NTUSER.DAT

Windows, User Activity, Disk Image

Location

C:\Users\<username>\NTUSER.DAT

Common Names

NTUSER.DAT

Description

Per-user registry hive, mounted as HKEY_CURRENT_USER (HKU\<SID>) while the user is logged on. It holds user-specific settings including recently opened files (RecentDocs MRU lists), Internet Explorer TypedURLs and Explorer TypedPaths, per-user Run/RunOnce persistence keys, ROT13-encoded UserAssist program-execution records, and ShellBags (folder view and browsing history). On Windows 7 and later the larger part of ShellBags lives in UsrClass.dat (C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat), which should be collected alongside this hive.

Forensic Value

UserAssist entries record GUI programs the user launched through the Explorer shell (Start menu, desktop, double-click). The value name is the ROT13-encoded path of the executable or shortcut; on Windows 7 and later the 72-byte value data holds the run count, focus count, focus time and the FILETIME of the last execution, giving evidence of interactive attacker tool usage with a timestamp. Programs started from a command prompt, a script or a service are not recorded here, so a missing entry is not evidence that a program never ran. Run/RunOnce keys reveal per-user persistence that does not require administrator rights. RecentDocs and TypedPaths reconstruct the files and directories the user opened or navigated to in Explorer.
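To make the UserAssist encoding concrete, the following is an added example (not tooling from this page or from any of the listed projects) that decodes the ROT13 value name and the Windows 7+ 72-byte value layout described above. It takes value names and raw bytes as any hive-parsing library would return them for the ...\UserAssist\{GUID}\Count key; reading the hive itself is out of scope, so the sample Count key is constructed inline and runs offline. The subkey GUIDs, the KNOWNFOLDERID prefixes and the field offsets are the documented Windows 7+ values; the sample paths, counts and timestamps are made up.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Subkeys under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
GUID_EXECUTABLES = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"  # executables launched via the shell
GUID_SHORTCUTS = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"    # .lnk shortcuts launched via the shell

# A few KNOWNFOLDERID values that appear as path prefixes in decoded value names.
KNOWN_FOLDERS = {
    "{6D809377-6AF0-444B-8957-A3773F02200E}": r"C:\Program Files",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": r"C:\Program Files (x86)",
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"C:\Windows\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": r"C:\Windows",
}

WIN7_ENTRY_LEN = 72  # value data length on Windows 7 and later (XP/2003 used 16 bytes)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 -> None."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, integer arithmetic only; used to build sample data."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_name(rot13_name):
    """Value names are ROT13-encoded; decode and expand a leading known-folder GUID."""
    name = codecs.decode(rot13_name, "rot_13")
    for guid, path in KNOWN_FOLDERS.items():
        if name.upper().startswith(guid):
            return path + name[len(guid):]
    return name


def parse_entry(value_name, data):
    """Parse one value under ...\\UserAssist\\{GUID}\\Count (Windows 7+ layout).

    Offsets in the 72-byte blob:
      0   uint32 session id
      4   uint32 run count
      8   uint32 focus count
      12  uint32 focus time in milliseconds
      16  ten float32 values (ignored here)
      56  uint32 unknown
      60  FILETIME of last execution (UTC)
      68  uint32 unknown
    """
    if len(data) != WIN7_ENTRY_LEN:
        raise ValueError(f"{value_name!r}: length {len(data)} is not a Windows 7+ entry")
    session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "name": decode_name(value_name),
        "session": session,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run_utc": filetime_to_datetime(last_run_ft),
    }


def parse_count_key(values):
    """Parse every value of a Count key ({rot13_name: bytes}), most recent first.
    Skips UEME_CTLSESSION, a bookkeeping value that is not a program entry."""
    entries = []
    for name, data in values.items():
        if codecs.decode(name, "rot_13").startswith("UEME_CTLSESSION"):
            continue
        entries.append(parse_entry(name, data))
    entries.sort(key=lambda e: e["last_run_utc"] or EPOCH_1601, reverse=True)
    return entries


def _encode_entry(session, run_count, focus_count, focus_ms, last_run):
    """Build a 72-byte Windows 7+ value; constructed sample data only."""
    ft = datetime_to_filetime(last_run) if last_run else 0
    return (struct.pack("<IIII", session, run_count, focus_count, focus_ms)
            + struct.pack("<10f", *([0.0] * 10))
            + struct.pack("<IQI", 0, ft, 0))


# Constructed sample of the GUID_EXECUTABLES Count key as a hive library would hand it back.
SAMPLE_COUNT_KEY = {
    codecs.encode("UEME_CTLSESSION", "rot_13"): b"\x00" * 8,
    codecs.encode(r"C:\Users\alice\Downloads\tool.exe", "rot_13"):
        _encode_entry(0, 3, 5, 12000, datetime(2024, 3, 15, 10, 30, tzinfo=timezone.utc)),
    codecs.encode(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe", "rot_13"):
        _encode_entry(0, 1, 1, 200, datetime(2024, 3, 14, 9, 0, tzinfo=timezone.utc)),
    codecs.encode(r"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\App\app.exe", "rot_13"):
        _encode_entry(0, 0, 0, 0, None),
}


def parse_sample():
    return parse_count_key(SAMPLE_COUNT_KEY)


if __name__ == "__main__":
    for e in parse_sample():
        when = e["last_run_utc"].isoformat() if e["last_run_utc"] else "never"
        print(f"{when:<25} run={e['run_count']:<3} {e['name']}")
```

A zero FILETIME with a zero run count is common for entries Windows pre-populates or records without a launch, which is why the parser keeps them but sorts them last rather than discarding them; compare against what RegRipper's userassist plugin or RECmd reports before relying on either.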

Tools Required

KAPE
RegRipper
Registry Explorer (Eric Zimmerman)
RECmd (Eric Zimmerman)
ShellBags Explorer

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target RegistryHives

reg.exe

reg save HKU\<SID> C:\output\NTUSER.DAT

RegRipper

rip.exe -r C:\output\NTUSER.DAT -p userassist

RECmd

RECmd.exe -f C:\output\NTUSER.DAT --bn BatchExamples\RECmd_Batch_MC.reb --csv C:\output --csvf NTUSER_RECmd.csv

Collection Constraints

  • The hive is locked while its user is logged on, so a plain file copy fails. Collect it from a volume shadow copy or with a raw-disk reader (KAPE does this), or export the loaded hive with reg save as above, which requires administrator rights and a loaded hive.
  • Collect NTUSER.DAT.LOG1 and NTUSER.DAT.LOG2 alongside the hive; recent changes can exist only in the transaction logs until the hive is flushed, and Registry Explorer/RECmd replay the logs when they are present.
  • UserAssist records only programs launched through the Explorer shell, and tracking can be disabled by policy (Start_TrackProgs = 0 under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced), so a missing entry is not evidence that a program never ran.
  • Availability, retention, and field coverage depend on the Windows release, SKU, local policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.

MITRE ATT&CK Techniques

T1547.001
T1112
T1552.001