL            execution of Control Panel applets
UEME_UITOOLBAR         unknown; use of a toolbar button?


The rest of each key name, after the colon (:), is a file path, the title of a web page, or some other data I have not identified. The binary data of every key except UEME_CTLSESSION is 16 bytes long; the UEME_CTLSESSION key's data is 8 bytes long. I have not found out what that data represents, but I think it is probably a date/time value. Some of the entries containing file paths use the following placeholders (the numbers are CSIDL special-folder IDs):
%csidl2% = Start Menu Programs directory (CSIDL_PROGRAMS)
%csidl6% = Favorites directory (CSIDL_FAVORITES)


FYI: A PIDL is a Pointer to an ID List. Every item in Explorer's namespace, whether it's a file, directory, Control Panel applet, or an object exposed by a shell extension, can be uniquely identified by its PIDL. See http://www.codeproject.com/shell/namespcextguide1.asp#PIDLs for more information on PIDLs.

Here are a few examples of what I found, in "key name"=hex:value format:

"UEME_RUNPIDL:2600 - The Hacker Quarterly Info"=hex:61,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"UEME_CTLCUACount:ctor"=hex:00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"UEME_RUNPIDL:saturn_rings_false.jpg"=hex:61,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"UEME_RUNPATH:D:\installs\drivers\nVidia Riva TNT (STB Velocity 4400)\28.32_winxp.exe"=hex:66,00,00,00,06,00,00,00,e0,0c,ff,e8,81,d1,c1,01
"UEME_RUNPIDL:C:\profiles\Helamonster\Recent\Aqua - Doctor Jones.mp3.lnk"=hex:66,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"UEME_RUNPIDL:IPN.doc"=hex:7c,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"UEME_RUNPATH:\\Helamonster\resource\meg102w2k.exe"=hex:99,00,00,00,06,00,00,00,40,b8,e5,a7,c1,f4,c1,01
"UEME_UITOOLBAR:0x1,122"=hex:b6,00,00,00,09,00,00,00,b0,c5,70,f3,2f,0a,c2,01
"UEME_RUNWMCMD:0x2,113"=hex:01,00,00,00,06,00,00,00,30,41,98,03,6e,8a,c1,01


I did not like this at all! At first, I thought I might have been infected by a trojan or something. But I found that in fact, EXPLORER.EXE is the program that writes these keys. I also did a little searching on the internet and found that a few people had the same keys, although they seemed to not know what they were (they didn't even notice the ROT-13). The EXE had not been modified from the Windows 2000 Service Pack 2 version I had archived, which means it was probably not infected. I then checked my other computer, also running Windows 2000 SP2, and the same keys exist there too, with a bunch of entries (although fewer, because I use that computer less). So at this point I am reasonably sure this activity is done solely by Microsoft.

My {5E6AB780-7743-11CF-A12B-00AA004AE837} key (5E key) contained fewer entries than my {75048700-EF1F-11D0-9888-006097DEACF9} key (75 key). The 5E key had only .url files (files in Internet Explorer's Favorites menu) along with other things like UEME_UIHOTKEY, UEME_RUNWMCMD, UEME_UITOOLBAR, and others. It had no other local files and no titles of web pages. The 75 key had much more, including local files, titles of web pages, .url files in Favorites, and a few others including UEME_RUNWMCMD.

Both keys had entries for files and URLs that I haven't accessed for years. And it appears that there are entries for things I accessed only when I first installed Windows (like drivers). This could mean that Windows logs this information and never deletes the log data. This bloats the registry, which fragments it, which slows Windows down. It took regedit 10 seconds to load and display all the keys in my 75 key (on a 1200 MHz machine). The 75 key had 18,497 entries! The 5E key had 394 entries.

So then, I exported the keys to a text file for later inspection and deleted the keys from my registry. As soon as I double-clicked "My Computer," the keys were re-written (although the only entry at this point was UEME_CTLSESSION). I continued to access files and browse the web (with IE), and of course, the 75 key continued to gain entries.

After searching the internet, I found the following article (in German):
http://www.windows2000helpline.de/forum/showthread.php?s=63fd3abf847480c982b6e195b1c2bee4&threadid=29066
Which was copied here:
http://pub15.ezboard.com/fsecurityboardsfrm6.showMessage?topicID=628.topic
Which refers to a Microsoft article:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q239062
I don't speak German, but I was able to determine that this guy noticed these registry keys before I did. He also found out that you can apparently add a registry key under: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\Settings as: NoEncrypt = 1 (DWORD) to make Windows not 'encrypt' the text of the registry key names. Of course, this does not 'decrypt' the current entries.
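To make the entries listed earlier and the NoEncrypt setting just described concrete, here is an added example. It is my own Python, not code from the original page and not User Assist Spy. It reads the lines of a regedit export of a Count key, undoes the ROT-13 on the value names (or leaves them alone when NoEncrypt = 1 has been set and new names are stored in the clear), rejoins the hex data that regedit wraps across lines, and unpacks each 16-byte value. The page only reports the 16- and 8-byte lengths; the interpretation used here, a 4-byte session id, a 4-byte run counter and an 8-byte FILETIME of the last run, is the layout later documented for UserAssist on Windows 2000/XP and is an assumption as far as this page goes. It does fit the sample values: the nVidia driver entry decodes to 22 March 2002, while the RUNPIDL entries whose trailing eight bytes are zero carry no timestamp at all. The sample export is constructed from the page's entries (with the backslash doubling regedit really writes); the UEME_CTLSESSION bytes and the timedate.cpl line are placeholders, since the page gives no values for them.

```python
"""Decode UserAssist Count entries from a regedit .reg export (added example)."""
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample in the form regedit writes REG_BINARY values: names still
# ROT-13 encoded, backslashes doubled, long values wrapped with a trailing '\'.
# The IPN.doc and nVidia values are the page's; the CTLSESSION bytes and the
# timedate.cpl line are placeholders (the last one as a NoEncrypt=1 system
# would store it, i.e. not ROT-13 encoded).
SAMPLE_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
"HRZR_PGYFRFFVBA"=hex:00,00,00,00,00,00,00,00
"HRZR_EHACVQY:VCA.qbp"=hex:7c,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACNGU:Q:\\vafgnyyf\\qeviref\\aIvqvn Evin GAG (FGO Irybpvgl 4400)\\28.32_jvakc.rkr"=hex:66,00,00,00,06,00,00,00,\
  e0,0c,ff,e8,81,d1,c1,01
"UEME_RUNCPL:timedate.cpl"=hex:01,00,00,00,07,00,00,00,00,00,00,00,00,00,00,00
'''

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=hex:([0-9a-fA-F, ]*)$')


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; zero means never recorded."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def decode_name(stored: str) -> str:
    """Undo ROT-13 unless the name is already plain (NoEncrypt = 1 systems)."""
    if stored.startswith("UEME_"):
        return stored
    return codecs.decode(stored, "rot_13")


def parse_value(stored_name: str, data: bytes) -> Dict:
    """Interpret one Count entry. The 16-byte layout (session id, run count,
    FILETIME) is the documented 2000/XP format, an assumption for this page."""
    entry = {"name": decode_name(stored_name), "size": len(data)}
    if len(data) == 16:
        session, count, ft = struct.unpack("<IIQ", data)
        entry.update(session=session, count=count, last_run=filetime_to_datetime(ft))
    else:
        entry["raw"] = data.hex()  # e.g. the 8-byte UEME_CTLSESSION blob
    return entry


def parse_reg_export(text: str) -> List[Dict]:
    """Parse every "name"=hex:... line of a .reg export into decoded entries."""
    # regedit wraps long hex values with a trailing backslash; rejoin them first.
    text = re.sub(r"\\\r?\n\s*", "", text)
    entries = []
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue  # key headers, blank lines, non-binary values
        name = re.sub(r"\\(.)", r"\1", m.group(1))  # \\ -> \ and \" -> "
        data = bytes.fromhex(re.sub(r"[ ,]", "", m.group(2)))
        entries.append(parse_value(name, data))
    return entries


def timeline(entries: List[Dict]) -> List[str]:
    """Entries that carry a last-run time, oldest first, one line each."""
    dated = [e for e in entries if e.get("last_run")]
    dated.sort(key=lambda e: e["last_run"])
    return [f"{e['last_run']:%Y-%m-%d %H:%M:%S} UTC  run={e['count']}  {e['name']}" for e in dated]


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for e in parsed:
        print(e)
    print("\n".join(timeline(parsed)))
```

Run it as a script to print each decoded entry and a timeline ordered by last-run time. A zero FILETIME is reported as None rather than as 1 January 1601, which is the usual mistake when these values are fed straight into a date converter. The run counter is reported raw; on XP it is generally reported to start at 5, which would make the 06 above a single execution, but that is not something this page establishes.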


What to do? I just delete those dumb keys at every logon/logoff or manually by executing a script. I added those registry keys to my list that I regularly delete with a little win32 batch script I put together. I have text files called keys.kil, files.kil, dirs.kil that contain registry keys, filenames, or directory names (respectively) that I want to delete, one per line. A file named 'yes' is created by the script that contains the character y and a newline (for answering yes to prompts). The 'C:\WINNT\system32\GroupPolicy\User\Scripts\cleanup.cmd' file contains the following:

-------------------------------------

@echo off
rem Work from the script directory so the relative .kil list names resolve.
c:
cd "C:\WINNT\system32\GroupPolicy\User\Scripts"

echo:
echo:

rem Build the answer file: a "y" and a blank line, fed to stdin of tools that prompt.
echo y >yes
echo: >>yes

echo Attempting to delete stupid directories and subdirectories...
echo:

rem "delims=?" makes the whole line one token, so paths with spaces survive in %%i.
for /f "delims=?" %%i in (dirs.kil) do (
echo "%%i"...
deltree /y "%%i" <yes
)
echo:
echo:

echo Attempting to delete stupid registry entries and keys...
echo:

for /f "delims=?" %%i in (keys.kil) do (
echo "%%i"...
rem /f skips the confirmation prompt; stdin comes from the answer file, which must only ever be read here, never written.
reg delete "%%i" /f <yes
)

echo:
echo:

echo Attempting to delete stupid files...
echo:

for /f "delims=?" %%i in (files.kil) do (
echo "%%i"...
rem Clear the system, hidden and read-only attributes first, otherwise del refuses the file.
if exist "%%i" attrib -s -h -r "%%i"
if exist "%%i" del "%%i"

)


-------------------------------------


Update (18 August 2003):
I have also written a program, User Assist Spy, to show exactly what information is stored in this portion of the registry. It also lets you copy or remove the information. Check it out on my software page.

Update (04 March 2003):
If you want Windows 2000 (or XP?) to execute this script every time you log in and/or log off for all users or just for a specific user, see the following howto:
HOW TO: Assign Scripts in Windows 2000

Windows 95/98/ME users won't be able to use that method. You can just create a shortcut to the script in your (or the 'All Users') Start Menu's Startup folder, but I don't know how to execute a logoff script for those old systems. If you know, please let me know and I'll post it here.

Here is my complete list of registry keys I wipe out:

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
HKCU\Software\Microsoft\Internet Explorer\IntelliForms\SPW
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

And here are a few directories you will probably want to wipe out (you might need to change the variables):

%USERPROFILE%\Cookies
%USERPROFILE%\History
%USERPROFILE%\Recent
%USERPROFILE%\Local Settings\Temporary Internet Files
%USERPROFILE%\Local Settings\History
%USERPROFILE%\UserData
%USERPROFILE%\Application Data\Microsoft\Office\Recent
%USERPROFILE%\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data
%SystemDrive%\recycled
%SystemDrive%\RECYCLER
%windir%\temp
%temp%

You may need to modify this to meet your specific needs.
Note that you will need deltree.exe and reg.exe, which do not come standard with Windows NT / 2000. REG.EXE comes with the Microsoft Windows NT Server 4.0 Resource Kit. You can get an updated version of it here:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/reskit/nt40/i386/reg_x86.exe
DELTREE.EXE comes with MS-DOS and Windows 95/98/ME, which I'm sure you already have. Visit http://www3.sympatico.ca/rhwatson/dos7/z-deltree.html to find out which CAB file it is in for your version of Windows.

Of course, this does not solve the problem. It merely fixes the symptoms. Microsoft's products are known for archiving large amounts of personal data for no apparent reason. This includes internet addresses visited, local files accessed, email addresses, and so on. But I've personally never found such a large database of this type of information before now. Storing info about internet history and recent documents makes sense, because all of this information is used to help the user access recently used information. But I see absolutely no reason for this huge registry database of information.