Wednesday, May 7, 2008

Understanding the Most Frequently Used (MFU) registry key

Have you ever wondered what the gibberish in the MFU key is? These are the entries Explorer records when you launch an item from the Start menu, and they are what the dynamically built most-frequently-used list in the Start menu is populated from.

Analysing the key shows some not-so-obvious entries. They are in fact file path / file name pairs for the programs launched from the Start menu.

For some reason Microsoft felt the need to encode the entries, presumably to keep them from prying eyes. The question I am unable to answer is why.

Anyway, the "encryption" MS chose is a rather simple letter substitution called ROT-13. Number the alphabet 1-26 with A = 1, take each letter and add 13 to it; for letters in the second half of the alphabet the result passes 26, so wrap around and start again at 1 (N becomes A). Digits, punctuation and path separators are left untouched, which is why the GUIDs and hex data below are readable as-is, and because 13 is exactly half the alphabet, applying ROT-13 a second time decodes the text.

When scripting this I used an alternative method that was easier to code; see the reference at the bottom of this post for the ROT-13 decrypt script.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\count

HRZR_PGYFRFFVBA REG_BINARY C124430E01000000
HRZR_PGYPHNPbhag:pgbe REG_BINARY 01000000020000000000000000000000
HRZR_EHAPCY REG_BINARY 0100000006000000A04C12589864C801
HRZR_EHAPCY:qrfx.pcy REG_BINARY 0100000006000000A04C12589864C801
HRZR_EHACNGU REG_BINARY 010000001300000020E6A157DE66C801
HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\zzp.rkr REG_BINARY 0100000006000000405D7EF5CC66C801
HRZR_EHACNGU:Q:\frghc.rkr REG_BINARY 010000000600000080794A9ACD66C801
HRZR_EHACVQY REG_BINARY 010000000D00000080DE7657DE66C801
HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\zfugn.rkr REG_BINARY 01000000060000001076BCA0D266C801
HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\gbhefgneg.rkr REG_BINARY 01000000000000000000000000000000
HRZR_EHACNGU:P:\Cebtenz Svyrf\Jvaqbjf Zrqvn Cynlre\jzcynlre.rkr REG_BINARY 01000000000000000000000000000000
HRZR_EHACNGU:P:\JVAQBJF\rkcybere.rkr REG_BINARY 0100000006000000C0E3DCDDD466C801
HRZR_EHACNGU:P:\Cebtenz Svyrf\Vagrearg Rkcybere\vrkcyber.rkr REG_BINARY 010000000A00000000B43246DE66C801
HRZR_EHACVQY:::{2559N1S4-21Q7-11Q4-OQNS-00P04S60O9S0} REG_BINARY 010000000800000080EF4239DE66C801
HRZR_EHACVQY:%pfvqy2%\Vagrearg Rkcybere.yax REG_BINARY 010000000600000030A11F46DE66C801
HRZR_EHACVQY:%pfvqy2%\Nqbor Ernqre 8.yax REG_BINARY 010000000600000080DE7657DE66C801
HRZR_EHACNGU:P:\Cebtenz Svyrf\Nqbor\Ernqre 8.0\Ernqre\NpebEq32.rkr REG_BINARY 010000000600000020E6A157DE66C801
HRZR_EHACNGU:{NP76ON86-7NQ7-1033-7O44-N81000000003} REG_BINARY 010000000600000020E6A157DE66C801


Decrypted

ueme_ctlsession
ueme_ctlcuacount:ctor
ueme_runcpl ert_ovanel
ueme_runcpl:desk.cpl
ueme_runpath
ueme_runpath:c:\windows\system32\mmc.exe
ueme_runpath:d:\setup.exe
ueme_runpidl
ueme_runpath:c:\windows\system32\mshta.exe
ueme_runpath:c:\windows\system32\tourstart.exe
ueme_runpath:c:\program files\windows media player\wmplayer.exe
ueme_runpath:c:\windows\explorer.exe
ueme_runpath:c:\program files\internet explorer\iexplore.exe

ueme_runpidl:::{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}
ueme_runpidl:%csidl2%\internet explorer.lnk
ueme_runpidl:%csidl2%\adobe reader 8.lnk
ueme_runpath:c:\program files\adobe\reader 8.0\reader\acrord32.exe

ueme_runpath:{ac76ba86-7ad7-1033-7b44-a81000000003}
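The decoding described above, carried one step further than the post does: the script below is an added example, not the post's own ROT-13 script and not Microsoft code. It ROT-13 decodes the value names and also unpacks the 16-byte REG_BINARY data, which on Windows XP is assumed here (following Didier Stevens' UserAssist research) to be a little-endian session id, a run counter that starts at 5, and the FILETIME of the last launch; the all-zero values in the listing above then read as "never run". The sample lines are constructed from the post's listing, and the parse/decode helper names are this example's own.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: value lines modelled on the post's listing
# (ROT-13 value name, registry type, hex data). The third has the
# all-zero data the post shows for items that were never launched;
# the fourth is the 8-byte session value, which has a different layout.
SAMPLE_LINES = [
    r"HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\zzp.rkr REG_BINARY 0100000006000000405D7EF5CC66C801",
    r"HRZR_EHACNGU:P:\Cebtenz Svyrf\Vagrearg Rkcybere\vrkcyber.rkr REG_BINARY 010000000A00000000B43246DE66C801",
    r"HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\gbhefgneg.rkr REG_BINARY 01000000000000000000000000000000",
    r"HRZR_PGYFRFFVBA REG_BINARY C124430E01000000",
]

# Assumed XP UserAssist data layout for the 16-byte values:
# DWORD session id, DWORD run counter, 64-bit FILETIME (last run), little-endian.
# The counter starts at 5 on XP, so actual launches = counter - 5.
COUNTER_BIAS = 5
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(text):
    """Decode a UserAssist value name. Digits, punctuation and backslashes are unchanged."""
    return codecs.decode(text, "rot_13")


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    if ft == 0:
        return None  # zero FILETIME: the item was never launched
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_userassist_line(line):
    """Parse one 'NAME REG_BINARY HEX' line into a decoded record (dict)."""
    # Value names contain spaces, so split on the type token rather than on whitespace.
    name, sep, hexdata = line.partition(" REG_BINARY ")
    if not sep:
        raise ValueError("not a REG_BINARY line: %r" % line)
    data = bytes.fromhex(hexdata.strip())
    record = {"name": rot13(name), "raw": data}
    if len(data) == 16:
        session, counter, ft = struct.unpack("<IIQ", data)
        record.update(
            session=session,
            counter=counter,
            runs=max(counter - COUNTER_BIAS, 0),
            last_run=filetime_to_datetime(ft),
        )
    return record


def decode_listing(lines):
    """Decode every line of a UserAssist\\count export in the post's text format."""
    return [parse_userassist_line(line) for line in lines]


if __name__ == "__main__":
    for rec in decode_listing(SAMPLE_LINES):
        when = rec.get("last_run")
        print(rec["name"], rec.get("runs", "-"),
              when.isoformat() if when else "never / not a run record")
```

Run over the listing above this gives, for example, C:\WINDOWS\system32\mmc.exe with counter 6 (one launch) last run in February 2008, and iexplore.exe with counter 10 (five launches), which is the kind of timeline an examiner wants from this key rather than the bare decoded names.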

Decrypt / Encrypt string using ROT-13 Encryption
http://cmb-it.blogspot.com/2008/05/decrypt-encrypt-string-in-rot-13.html

1 comment:

Adam said...

Your powers are strong