mkorman90 / regipy

Regipy is an os independent python library for parsing offline registry hives
MIT License

UserAssist binary value is returned incomplete #242

Open nrrpinto opened 1 year ago

nrrpinto commented 1 year ago

From HIVE file NTUSER.DAT, I want to extract the content of Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count.

All seems good except the binary data: just 64 bytes are returned; however, the complete binary string is 72 bytes.

Example:

This is what it should return: (screenshot attached)

This is what it returns: 9200 0000 0000 0000 0000 0000 0000 0000 9976 043d 5c5c a73d 96d2 8c3d 9550 333d 1a1a 1b3c b31a 4a3d 455d c63b b524 c93b d598 393d caff fc3d 0800 0000 5026 b568

The code I am using that writes the retrieved data into a CSV file:

import codecs
import csv
import regipy

hive = regipy.registry.RegistryHive(r"<path_to_hive>\NTUSER.DAT")
key = "NTUSER.DAT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"

# Raw strings: "\{" inside a normal string literal is an invalid escape sequence.
GUID_TYPES = {
    r"\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count": "Objects that have been accessed.",
    r"\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count": "Shortcut links used to start programs.",
}

# csv.writer quotes fields, so a path or value containing a comma cannot break a row.
with open("userassist.csv", "w", encoding="UTF-8", newline="") as uaf:
    writer = csv.writer(uaf)
    writer.writerow(["timestamp", "User", "Index", "Object", "Encoded", "binary", "Type"])

    for entry in hive.recurse_subkeys(hive.get_key(key), as_json=True):
        if entry.values_count <= 1:
            continue
        GUID_Type = GUID_TYPES.get(entry.path, "")
        index_i = 0

        for value in entry.values:
            application_encoded = value["name"]
            # UserAssist value names are ROT13-encoded; the stdlib codec replaces the custom Rot13 module.
            application_fullpath = codecs.decode(value["name"], "rot_13")
            # Binary data rendered as hex text here (as_json=True); only 64 bytes because recurse_subkeys trims values.
            binary_value = value["value"]
            writer.writerow(["timestamp", "User", index_i, application_fullpath, application_encoded, binary_value, GUID_Type])
            index_i += 1
mkorman90 commented 1 year ago

The recurse_subkeys function trims values by default (I have to add support for the trim_values parameter).

Meanwhile, look at the user assist parsing example at https://github.com/mkorman90/regipy/blob/master/regipy/plugins/ntuser/user_assist.py#L80

It is possible to fetch the subkey itself, then use subkey.iter_values(trim_values=False) to iterate over the values.
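A parser for the untrimmed 72-byte Count record, as an added example (not regipy's own plugin code). It assumes the Windows 7+ record layout noted in the comments, takes (name, bytes) pairs such as (v.name, v.value) from subkey.iter_values(trim_values=False), and uses the 64-byte value quoted in the issue plus one constructed full record as sample input:

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Assumed Win7+ UserAssist\{GUID}\Count record layout (72 bytes):
#   0 session id | 4 run counter | 8 focus count | 12 focus time (ms)
#   16 ten float32 counters | 56 unknown | 60 FILETIME | 68 unknown
RECORD_FMT = "<IIII10fIQI"
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 72

# Constructed samples. The first is the 64-byte value quoted in the issue
# (the record's last 8 bytes, including half the FILETIME, are missing);
# the second is a hypothetical full record built with struct.pack.
TRIMMED_HEX = ("9200 0000 0000 0000 0000 0000 0000 0000 9976 043d 5c5c a73d 96d2 8c3d "
               "9550 333d 1a1a 1b3c b31a 4a3d 455d c63b b524 c93b d598 393d caff fc3d "
               "0800 0000 5026 b568")
SAMPLE_FILETIME = 132854688000000000  # 2022-01-01T00:00:00Z
FULL_RECORD = struct.pack(RECORD_FMT, 0x92, 5, 3, 1500, *([0.0] * 10), 8, SAMPLE_FILETIME, 0)
SAMPLE_VALUES = [
    ("HRZR_EHACNGU:P:\\Jvaqbjf\\abgrcnq.rkr", bytes.fromhex(TRIMMED_HEX)),
    ("HRZR_EHACNGU:P:\\Jvaqbjf\\abgrcnq.rkr", FULL_RECORD),
]

def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_userassist(name, data):
    """Decode one value: ROT13 program name plus the fixed-size binary record."""
    if len(data) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} bytes, got {len(data)}: value was trimmed?")
    f = struct.unpack(RECORD_FMT, data)
    return {
        "name": codecs.decode(name, "rot_13"),
        "session_id": f[0],
        "run_counter": f[1],
        "focus_count": f[2],
        "focus_time_ms": f[3],
        "last_executed": filetime_to_datetime(f[15]),
    }

def parse_entries(values):
    """values: iterable of (name, raw_bytes). Trimmed records are reported, not dropped."""
    out = []
    for name, data in values:
        try:
            out.append(parse_userassist(name, data))
        except ValueError as exc:
            out.append({"name": codecs.decode(name, "rot_13"), "error": str(exc)})
    return out
```

Running parse_entries(SAMPLE_VALUES) flags the issue's 64-byte value as trimmed and yields the execution timestamp only for the full record, which is why the trimmed output cannot be used for timeline work.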