If you have missed the first part, read it here. In the second part we are taking a look at cleaning your UserAssist entries every time you log off.
General Thoughts On Backdoors
Obviously you could delete UserAssist entries more frequently using tools like AutoHotkey, but keep in mind if the NSA has a backdoor on Windows they will probably use certain triggers. It is quite obvious that one of the easiest triggers to send out data is every time you log on or off. At that time, your machine is very vulnerable. In general, it takes a few seconds for programs to start or close. During that time a firewall is not capable of blocking any intruders or applications requesting an outgoing connection. Also, any network analyzers will have a hard time to catch that. So, basically the best time to send a request would be during start-up. Of course, the most efficient backdoors use system services so you will never know when data will be sent out.
UserAssist: Keeping A Clean Record
Using a simple batch file and a registry file we can clear the UserAssist every time we log off. This is actually quite easy on all Windows version that include the policy editor. Let’s get to work:
Creating The Batch File To Drop The Registry Entry
1. Step Next, we create a batch file that will execute this registry file.
2. Step Open an empty text file again and insert
reg delete HKEY_CURRENT_USER\Software\Microsoft\
(Replace reg.reg with the name of your actual registry file, whatever you called it)
3. Step Now save the batch file with the extension .bat – follow the same procedure as in step 3 (select Batch file from the Save as dropdown in notepad++, in Notepad select “All Files”
4. Step A correct batch file will show up (with the gear icon) as soon as you save the file:
9. Step Alrighty, now we have a batch file that drops the registry item UserAssist that is logging your frequently used programs. There are a few methods we can use now to execute this script whenever we log off
Update: This Is Optional (If The Batch Above Doesn’t Work For You, Try This
1. Step Open a plain text file (I use notepad++ for this) and insert the following code including the first line
Windows Registry Editor Version 5.00
2. Step Important: Note the “-” in front of the key, this basically tells the Windows registry to drop this registry entry and all subentries!
3. Step Alright, now save the text file as a .reg file. To do that you need to actually enter the extension .reg and when you’re saving the file select “All Files” (in notepad). In notepad++ you select MS ini file.
4. Step If the text file icon does NOT change to that of a registry icon, then you did something wrong and need to go back and save the file again PROPERLY.
Drop Script / Registry Tweak In GroupPolicy Scripts Directory (Important To Avoid UAC)
1. Step Open the Windows Explorer
2. Step Copy and paste this into the address bar
3. Step Next, create a directory Scripts/Logoff.
4. Step Copy the batch script (I called it delete-user-assist.bat) we created into this directory. You may need to provide admin rights to copy the batch file into this folder. In this case that’s a good thing, because it will allow us to execute scripts with admin rights!
5. Step Copy the registry file too (if you created it)
Use Group Policy Editor To Execute Batch Script Whenever We Log Off / On
1. Step Search for gpedit.msc – enter exactly as seen below. The group policy editor is also available on Windows 7
2. Step Uncollapse User Configuration, Windows Settings and select Scripts
3. Step Now add the batch file we created
Testing That Everything Works!
1. Step Download UserAssistView
2. Step Finally, log off. When you log in again, do NOT start Chrome, Firefox etc.
3. Step Go directly to your downloads folder and open UserAssistView
4. Step Now hit F5 to fresh the list and you should the latest entries. If you don’t see Chrome, everything worked. If you see Chrome go through the steps above again. A common issue may be that you did not copy the batch file into the correct folder as described above. It is important it goes into the folder %WINDIR%\system32\GroupPolicy\User\Scripts\Logoff
Voilà, if the NSA or anyone is tracking what programs you use, they will now have a hard time to keep track! Well, there’s one more thing we have to do and that is clear the index.dat file – a common file that is storing all of your websites and other info