userassist_monitor.py

userassist_monitor.py is a tool that uses real-time ETL monitoring to watch the UserAssist registry keys for changes and to parse the values that are written (ROT13-encoded value names and the binary Count records with session, run count, focus count, focus time and last execution time).
usage: userassist_monitor.py [-h] [--format FORMAT_STR]
Monitor UserAssist via ETL. Version: 0.0.1
optional arguments:
-h, --help show this help message and exit
--format FORMAT_STR This is a python fstring to format output. Default
prints json lines.
C:\Python36\python.exe userassist_monitor.py
{'ProcessId': 8116, 'ThreadId': 14252, 'TimeStamp': '2019-02-10 04:13:14.445706', 'EventDescriptor': {'Opcode': 38, 'Keyword': 9223372036854776832, 'KeywordStr': 'QueryValueKey'}, 'KeyObject': 18446652304217692176, 'Status': 0, 'InfoClass': 2, 'DataSize': 84, 'KeyName': '', 'ValueName': '{6Q809377-6NS0-444O-8957-N3773S02200R}\\WrgOenvaf\\ClPunez Pbzzhavgl Rqvgvba 2018.3.3\\ova\\clpunez64.rkr', 'CapturedDataSize': 0, 'CapturedData': None, 'ValueNameDecoded': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{6D809377-6AF0-444B-8957-A3773F02200E}\\JetBrains\\PyCharm Community Edition 2018.3.3\\bin\\pycharm64.exe', 'ValueFullPath': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{6Q809377-6NS0-444O-8957-N3773S02200R}\\WrgOenvaf\\ClPunez Pbzzhavgl Rqvgvba 2018.3.3\\ova\\clpunez64.rkr', 'UserAssist': {'session': 6, 'run_count': 28, 'focus_count': 757, 'focus_time': 3212836864, 'last_execution': '2019-02-10 00:21:45.266000'}}
{'ProcessId': 8116, 'ThreadId': 14252, 'TimeStamp': '2019-02-10 04:13:14.445838', 'EventDescriptor': {'Opcode': 36, 'Keyword': 9223372036854776064, 'KeywordStr': 'SetValueKey'}, 'KeyObject': 18446652304217692176, 'Status': 0, 'Type': 3, 'DataSize': 72, 'KeyName': '', 'ValueName': '{6Q809377-6NS0-444O-8957-N3773S02200R}\\WrgOenvaf\\ClPunez Pbzzhavgl Rqvgvba 2018.3.3\\ova\\clpunez64.rkr', 'CapturedDataSize': 0, 'CapturedData': None, 'PreviousDataType': 0, 'PreviousDataSize': 0, 'PreviousDataCapturedSize': 0, 'PreviousData': None, 'ValueNameDecoded': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{6D809377-6AF0-444B-8957-A3773F02200E}\\JetBrains\\PyCharm Community Edition 2018.3.3\\bin\\pycharm64.exe', 'ValueFullPath': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{6Q809377-6NS0-444O-8957-N3773S02200R}\\WrgOenvaf\\ClPunez Pbzzhavgl Rqvgvba 2018.3.3\\ova\\clpunez64.rkr', 'UserAssist': {'session': 6, 'run_count': 28, 'focus_count': 757, 'focus_time': 3212836864, 'last_execution': '2019-02-10 00:21:45.266000'}}
{'ProcessId': 8116, 'ThreadId': 14252, 'TimeStamp': '2019-02-10 04:13:14.445878', 'EventDescriptor': {'Opcode': 36, 'Keyword': 9223372036854776064, 'KeywordStr': 'SetValueKey'}, 'KeyObject': 18446652304217692176, 'Status': 0, 'Type': 3, 'DataSize': 1612, 'KeyName': '', 'ValueName': 'HRZR_PGYFRFFVBA', 'CapturedDataSize': 0, 'CapturedData': None, 'PreviousDataType': 0, 'PreviousDataSize': 0, 'PreviousDataCapturedSize': 0, 'PreviousData': None, 'ValueNameDecoded': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\UEME_CTLSESSION', 'ValueFullPath': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA', 'UserAssist': {'session': 6, 'run_count': 352, 'focus_count': 2333, 'focus_time': 7471203, 'last_execution': '1708-01-15 02:09:16.103692'}}
{'ProcessId': 8116, 'ThreadId': 12156, 'TimeStamp': '2019-02-10 04:13:17.570646', 'EventDescriptor': {'Opcode': 38, 'Keyword': 9223372036854776832, 'KeywordStr': 'QueryValueKey'}, 'KeyObject': 18446652304217692176, 'Status': 0, 'InfoClass': 2, 'DataSize': 84, 'KeyName': '', 'ValueName': 'Zvpebfbsg.Jvaqbjf.Pbegnan_pj5a1u2gklrjl!PbegnanHV', 'CapturedDataSize': 0, 'CapturedData': None, 'ValueNameDecoded': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI', 'ValueFullPath': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.Jvaqbjf.Pbegnan_pj5a1u2gklrjl!PbegnanHV', 'UserAssist': {'session': 6, 'run_count': 0, 'focus_count': 35, 'focus_time': 1027558284, 'last_execution': '1601-01-01 00:00:00'}}
{'ProcessId': 8116, 'ThreadId': 12156, 'TimeStamp': '2019-02-10 04:13:17.570752', 'EventDescriptor': {'Opcode': 36, 'Keyword': 9223372036854776064, 'KeywordStr': 'SetValueKey'}, 'KeyObject': 18446652304217692176, 'Status': 0, 'Type': 3, 'DataSize': 72, 'KeyName': '', 'ValueName': 'Zvpebfbsg.Jvaqbjf.Pbegnan_pj5a1u2gklrjl!PbegnanHV', 'CapturedDataSize': 0, 'CapturedData': None, 'PreviousDataType': 0, 'PreviousDataSize': 0, 'PreviousDataCapturedSize': 0, 'PreviousData': None, 'ValueNameDecoded': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI', 'ValueFullPath': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.Jvaqbjf.Pbegnan_pj5a1u2gklrjl!PbegnanHV', 'UserAssist': {'session': 6, 'run_count': 0, 'focus_count': 35, 'focus_time': 1027558284, 'last_execution': '1601-01-01 00:00:00'}}
{'ProcessId': 8116, 'ThreadId': 12156, 'TimeStamp': '2019-02-10 04:13:17.570788', 'EventDescriptor': {'Opcode': 36, 'Keyword': 9223372036854776064, 'KeywordStr': 'SetValueKey'}, 'KeyObject': 18446652304217692176, 'Status': 0, 'Type': 3, 'DataSize': 1612, 'KeyName': '', 'ValueName': 'HRZR_PGYFRFFVBA', 'CapturedDataSize': 0, 'CapturedData': None, 'PreviousDataType': 0, 'PreviousDataSize': 0, 'PreviousDataCapturedSize': 0, 'PreviousData': None, 'ValueNameDecoded': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\UEME_CTLSESSION', 'ValueFullPath': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA', 'UserAssist': {'session': 6, 'run_count': 353, 'focus_count': 2334, 'focus_time': 7471203, 'last_execution': '1708-01-15 02:09:16.103692'}}
{'ProcessId': 8116, 'ThreadId': 12156, 'TimeStamp': '2019-02-10 04:13:17.812922', 'EventDescriptor': {'Opcode': 38, 'Keyword': 9223372036854776832, 'KeywordStr': 'QueryValueKey'}, 'KeyObject': 18446652304215097792, 'Status': 0, 'InfoClass': 2, 'DataSize': 84, 'KeyName': '', 'ValueName': '{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\\Flfgrz Gbbyf\\Pbzznaq Cebzcg.yax', 'CapturedDataSize': 0, 'CapturedData': None, 'ValueNameDecoded': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\System Tools\\Command Prompt.lnk', 'ValueFullPath': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\\Flfgrz Gbbyf\\Pbzznaq Cebzcg.yax', 'UserAssist': {'session': 6, 'run_count': 16, 'focus_count': 0, 'focus_time': 3212836864, 'last_execution': '2019-02-10 04:13:17.812000'}}
{'ProcessId': 8116, 'ThreadId': 12156, 'TimeStamp': '2019-02-10 04:13:17.813002', 'EventDescriptor': {'Opcode': 36, 'Keyword': 9223372036854776064, 'KeywordStr': 'SetValueKey'}, 'KeyObject': 18446652304215097792, 'Status': 0, 'Type': 3, 'DataSize': 72, 'KeyName': '', 'ValueName': '{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\\Flfgrz Gbbyf\\Pbzznaq Cebzcg.yax', 'CapturedDataSize': 0, 'CapturedData': None, 'PreviousDataType': 0, 'PreviousDataSize': 0, 'PreviousDataCapturedSize': 0, 'PreviousData': None, 'ValueNameDecoded': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\System Tools\\Command Prompt.lnk', 'ValueFullPath': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\\Flfgrz Gbbyf\\Pbzznaq Cebzcg.yax', 'UserAssist': {'session': 6, 'run_count': 16, 'focus_count': 0, 'focus_time': 3212836864, 'last_execution': '2019-02-10 04:13:17.812000'}}
{'ProcessId': 8116, 'ThreadId': 12156, 'TimeStamp': '2019-02-10 04:13:17.813026', 'EventDescriptor': {'Opcode': 36, 'Keyword': 9223372036854776064, 'KeywordStr': 'SetValueKey'}, 'KeyObject': 18446652304215097792, 'Status': 0, 'Type': 3, 'DataSize': 1612, 'KeyName': '', 'ValueName': 'HRZR_PGYFRFFVBA', 'CapturedDataSize': 0, 'CapturedData': None, 'PreviousDataType': 0, 'PreviousDataSize': 0, 'PreviousDataCapturedSize': 0, 'PreviousData': None, 'ValueNameDecoded': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\UEME_CTLSESSION', 'ValueFullPath': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\HRZR_PGYFRFFVBA', 'UserAssist': {'session': 6, 'run_count': 248, 'focus_count': 0, 'focus_time': 3342405, 'last_execution': '1641-02-20 09:48:19.852295'}}
{'ProcessId': 8116, 'ThreadId': 12156, 'TimeStamp': '2019-02-10 04:13:17.813032', 'EventDescriptor': {'Opcode': 38, 'Keyword': 9223372036854776832, 'KeywordStr': 'QueryValueKey'}, 'KeyObject': 18446652304215097792, 'Status': 0, 'InfoClass': 2, 'DataSize': 84, 'KeyName': '', 'ValueName': '{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\\Flfgrz Gbbyf\\Pbzznaq Cebzcg.yax', 'CapturedDataSize': 0, 'CapturedData': None, 'ValueNameDecoded': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\System Tools\\Command Prompt.lnk', 'ValueFullPath': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\\Flfgrz Gbbyf\\Pbzznaq Cebzcg.yax', 'UserAssist': {'session': 6, 'run_count': 16, 'focus_count': 0, 'focus_time': 3212836864, 'last_execution': '2019-02-10 04:13:17.812000'}}
{'ProcessId': 8116, 'ThreadId': 12156, 'TimeStamp': '2019-02-10 04:13:17.813048', 'EventDescriptor': {'Opcode': 36, 'Keyword': 9223372036854776064, 'KeywordStr': 'SetValueKey'}, 'KeyObject': 18446652304215097792, 'Status': 0, 'Type': 3, 'DataSize': 72, 'KeyName': '', 'ValueName': '{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\\Flfgrz Gbbyf\\Pbzznaq Cebzcg.yax', 'CapturedDataSize': 0, 'CapturedData': None, 'PreviousDataType': 0, 'PreviousDataSize': 0, 'PreviousDataCapturedSize': 0, 'PreviousData': None, 'ValueNameDecoded': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\System Tools\\Command Prompt.lnk', 'ValueFullPath': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\\Flfgrz Gbbyf\\Pbzznaq Cebzcg.yax', 'UserAssist': {'session': 6, 'run_count': 16, 'focus_count': 0, 'focus_time': 3212836864, 'last_execution': '2019-02-10 04:13:17.812000'}}
{'ProcessId': 8116, 'ThreadId': 12156, 'TimeStamp': '2019-02-10 04:13:17.813060', 'EventDescriptor': {'Opcode': 36, 'Keyword': 9223372036854776064, 'KeywordStr': 'SetValueKey'}, 'KeyObject': 18446652304215097792, 'Status': 0, 'Type': 3, 'DataSize': 1612, 'KeyName': '', 'ValueName': 'HRZR_PGYFRFFVBA', 'CapturedDataSize': 0, 'CapturedData': None, 'PreviousDataType': 0, 'PreviousDataSize': 0, 'PreviousDataCapturedSize': 0, 'PreviousData': None, 'ValueNameDecoded': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\UEME_CTLSESSION', 'ValueFullPath': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\HRZR_PGYFRFFVBA', 'UserAssist': {'session': 6, 'run_count': 248, 'focus_count': 0, 'focus_time': 3342405, 'last_execution': '1641-02-20 09:48:19.852295'}}
{'ProcessId': 8116, 'ThreadId': 12156, 'TimeStamp': '2019-02-10 04:13:17.813082', 'EventDescriptor': {'Opcode': 38, 'Keyword': 9223372036854776832, 'KeywordStr': 'QueryValueKey'}, 'KeyObject': 18446652304217692176, 'Status': 0, 'InfoClass': 2, 'DataSize': 84, 'KeyName': '', 'ValueName': '{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr', 'CapturedDataSize': 0, 'CapturedData': None, 'ValueNameDecoded': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe', 'ValueFullPath': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr', 'UserAssist': {'session': 6, 'run_count': 16, 'focus_count': 156, 'focus_time': 1048515261, 'last_execution': '2019-02-10 04:13:17.812000'}}
{'ProcessId': 8116, 'ThreadId': 12156, 'TimeStamp': '2019-02-10 04:13:17.813110', 'EventDescriptor': {'Opcode': 36, 'Keyword': 9223372036854776064, 'KeywordStr': 'SetValueKey'}, 'KeyObject': 18446652304217692176, 'Status': 0, 'Type': 3, 'DataSize': 72, 'KeyName': '', 'ValueName': '{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr', 'CapturedDataSize': 0, 'CapturedData': None, 'PreviousDataType': 0, 'PreviousDataSize': 0, 'PreviousDataCapturedSize': 0, 'PreviousData': None, 'ValueNameDecoded': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe', 'ValueFullPath': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr', 'UserAssist': {'session': 6, 'run_count': 16, 'focus_count': 156, 'focus_time': 1048515261, 'last_execution': '2019-02-10 04:13:17.812000'}}
{'ProcessId': 8116, 'ThreadId': 12156, 'TimeStamp': '2019-02-10 04:13:17.813124', 'EventDescriptor': {'Opcode': 36, 'Keyword': 9223372036854776064, 'KeywordStr': 'SetValueKey'}, 'KeyObject': 18446652304217692176, 'Status': 0, 'Type': 3, 'DataSize': 1612, 'KeyName': '', 'ValueName': 'HRZR_PGYFRFFVBA', 'CapturedDataSize': 0, 'CapturedData': None, 'PreviousDataType': 0, 'PreviousDataSize': 0, 'PreviousDataCapturedSize': 0, 'PreviousData': None, 'ValueNameDecoded': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\UEME_CTLSESSION', 'ValueFullPath': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA', 'UserAssist': {'session': 6, 'run_count': 353, 'focus_count': 2334, 'focus_time': 7471203, 'last_execution': '1708-01-15 02:09:16.103692'}}
{'ProcessId': 8116, 'ThreadId': 100, 'TimeStamp': '2019-02-10 04:13:17.813684', 'EventDescriptor': {'Opcode': 38, 'Keyword': 9223372036854776832, 'KeywordStr': 'QueryValueKey'}, 'KeyObject': 18446652304217692176, 'Status': 0, 'InfoClass': 2, 'DataSize': 84, 'KeyName': '', 'ValueName': '{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr', 'CapturedDataSize': 0, 'CapturedData': None, 'ValueNameDecoded': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe', 'ValueFullPath': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr', 'UserAssist': {'session': 6, 'run_count': 16, 'focus_count': 156, 'focus_time': 1048515261, 'last_execution': '2019-02-10 04:13:17.812000'}}
{'ProcessId': 8116, 'ThreadId': 100, 'TimeStamp': '2019-02-10 04:13:17.813690', 'EventDescriptor': {'Opcode': 38, 'Keyword': 9223372036854776832, 'KeywordStr': 'QueryValueKey'}, 'KeyObject': 18446652304217692176, 'Status': 0, 'InfoClass': 2, 'DataSize': 84, 'KeyName': '', 'ValueName': '{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr', 'CapturedDataSize': 0, 'CapturedData': None, 'ValueNameDecoded': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe', 'ValueFullPath': '\\REGISTRY\\USER\\S-1-5-21-2350377626-499376046-3523757530-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr', 'UserAssist': {'session': 6, 'run_count': 16, 'focus_count': 156, 'focus_time': 1048515261, 'last_execution': '2019-02-10 04:13:17.812000'}}
C:\Python36\python.exe userassist_monitor.py --format "{record['TimeStamp']} [{record['EventDescriptor']['KeywordStr']}]: App: {os.path.basename(record['ValueNameDecoded'])} Last Execution: {record['UserAssist']['last_execution']} Run Count: {record['UserAssist']['run_count']} Focus Count: {record['UserAssist']['focus_count']}"
2019-02-10 04:10:20.160322 [QueryValueKey]: App: pycharm64.exe Last Execution: 2019-02-10 00:21:45.266000 Run Count: 28 Focus Count: 755
2019-02-10 04:10:20.160456 [SetValueKey]: App: pycharm64.exe Last Execution: 2019-02-10 00:21:45.266000 Run Count: 28 Focus Count: 755
2019-02-10 04:10:20.160520 [SetValueKey]: App: UEME_CTLSESSION Last Execution: 1708-01-15 02:09:16.103692 Run Count: 350 Focus Count: 2330
2019-02-10 04:10:22.787306 [QueryValueKey]: App: Microsoft.WindowsCalculator_8wekyb3d8bbwe!App Last Execution: 2019-02-10 04:10:22.787000 Run Count: 14 Focus Count: 11
2019-02-10 04:10:22.787386 [SetValueKey]: App: Microsoft.WindowsCalculator_8wekyb3d8bbwe!App Last Execution: 2019-02-10 04:10:22.787000 Run Count: 14 Focus Count: 11
2019-02-10 04:10:22.787410 [SetValueKey]: App: UEME_CTLSESSION Last Execution: 1708-01-15 02:09:16.103692 Run Count: 351 Focus Count: 2330
2019-02-10 04:10:22.787868 [QueryValueKey]: App: Microsoft.WindowsCalculator_8wekyb3d8bbwe!App Last Execution: 2019-02-10 04:10:22.787000 Run Count: 14 Focus Count: 11
2019-02-10 04:10:22.787872 [QueryValueKey]: App: Microsoft.WindowsCalculator_8wekyb3d8bbwe!App Last Execution: 2019-02-10 04:10:22.787000 Run Count: 14 Focus Count: 11
2019-02-10 04:10:22.792662 [QueryValueKey]: App: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI Last Execution: 1601-01-01 00:00:00 Run Count: 0 Focus Count: 34
2019-02-10 04:10:22.792700 [SetValueKey]: App: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI Last Execution: 1601-01-01 00:00:00 Run Count: 0 Focus Count: 34
2019-02-10 04:10:22.792720 [SetValueKey]: App: UEME_CTLSESSION Last Execution: 1708-01-15 02:09:16.103692 Run Count: 351 Focus Count: 2330
2019-02-10 04:10:25.495542 [QueryValueKey]: App: Microsoft.WindowsCalculator_8wekyb3d8bbwe!App Last Execution: 2019-02-10 04:10:22.787000 Run Count: 14 Focus Count: 11
2019-02-10 04:10:25.495604 [SetValueKey]: App: Microsoft.WindowsCalculator_8wekyb3d8bbwe!App Last Execution: 2019-02-10 04:10:22.787000 Run Count: 14 Focus Count: 11
2019-02-10 04:10:25.495630 [SetValueKey]: App: UEME_CTLSESSION Last Execution: 1708-01-15 02:09:16.103692 Run Count: 352 Focus Count: 2330
2019-02-10 04:10:26.326290 [QueryValueKey]: App: pycharm64.exe Last Execution: 2019-02-10 00:21:45.266000 Run Count: 28 Focus Count: 755
2019-02-10 04:10:26.326428 [SetValueKey]: App: pycharm64.exe Last Execution: 2019-02-10 00:21:45.266000 Run Count: 28 Focus Count: 755
2019-02-10 04:10:26.326468 [SetValueKey]: App: UEME_CTLSESSION Last Execution: 1708-01-15 02:09:16.103692 Run Count: 352 Focus Count: 2330
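The 'UserAssist' fields in the records above come from two decoding steps: the value name is ROT13 (only the part after ...\Count\ is encoded, the hive path is not), and the 72-byte Count value carries the counters and a FILETIME. The following is an added example, not code from userassist_monitor.py, showing both steps; the 72-byte layout it assumes is the commonly documented Windows 7+ one (session, run count, focus count, focus time in ms, ten floats, 4 unknown bytes, FILETIME, 4 unknown bytes). It also handles the two edge cases visible in the output: a FILETIME of 0 (the 1601-01-01 entries, meaning the app was never launched through Explorer) and the 1612-byte UEME_CTLSESSION value, which is not a Count record and yields the bogus 1708/1641 dates when decoded as one.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Size of a Windows 7+ UserAssist Count record (matches DataSize 72 in the page output).
UA_RECORD_SIZE = 72
# FILETIME counts 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_value_name(name):
    """UserAssist value names (GUID prefix, path and .lnk name) are ROT13-encoded."""
    return codecs.decode(name, "rot_13")


def decode_value_path(full_path):
    """Decode a full registry path: only the name after '\\Count\\' is ROT13."""
    head, sep, tail = full_path.partition("\\Count\\")
    if not sep:
        return decode_value_name(full_path)
    return head + sep + decode_value_name(tail)


def filetime_to_str(ft):
    """Render a FILETIME like the monitor does; 0 means 'never executed'."""
    if ft == 0:
        return None
    dt = FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    return dt.strftime("%Y-%m-%d %H:%M:%S.%f")


def parse_userassist_value(data):
    """Parse one Count record into the fields the monitor prints.

    Returns None for values that are not 72-byte Count records (for example
    UEME_CTLSESSION, 1612 bytes on the page), instead of decoding garbage.
    """
    if len(data) != UA_RECORD_SIZE:
        return None
    session, run_count, focus_count, focus_time = struct.unpack_from("<4I", data, 0)
    (last_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "session": session,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": focus_time,
        "last_execution": filetime_to_str(last_ft),
    }


def build_userassist_value(session, run_count, focus_count, focus_time, last_execution=None):
    """Constructed test helper: build a 72-byte record (inverse of the parser).

    last_execution is an ISO string such as '2019-02-10 04:13:17.812000' or None.
    """
    ft = 0
    if last_execution:
        dt = datetime.fromisoformat(last_execution).replace(tzinfo=timezone.utc)
        ft = ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return (struct.pack("<4I", session, run_count, focus_count, focus_time)
            + b"\x00" * 44 + struct.pack("<Q", ft) + b"\x00" * 4)


if __name__ == "__main__":
    # Constructed sample using the cmd.exe value name from the page output.
    name = "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr"
    blob = build_userassist_value(6, 16, 156, 1048515261, "2019-02-10 04:13:17.812000")
    print(decode_value_name(name), parse_userassist_value(blob))
```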