Add UserAssist table

[puffyCid]

This PR adds a UsserAssist table for Windows systems.
The UserAssist Registry key tracks of what applications were executed on the system.
https://www.magnetforensics.com/blog/artifact-profile-userassist/
https://www.hecfblog.com/2013/08/daily-blog-45-understanding-artifacts.html

Let me know if additional edits need to be made

osquery> select * from userassist;
+------------------------------------------------------------------------------------------------------------------+--------------------------+-------+--------------------------------------------+
| path                                                                                                             | last_execution_time      | count | sid                                        |
+------------------------------------------------------------------------------------------------------------------+--------------------------+-------+--------------------------------------------+
| UEME_CTLCUACount:ctor                                                                                            |                          |       | S-1-5-21-7825111-416168317-3060585499-1001 |
| Microsoft.Getstarted_8wekyb3d8bbwe!App                                                                           | Thu Feb 21 01:46:04 2019 | 14    | S-1-5-21-7825111-416168317-3060585499-1001 |
| UEME_CTLSESSION                                                                                                  |                          |       | S-1-5-21-7825111-416168317-3060585499-1001 |
| Microsoft.Office.Sway_8wekyb3d8bbwe!Microsoft.Sway                                                               | Thu Feb 21 01:46:04 2019 | 13    | S-1-5-21-7825111-416168317-3060585499-1001 |
| Microsoft.WindowsMaps_8wekyb3d8bbwe!App                                                                          | Thu Feb 21 01:46:04 2019 | 12    | S-1-5-21-7825111-416168317-3060585499-1001 |
| Microsoft.People_8wekyb3d8bbwe!x4c7a3b7dy2188y46d4ya362y19ac5a5805e5x                                            | Thu Feb 21 01:46:04 2019 | 11    | S-1-5-21-7825111-416168317-3060585499-1001 |
| Microsoft.WindowsCalculator_8wekyb3d8bbwe!App                                                                    | Thu Feb 21 01:46:04 2019 | 10    | S-1-5-21-7825111-416168317-3060585499-1001 |
| Microsoft.WindowsAlarms_8wekyb3d8bbwe!App                                                                        | Thu Feb 21 01:46:04 2019 | 9     | S-1-5-21-7825111-416168317-3060585499-1001 |
| {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\SnippingTool.exe                                                          | Thu Feb 21 01:46:04 2019 | 8     | S-1-5-21-7825111-416168317-3060585499-1001 |
| {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe                                                               | Thu Feb 21 01:46:04 2019 | 7     | S-1-5-21-7825111-416168317-3060585499-1001 |
| {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe                                                               | Mon Mar 25 04:25:31 2019 | 8     | S-1-5-21-7825111-416168317-3060585499-1001 |
| Microsoft.Windows.StickyNotes                                                                                    | Thu Feb 21 01:46:04 2019 | 5     | S-1-5-21-7825111-416168317-3060585499-1001 |
| Microsoft.Windows.Explorer                                                                                       | Tue Mar 26 03:07:30 2019 | 12    | S-1-5-21-7825111-416168317-3060585499-1001 |
| {F38BF404-1D43-42F2-9305-67DE0B28FC23}\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe      | Wed Apr 22 19:24:48 2009 | 0     | S-1-5-21-7825111-416168317-3060585499-1001 |
| {F38BF404-1D43-42F2-9305-67DE0B28FC23}\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe           | Wed Apr 22 19:24:48 2009 | 0     | S-1-5-21-7825111-416168317-3060585499-1001 |
| Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge                                                              | Thu Feb 21 01:49:25 2019 | 1     | S-1-5-21-7825111-416168317-3060585499-1001 |
| C:\Users\bob\Desktop\W10Privacy.exe                                                                              | Mon Mar 25 04:19:51 2019 | 4     | S-1-5-21-7825111-416168317-3060585499-1001 |
+------------------------------------------------------------------------------------------------------------------+--------------------------+-------+--------------------------------------------+

[puffyCid]

Is there anything I need to add or change for this to get reviewed/merged?
Any feedback/comments would be great!

[directionless]

I can't speak to the implementation, but I think this should have tests. Possible a sample file for them.

[linux-foundation-easycla]

The committers are authorized under a signed CLA.

• ✅ puffyCid (a70abc1, db0d8b6, 21a8ce1, 8c34b09, 72a04af, 77fd976, 7529da2, 435a826, 5b252c2, 0f3f190, 473a485, 02a96a2, ce51a08, 6bfbb2b, cca55d9, 2bafe9b, 90ea72a, f2b629f, e94cccb, 6748c33, 84e1af9, 7ffa576, 2cb0aad, 9449ec6, 454651c, 4a3a199, a4e1d63, affa947, c1a05cb, 151235d, 94279ca, 1c0535d, cc4821b, bb2dfdf)

[theopolis]

Also, let's rebase against master and change the target branch.

[puffyCid]

Also, let's rebase against master and change the target branch.

Rebased and target branch changed

[Smjert]

Could it be possible to add a more comprehensive test about the table functionality?
Like testing against known values or edge cases?

Unfortunately the "integration" test that's already present it really only serve the purpose of exposing major issues with the table spec and/or "communication" between the different modules, but it doesn't tell if the table is really working as expected and showing correct values.

[muffins]

Thanks for writing this table, this is gunna be super nifty to have! I had a couple of notes, but overall it's looking good. Just a few small changes and I think we'll be good to land.

[muffins]

We've already got a helper function for converting a FILETIME to a unix timestamp here, mind using that? You'll also need to import <osquery/filesystem/fileops.h>

[puffyCid]

switched to helper function

[muffins]

nit: you declare std::string and std::size_t and others quite a bit, could these be auto?

[puffyCid]

switched to auto

[muffins]

It seems to me like you could bring the function call on line 168 to get the count value inside of your else condition. If the time_str == "", then we should avoid making the call to execution_num.

[puffyCid]

moved function

[puffyCid]

Thanks for writing this table, this is gunna be super nifty to have! I had a couple of notes, but overall it's looking good. Just a few small changes and I think we'll be good to land.

thanks for the review, changes should be applied
let me know if there are any issues

[puffyCid]

@muffins I believe all issues should be resolved. Once this gets accepted I can quickly fix and address #5831
If there are any other issues, just let me know I can try to fix them

[muffins]

This lgtm, I think we're good to merge. I'll leave this for a bit so others have a chance to look it over, but I think we're alright. Thanks for your work on this!

[woodruffw]

N.B.: UserAssist aren't guaranteed to be ROT-13 encoded. If NoEncrypt is a DWORD of value 1 under the UserAssist registry key, the values are saved in plain text.

I'm not sure how common that is, though, so it might just be worth adding as a NOTE or TODO for the future in case someone runs into it.

[puffyCid]

Thats true if NoEncrypt is added to the Userassist key ROT13 would be turned off (though i tried adding that DWORD to my Windows 10 VM and it was still ROT13 encoding the values, but i may have doing something wrong). I think even if ROT13 is turned off, the existing values would still be encoded. So it would be easy to check to see if the NoEncrypt is set to 1. But I think it would be difficult to determine which data is ROT13 encoded and which is not?

Regardless ive never seen that added to any of the Windows systems ive looked at.

I can add NOTE/comment though mentioning the NoEncrypt setting