The little-known Windows "activity record" and how to look it up

pplqingshi 2012-06-05
The Count keys are a couple of lesser known and rather mysterious registry keys that are used to log some of your online and offline activity. This leads one to believe that these are "spyware" keys but it's important to realize that these keys are also used by legitimate sources - both online and offline. Installing hardware, software, making system changes and even just rebooting your computer usually adds entries to the Count keys. And even online, many sites you consider trustworthy may add info to these keys when you visit them. Over time, this key can become quite inflated and not even deleting all your History, Cookies and Temp files will clear the Count entries. So even if you do not care about the logging, you may want to clear these keys occasionally as part of your disk cleanup.

You do have choices here - the logging can be stopped, or you can easily delete these keys whenever you wish. No utilities are needed to perform these functions.

Just how many entries your Count keys contain depends on how many unique sites you explore, how often you make changes to your system, and how much software you install and configure. Having said that, I do not know if there is a limit to how much this key can hold, but in my testing I imported over 3000 values into it and they all held. The norm is usually in the hundreds, though I've heard of some users whose Count keys had over 5,000 entries in them. So it all depends.

There really isn't much reliable information on the net about these keys.

So where are these keys?

First, you may have two Count keys which are subkeys of the UserAssist key. These keys are in the same location in the Registry in all versions of Windows:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

To get to them, click your Start button, then Run. Type regedit, click OK, and make your way to the keys above.

When you look at the values in the right hand pane, you will see that the names don't seem to make any sense:
i.e.; HRZR_EHACVQY:%pfvqy6%\Yvaxf\Tbbtyr-Tebhcf.hey

That's because the names are encrypted. I really can't tell you why Microsoft chose to encrypt them, but I can tell you that the encryption used is a simple text rotation known as ROT-13 that is child's play to decode. The way it works is by substituting letters - each letter is replaced by the letter 13 positions ahead (and thus the name - ROTation-13). For example, the letter a becomes the letter n (bcdefghijklmn = 13 letters), b becomes o, c becomes p, etc. Because 13 is half the alphabet, applying the same shift again restores the original: if the letter is m it becomes z, and if the letter is z it becomes m. Numbers and other characters are left as is. You sometimes see this encryption in newsgroup postings as a method to hide offensive comments, and many news readers allow decrypting such messages. In Outlook Express, for example, you just open the message and click Message>Unscramble.

So if we take the above example (which is actually a true entry from a test on my own PC),
HRZR_EHACVQY:%pfvqy6%\Yvaxf\Tbbtyr-Tebhcf.hey  translates to UEME_RUNPIDL:%csidl6%\Links\Google-Groups.url

Still doesn't make the information totally clear but it does make it readable and provides obvious clues as to who put the value in your registry. As you can see in this example, it was Google who placed the value there.  And yes it was placed in the Count key when I went to the Google Groups page.

Once you have decrypted a number of entries, you will notice that most entries fall under one of the categories below:  (but exactly what each category holds is not really clear to me)

UEME_CTLSESSION: (the first value entered always seems to begin with this)
UEME_RUNPIDL: (the info after it seems to reference hard drive files and web pages)
UEME_RUNCPL: (entries are usually added here after clicking on Control Panel icons; the giveaway is CPL - Control Panel appLet)
UEME_RUNPATH: (this category is a giveaway too - RUN PATH - i.e. run a file such as an exe, com or bat file)
UEME_UITOOLBAR (perhaps for tracking changes you make to toolbars)
UEME_RUNWMCMD (another run command type value)
UEME_UIHOTKEY (hot keys?)
UEME_CTLCUACount: (counting something?)
and these two similar ones, which I do not know the use of:
UEME_UISCUT
UEME_UIQCUT
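As an added example (not part of the original article or the author's downloadable converter), the following Python script implements the ROT-13 substitution described above and sorts decoded value names into the UEME_ categories listed. The sample names are constructed for illustration (the Google Groups entry is the page's own); the optional winreg reader assumes the Count key layout given earlier and only runs on Windows.

```python
"""Decode ROT-13-scrambled UserAssist value names and group them by UEME_ category."""
from collections import defaultdict


def rot13(text: str) -> str:
    """Shift every ASCII letter 13 places; digits, punctuation and path separators are untouched.
    Applying it twice restores the original, so the same function encodes and decodes."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def categorize(value_names):
    """Decode each scrambled value name and bucket it by its UEME_ prefix (text before the first colon)."""
    buckets = defaultdict(list)
    for name in value_names:
        clear = rot13(name)
        prefix, sep, rest = clear.partition(":")
        category = prefix if prefix.startswith("UEME_") else "OTHER"
        buckets[category].append(rest if sep else clear)
    return dict(buckets)


def read_live_count_key(guid: str):
    """Windows only: enumerate raw value names under one Count key (assumed path from the article)."""
    try:
        import winreg
    except ImportError:  # not on Windows, nothing to read
        return []
    path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\" + guid + "\\Count"
    names, i = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        while True:
            try:
                names.append(winreg.EnumValue(key, i)[0])
            except OSError:  # no more values
                return names
            i += 1


# Constructed sample: the article's Google Groups entry plus three made-up names
SAMPLE_NAMES = [
    "HRZR_PGYFRFFVBA",
    "HRZR_EHACVQY:%pfvqy6%\\Yvaxf\\Tbbtyr-Tebhcf.hey",
    "HRZR_EHACNGU:P:\\Jvaqbjf\\abgrcnq.rkr",
    "HRZR_EHAPCY:gvzrqngr.pcy",
]
```

On a live Windows machine, pass the names from read_live_count_key("{75048700-EF1F-11D0-9888-006097DEACF9}") to categorize to triage the current user's entries.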

NOTE:  I created a simple encoder-decoder to simplify ROT-13 conversions. You can download it here.  Then just double click it to open it and paste any ROT-13 code into one box and see the conversion in the other.

Or, if you prefer not to download the file, you can use the online version of the converter here.

Removing Entries

You can safely delete the entire UserAssist key as it will be recreated (whether you like it or not) when you reboot.

To delete the key:
Click Start>Run, type regedit and click OK to launch the registry editor.
Make your way to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Right click the UserAssist key and choose Delete.

Disabling Logging

You can also disable the logging by creating a new registry key and value. No special program is needed to stop this logging.

Here's how:
Right click the UserAssist key and choose New>Key.
Name the new key Settings.
Highlight the Settings key and, in the right hand pane, right click a blank area and choose New>DWORD Value.
Name it NoLog. Then double click it and enter a value of 1. Done. The effect will take place after you reboot your computer.
From then on, no new entries should be added to your Count keys, but some have reported that even after doing this, some entries slip through. In that case, you can use the next tip to delete them with a reg file.

Double Click to Delete

You can also create a simple reg file to delete the entire UserAssist key whenever you choose.
To do that, open up notepad and enter the following lines:

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist]

Save the file with a .reg extension and place it wherever you find convenient. Double click it anytime you wish to clear all your Count entries. You will get a confirmation message asking if you are sure you want to add the info to the registry; click Yes. (Don't miss the minus sign in front of HKEY - it is what tells regedit to delete the key rather than create it, and the key path must stay on a single line.)

NOTE: If you're a Wintips&Tricks member, you can download the file premade, if you prefer.  If you are not a member, you are more than welcome to join.
Just go to our Files section here:
http://groups.yahoo.com/group/WinTips-Tricks/files/
and look for CountDel.reg

Disable Encrypting

If you prefer to keep the logging enabled, you can disable the ROT-13 letter scrambling so that you can make more sense of the values and drop the need for any decoding utility. To do that, follow the steps under "Disabling Logging", but name the new DWORD value NoEncrypt instead of NoLog, and also give it a value of 1.
