{"id":311,"date":"2025-09-11T05:25:46","date_gmt":"2025-09-11T05:25:46","guid":{"rendered":"http:\/\/www.yudi001.cn\/wordpress\/?p=311"},"modified":"2025-09-11T05:26:41","modified_gmt":"2025-09-11T05:26:41","slug":"windows-userassist-keys","status":"publish","type":"post","link":"http:\/\/www.yudi001.cn\/wordpress\/?p=311","title":{"rendered":"Windows-userassist-keys"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Windows\u4e0b\u6ce8\u518c\u8868Userassist\u952e\u503c\u53d6\u8bc1\u5206\u6790<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Contents<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#Description\" target=\"_blank\" rel=\"noreferrer noopener\">1Description<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#Registry_keys\" target=\"_blank\" rel=\"noreferrer noopener\">2Registry keys<\/a>\n<ul class=\"wp-block-list\">\n<li><a href=\"http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#Keys\" target=\"_blank\" rel=\"noreferrer noopener\">2.1Keys<\/a>\n<ul class=\"wp-block-list\">\n<li><a href=\"http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#Location\" target=\"_blank\" rel=\"noreferrer noopener\">2.1.1Location<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#GUID_for_Windows_XP\" target=\"_blank\" rel=\"noreferrer noopener\">2.1.2GUID for Windows XP<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#GUID_for_Windows_7\" target=\"_blank\" rel=\"noreferrer noopener\">2.1.3GUID for Windows 7<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><a href=\"http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#Decoding_keys\" target=\"_blank\" rel=\"noreferrer noopener\">2.2Decoding keys<\/a>\n<ul class=\"wp-block-list\">\n<li><a href=\"http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#Decode_names\" target=\"_blank\" rel=\"noreferrer noopener\">2.2.1Decode names<\/a>\n<ul class=\"wp-block-list\">\n<li><a href=\"http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#ROT_13_encoding\" target=\"_blank\" rel=\"noreferrer noopener\">2.2.1.1ROT 13 encoding<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#Windows_XP\" target=\"_blank\" rel=\"noreferrer noopener\">2.2.1.2Windows XP<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#Windows_7\" target=\"_blank\" rel=\"noreferrer noopener\">2.2.1.3Windows 7<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><a href=\"http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#Decode_values\" target=\"_blank\" rel=\"noreferrer noopener\">2.2.2Decode values<\/a>\n<ul class=\"wp-block-list\">\n<li><a href=\"http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#Binary_data\" target=\"_blank\" rel=\"noreferrer noopener\">2.2.2.1Binary data<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#Windows_XP_2\" target=\"_blank\" rel=\"noreferrer noopener\">2.2.2.2Windows XP<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#Windows_7_2\" target=\"_blank\" rel=\"noreferrer noopener\">2.2.2.3Windows 7<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><a href=\"http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#Tools\" target=\"_blank\" rel=\"noreferrer noopener\">3Tools<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#Appendicies\" target=\"_blank\" rel=\"noreferrer noopener\">4Appendicies<\/a>\n<ul class=\"wp-block-list\">\n<li><a href=\"http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#Translation_of_directories\" target=\"_blank\" rel=\"noreferrer noopener\">4.1Translation of directories<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#Prevent_logging_and.2For_ROT13_encoding\" target=\"_blank\" rel=\"noreferrer noopener\">4.2Prevent logging and\/or ROT13 encoding<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><a href=\"http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#Comments\" target=\"_blank\" rel=\"noreferrer noopener\">5Comments<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Description<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Windows systems maintain a set of keys in the registry database (UserAssist keys) to keep track of programs that executed. The number of executions and last execution date and time are available in these keys.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The information within the binary UserAssist values contains only statistical data on the applications launched by the user via Windows Explorer. Programs launched via the command\u00adline (cmd.exe) do not appear in these registry keys.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">From a forensics perspective, being able to decode this information can be very useful.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Registry keys<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Keys<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Location<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Userassist registry keys are saved in following locations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>HKEY_USERS\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{GUID}\\Count\\<\/li>\n\n\n\n<li>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{GUID}\\Count\\<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">GUID for Windows XP<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>{75048700-EF1F-11D0-9888-006097DEACF9}<\/li>\n\n\n\n<li>{5E6AB780-7743-11CF-A12B-00AA004AE837}<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">GUID for Windows 7<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}<\/li>\n\n\n\n<li>{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Decoding keys<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Decode names<\/h4>\n\n\n\n<h5 class=\"wp-block-heading\">ROT 13 encoding<\/h5>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Names are ROT13 encoded:&nbsp;<a href=\"http:\/\/en.wikipedia.org\/wiki\/ROT13\" target=\"_blank\" rel=\"noreferrer noopener\">http:\/\/en.wikipedia.org\/wiki\/ROT13<\/a><\/li>\n\n\n\n<li>Notice that both logging and encoding can be prevented (refer to&nbsp;<a href=\"http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#Prevent_logging_and.2For_ROT13_encoding\" target=\"_blank\" rel=\"noreferrer noopener\">annex #2<\/a>).<\/li>\n<\/ul>\n\n\n\n<h5 class=\"wp-block-heading\">Windows XP<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">Key names associated to userassist keys are ROT13 encoded:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a class=\"image\" href=\"http:\/\/www.aldeid.com\/wiki\/File:Userassist-windows-xp-rot13.png\" target=\"_blank\" rel=\"noreferrer noopener\"><img decoding=\"async\" src=\"https:\/\/i-blog.csdnimg.cn\/blog_migrate\/8bf4b37040809744727e1cec18e80524.png\" alt=\"Userassist-windows-xp-rot13.png\"\/><\/a><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">It&#8217;s easy to decode the names:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&gt;&gt;&gt; <strong>s = \"HRZR_EHACNGU:P:\\Qbphzragf naq Frggvatf\\haxabja\\Ohernh\\argjbex-gnfxznantre.rkr\"<\/strong>\n&gt;&gt;&gt; <strong>s.decode(\"rot13\")<\/strong>\nu'UEME_RUNPATH:C:\\\\Documents and Settings\\\\unknown\\\\Bureau\\x07etwork-taskmanager.exe'\n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Below is the explanation of common paths (seen&nbsp;<a target=\"_blank\" rel=\"noreferrer noopener\" href=\"http:\/\/intotheboxes.files.wordpress.com\/2010\/04\/intotheboxes_2010_q1.pdf\">here<\/a>):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>UEME_CTLSESSION: This entry is for the session ID, it doesn&#8217;t hold data about executed programs<\/li>\n\n\n\n<li>UEME_UIQCUT: Counts the programs launched via a Quick Launch menu shortcut<\/li>\n\n\n\n<li>UEME_UISCUT: Counts the programs launched via a Desktop shortcut<\/li>\n\n\n\n<li>UEME_RUNCPL: This entry keeps data about executed control applets (.cpl)<\/li>\n\n\n\n<li>UEME_RUNPATH: This entry keeps data about executed programs<\/li>\n\n\n\n<li>UEME_RUNPIDL: This entry keeps data about executed PIDLs<\/li>\n\n\n\n<li>UEME_UITOOLBAR: This entry keeps data about clicks on the Windows Explorer Toolbar buttons<\/li>\n<\/ul>\n\n\n\n<h5 class=\"wp-block-heading\">Windows 7<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">As for Windows XP, names are ROT13 encoded:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a class=\"image\" href=\"http:\/\/www.aldeid.com\/wiki\/File:Windows-userassist-keys-001.png\" target=\"_blank\" rel=\"noreferrer noopener\"><img decoding=\"async\" src=\"https:\/\/i-blog.csdnimg.cn\/blog_migrate\/a99a7083f2513c20cf8429e3f0fb9132.png\" alt=\"Windows-userassist-keys-001.png\"\/><\/a><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">It&#8217;s easy to decode them in python:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&gt;&gt;&gt; <strong>s = \"\\\\iobkfei\\gzc\\QPbqr.rkr\"<\/strong>\n&gt;&gt;&gt; <strong>s.decode(\"rot13\")<\/strong>\nu'\\\\vboxsrv\\\\tmp\\\\DCode.exe'\n<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">&gt;&gt;&gt; <strong>s = \"{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\\Benpyr\\IveghnyObk Thrfg Nqqvgvbaf\\IObkQeiVafg.rkr\"<\/strong>\n&gt;&gt;&gt; <strong>s.decode(\"rot13\")<\/strong>\nu'{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\\\Oracle\\\\VirtualBox Guest Additions\\\\VB\n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Notice that Windows 7 uses special paths that need to be converted (refer to&nbsp;<a target=\"_blank\" href=\"http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#Translation_of_directories\" rel=\"noreferrer noopener\">annex #1<\/a>).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The path&nbsp;{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}&nbsp;is translated to&nbsp;%ProgramFiles%&nbsp;and the full path becomes:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">%ProgramFiles%\\Oracle\\VirtualBox Guest Additions\\VB\n<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Decode values<\/h4>\n\n\n\n<h5 class=\"wp-block-heading\">Binary data<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">Binary values contained in each of these keys provide information close to the one provided by<a target=\"_blank\" href=\"http:\/\/www.aldeid.com\/wiki\/Windows-prefetch-files\" rel=\"noreferrer noopener\">Windows prefetch files<\/a>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>number of executions<\/li>\n\n\n\n<li>focus time<\/li>\n\n\n\n<li>last execution date and time<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The information contained in the keys depend on the versions:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>NT4, 95, 98: 8 bytes<\/li>\n\n\n\n<li>2000, ME, XP: 16 bytes<\/li>\n\n\n\n<li>Vista, 7, 2008, 8: 72 bytes<\/li>\n<\/ul>\n\n\n\n<h5 class=\"wp-block-heading\">Windows XP<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">As an example, let&#8217;s decode the value associated to following key:&nbsp;HRZR_EHACNGU:P:\\\\Qbphzragf naq Frggvatf\\\\haxabja\\\\Ohernh\\\\bffrp-ntrag-jva32-2.6.rkr&nbsp;(orUEME_RUNPATH:C:\\Documents and Settings\\unknown\\Bureau\\ossec-agent-win32-2.6.exe&nbsp;once decoded). Here is the binary value associated to the key:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">0000 | 3D 00 00 00 06 00 00 00\n0008 | B0 29 1C 28 17 38 CD 01\n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Following information is available:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Session ID: unsigned int, 4 bytes<\/li>\n\n\n\n<li>counter: unsigned int, 4 bytes<\/li>\n\n\n\n<li>date time stamp: unsigned long long, 8 bytes<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Here is how we could decrypt this binary string in python:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&gt;&gt;&gt; <strong>from struct import unpack<\/strong>\n&gt;&gt;&gt; <strong>data = \"\\x3D\\x00\\x00\\x00\\x06\\x00\\x00\\x00\"<\/strong>\n&gt;&gt;&gt; <strong>data+= \"\\xB0\\x29\\x1C\\x28\\x17\\x38\\xCD\\x01\"<\/strong>\n&gt;&gt;&gt; <strong>len(data)<\/strong>\n16\n&gt;&gt;&gt; <strong>unpack('IIQ', data)<\/strong>\n(61, 6, 129821636371950000L)\n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">It provides us with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Session ID: 61 (3d000000)<\/li>\n\n\n\n<li>Counter: 1 (06000000). We actually have to substract 5 to the value as the counter starts at 5<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">To convert the date time stamp, let&#8217;s use this function (found&nbsp;<a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/code.google.com\/p\/registrydecoder\/source\/browse\/branches\/RD2.0\/registrydecoder\/templates\/template_files\/user_assist.py?spec=svn131&amp;r=109\">here<\/a>):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&gt;&gt;&gt; <strong>from datetime import datetime<\/strong>\n&gt;&gt;&gt; <strong>def convert_windate(windate):<\/strong>\n... <strong>    # Converts 8-byte Windows DateTime stamps to Unix one<\/strong>\n... <strong>    date_format = '%Y\/%m\/%d&nbsp;%H:%M:%S UTC' <\/strong>\n... <strong>    no_nano = windate\/10000000 # 10000000 - 100 nanosecond intervals in windows timestamp, remove them to get to seconds since windows epoch<\/strong>\n... <strong>    unix = no_nano - 11644473600 # number of seconds between 1\/1\/1601 and 1\/1\/1970<\/strong>\n... <strong>    return datetime.fromtimestamp(int(unix)).strftime(date_format)<\/strong>\n... \n&gt;&gt;&gt; <strong>convert_windate(129821636371950000)<\/strong>\n'2012\/05\/22 14:33:57 UTC'\n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Now we also know when the program was last run:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Last run: 2012\/05\/22 14:33:57 UTC (b0291c281738cd01)<\/li>\n<\/ul>\n\n\n\n<h5 class=\"wp-block-heading\">Windows 7<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">Given following key:&nbsp;{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\\pnyp.rkr&nbsp;(%windir%\\system32\\calc.exe&nbsp;once fully decoded). It has following binary value:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">0000 | 00 00 00 00 11 00 00 00\n0008 | 00 00 00 00 CC 42 0E 00\n0010 | 00 00 80 BF 00 00 80 BF\n0018 | 00 00 80 BF 00 00 80 BF\n0020 | 00 00 80 BF 00 00 80 BF\n0028 | 00 00 80 BF 00 00 80 BF\n0030 | 00 00 80 BF 00 00 80 BF\n0038 | FF FF FF FF C0 D0 66 17\n0040 | D5 32 CE 01 00 00 00 00\n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Following information is available:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Number of executions<\/li>\n\n\n\n<li>Focus count?<\/li>\n\n\n\n<li>Focus time<\/li>\n\n\n\n<li>Last execution<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s decode the information in python:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&gt;&gt;&gt; <strong>data = \"\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\"<\/strong>\n&gt;&gt;&gt; <strong>data+= \"\\x00\\x00\\x00\\x00\\xCC\\x42\\x0E\\x00\"<\/strong>\n&gt;&gt;&gt; <strong>data+= \"\\x00\\x00\\x80\\xBF\\x00\\x00\\x80\\xBF\"<\/strong>\n&gt;&gt;&gt; <strong>data+= \"\\x00\\x00\\x80\\xBF\\x00\\x00\\x80\\xBF\"<\/strong>\n&gt;&gt;&gt; <strong>data+= \"\\x00\\x00\\x80\\xBF\\x00\\x00\\x80\\xBF\"<\/strong>\n&gt;&gt;&gt; <strong>data+= \"\\x00\\x00\\x80\\xBF\\x00\\x00\\x80\\xBF\"<\/strong>\n&gt;&gt;&gt; <strong>data+= \"\\x00\\x00\\x80\\xBF\\x00\\x00\\x80\\xBF\"<\/strong>\n&gt;&gt;&gt; <strong>data+= \"\\xFF\\xFF\\xFF\\xFF\\xC0\\xD0\\x66\\x17\"<\/strong>\n&gt;&gt;&gt; <strong>data+= \"\\xD5\\x32\\xCE\\x01\\x00\\x00\\x00\\x00\"<\/strong>\n&gt;&gt;&gt; <strong>unpack(\"I\", data[4:8]) # runcount<\/strong>\n(17,)\n&gt;&gt;&gt; <strong>unpack(\"I\", data[12:16]) # focus time<\/strong>\n(934604,)\n&gt;&gt;&gt; <strong>unpack(\"Q\", data[60:68]) # datetime<\/strong>\n(130097330042360000L,)\n&gt;&gt;&gt; <strong>convert_windate(130097330042360000)<\/strong>\n'2013\/04\/06 16:43:24 UTC'\n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">It provides us with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Number of executions: 17<\/li>\n\n\n\n<li>Focus time: 934604<\/li>\n\n\n\n<li>Last run: 2013\/04\/06 16:43:24 UTC<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Tools<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>From&nbsp;<a href=\"http:\/\/www.aldeid.com\/wiki\/Volatility\" target=\"_blank\" rel=\"noreferrer noopener\">Volatility<\/a>:&nbsp;<a href=\"http:\/\/www.aldeid.com\/wiki\/Volatility#userassist\" target=\"_blank\" rel=\"noreferrer noopener\">userassist plugin<\/a><\/li>\n\n\n\n<li>Didier Stevens has written a nice tool to show userassist keys:&nbsp;<a href=\"http:\/\/www.aldeid.com\/wiki\/UserAssist\" target=\"_blank\" rel=\"noreferrer noopener\">UserAssist<\/a>.<\/li>\n\n\n\n<li><a href=\"http:\/\/www.aldeid.com\/wiki\/UserAssistView\" target=\"_blank\" rel=\"noreferrer noopener\">UserAssistView<\/a>&nbsp;(Nirsoft)<\/li>\n\n\n\n<li>RegistryDecoder project:&nbsp;<a href=\"https:\/\/code.google.com\/p\/registrydecoder\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/code.google.com\/p\/registrydecoder\/<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Appendicies<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Translation of directories<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><th>Key<\/th><th>Translation<\/th><\/tr><tr><td>{de61d971-5ebc-4f02-a3a9-6c82895e5c04}<\/td><td>Add or Remove Programs (Control Panel)<\/td><\/tr><tr><td>{724EF170-A42D-4FEF-9F26-B60E846FBA4F}<\/td><td>%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools<\/td><\/tr><tr><td>{a305ce99-f527-492b-8b1a-7e76fa98d6e4}<\/td><td>Installed Updates<\/td><\/tr><tr><td>{9E52AB10-F80D-49DF-ACB8-4330F5687855}<\/td><td>%LOCALAPPDATA%\\Microsoft\\Windows\\Burn\\Burn<\/td><\/tr><tr><td>{df7266ac-9274-4867-8d55-3bd661de872d}<\/td><td>Programs and Features<\/td><\/tr><tr><td>{D0384E7D-BAC3-4797-8F14-CBA229B392B5}<\/td><td>%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools<\/td><\/tr><tr><td>{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}<\/td><td>%ALLUSERSPROFILE%\\OEM Links<\/td><\/tr><tr><td>{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}<\/td><td>%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs<\/td><\/tr><tr><td>{A4115719-D62E-491D-AA7C-E74B8BE3B067}<\/td><td>%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu<\/td><\/tr><tr><td>{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}<\/td><td>%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp<\/td><\/tr><tr><td>{B94237E7-57AC-4347-9151-B08C6C32D1F7}<\/td><td>%ALLUSERSPROFILE%\\Microsoft\\Windows\\Templates<\/td><\/tr><tr><td>{0AC0837C-BBF8-452A-850D-79D08E667CA7}<\/td><td>(My) Computer<\/td><\/tr><tr><td>{4bfefb45-347d-4006-a5be-ac0cb0567192}<\/td><td>Conflicts<\/td><\/tr><tr><td>{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}<\/td><td>Network Connections<\/td><\/tr><tr><td>{56784854-C6CB-462b-8169-88E350ACB882}<\/td><td>%USERPROFILE%\\Contacts<\/td><\/tr><tr><td>{82A74AEB-AEB4-465C-A014-D097EE346D63}<\/td><td>Control Panel<\/td><\/tr><tr><td>{2B0F765D-C0E9-4171-908E-08A611B84FF6}<\/td><td>%APPDATA%\\Microsoft\\Windows\\Cookies<\/td><\/tr><tr><td>{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}<\/td><td>Desktop<\/td><\/tr><tr><td>{5CE4A5E9-E4EB-479D-B89F-130C02886155}<\/td><td>%ALLUSERSPROFILE%\\Microsoft\\Windows\\DeviceMetadataStore<\/td><\/tr><tr><td>{7B0DB17D-9CD2-4A93-9733-46CC89022E7C}<\/td><td>%APPDATA%\\Microsoft\\Windows\\Libraries\\Documents.library-ms<\/td><\/tr><tr><td>{374DE290-123F-4565-9164-39C4925E467B}<\/td><td>%USERPROFILE%\\Downloads<\/td><\/tr><tr><td>{1777F761-68AD-4D8A-87BD-30B759FA33DD}<\/td><td>%USERPROFILE%\\Favorites<\/td><\/tr><tr><td>{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}<\/td><td>%windir%\\Fonts<\/td><\/tr><tr><td>{CAC52C1A-B53D-4edc-92D7-6B2E8AC19434}<\/td><td>Games<\/td><\/tr><tr><td>{054FAE61-4DD8-4787-80B6-090220C4B700}<\/td><td>GameExplorer<\/td><\/tr><tr><td>{D9DC8A3B-B784-432E-A781-5A1130A75963}<\/td><td>%LOCALAPPDATA%\\Microsoft\\Windows\\History<\/td><\/tr><tr><td>{52528A6B-B9E3-4ADD-B60D-588C2DBA842D}<\/td><td>Homegroup<\/td><\/tr><tr><td>{BCB5256F-79F6-4CEE-B725-DC34E402FD46}<\/td><td>%APPDATA%\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts<\/td><\/tr><tr><td>{352481E8-33BE-4251-BA85-6007CAEDCF9D}<\/td><td>%LOCALAPPDATA%\\Microsoft\\Windows\\Temporary Internet Files<\/td><\/tr><tr><td>{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}<\/td><td>The Internet<\/td><\/tr><tr><td>{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}<\/td><td>%APPDATA%\\Microsoft\\Windows\\Libraries<\/td><\/tr><tr><td>{bfb9d5e0-c6a9-404c-b2b2-ae6db6af4968}<\/td><td>%USERPROFILE%\\Links<\/td><\/tr><tr><td>{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}<\/td><td>%LOCALAPPDATA% (%USERPROFILE%\\AppData\\Local)<\/td><\/tr><tr><td>{A520A1A4-1780-4FF6-BD18-167343C5AF16}<\/td><td>%USERPROFILE%\\AppData\\LocalLow<\/td><\/tr><tr><td>{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}<\/td><td>%windir%\\resources\\0409 (code page)<\/td><\/tr><tr><td>{4BD8D571-6D19-48D3-BE97-422220080E43}<\/td><td>%USERPROFILE%\\Music<\/td><\/tr><tr><td>{2112AB0A-C86A-4FFE-A368-0DE96E47012E}<\/td><td>%APPDATA%\\Microsoft\\Windows\\Libraries\\Music.library-ms<\/td><\/tr><tr><td>{C5ABBF53-E17F-4121-8900-86626FC2C973}<\/td><td>%APPDATA%\\Microsoft\\Windows\\Network Shortcuts<\/td><\/tr><tr><td>{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}<\/td><td>Network<\/td><\/tr><tr><td>{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}<\/td><td>%LOCALAPPDATA%\\Microsoft\\Windows Photo Gallery\\Original Images<\/td><\/tr><tr><td>{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}<\/td><td>%USERPROFILE%\\Pictures\\Slide Shows<\/td><\/tr><tr><td>{A990AE9F-A03B-4E80-94BC-9912D7504104}<\/td><td>%APPDATA%\\Microsoft\\Windows\\Libraries\\Pictures.library-ms<\/td><\/tr><tr><td>{33E28130-4E1E-4676-835A-98395C3BC3BB}<\/td><td>%USERPROFILE%\\Pictures<\/td><\/tr><tr><td>{DE92C1C7-837F-4F69-A3BB-86E631204A23}<\/td><td>%USERPROFILE%\\Music\\Playlists<\/td><\/tr><tr><td>{76FC4E2D-D6AD-4519-A663-37BD56068185}<\/td><td>Printers<\/td><\/tr><tr><td>{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}<\/td><td>%APPDATA%\\Microsoft\\Windows\\Printer Shortcuts<\/td><\/tr><tr><td>{5E6C858F-0E22-4760-9AFE-EA3317B67173}<\/td><td>%USERPROFILE% (%SystemDrive%\\Users\\%USERNAME%)<\/td><\/tr><tr><td>{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}<\/td><td>%ALLUSERSPROFILE% (%ProgramData%,&nbsp;%SystemDrive%\\ProgramData)<\/td><\/tr><tr><td>{905e63b6-c1bf-494e-b29c-65b732d3d21a}<\/td><td>%ProgramFiles%<\/td><\/tr><tr><td>{6D809377-6AF0-444b-8957-A3773F02200E}<\/td><td>%ProgramFiles%<\/td><\/tr><tr><td>{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}<\/td><td>%ProgramFiles%<\/td><\/tr><tr><td>{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}<\/td><td>%ProgramFiles%\\Common Files<\/td><\/tr><tr><td>{6365D5A7-0F0D-45E5-87F6-0DA56B6A4F7D}<\/td><td>%ProgramFiles%\\Common Files<\/td><\/tr><tr><td>{DE974D24-D9C6-4D3E-BF91-F4455120B917}<\/td><td>%ProgramFiles%\\Common Files<\/td><\/tr><tr><td>{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}<\/td><td>%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs<\/td><\/tr><tr><td>{DFDF76A2-C82A-4D63-906A-5644AC457385}<\/td><td>%PUBLIC% (%SystemDrive%\\Users\\Public)<\/td><\/tr><tr><td>{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}<\/td><td>%PUBLIC%\\Desktop<\/td><\/tr><tr><td>{ED4824AF-DCE4-45A8-81E2-FC7965083634}<\/td><td>%PUBLIC%\\Documents<\/td><\/tr><tr><td>{3D644C9B-1FB8-4f30-9B45-F670235F79C0}<\/td><td>%PUBLIC%\\Downloads<\/td><\/tr><tr><td>{DEBF2536-E1A8-4c59-B6A2-414586476AEA}<\/td><td>%ALLUSERSPROFILE%\\Microsoft\\Windows\\GameExplorer<\/td><\/tr><tr><td>{48DAF80B-E6CF-4F4E-B800-0E69D84EE384}<\/td><td>%ALLUSERSPROFILE%\\Microsoft\\Windows\\Libraries<\/td><\/tr><tr><td>{3214FAB5-9757-4298-BB61-92A9DEAA44FF}<\/td><td>%PUBLIC%\\Music<\/td><\/tr><tr><td>{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}<\/td><td>%PUBLIC%\\Pictures<\/td><\/tr><tr><td>{E555AB60-153B-4D17-9F04-A5FE99FC15EC}<\/td><td>%ALLUSERSPROFILE%\\Microsoft\\Windows\\Ringtones<\/td><\/tr><tr><td>{2400183A-6185-49FB-A2D8-4A392A602BA3}<\/td><td>%PUBLIC%\\Videos<\/td><\/tr><tr><td>{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}<\/td><td>%APPDATA%\\Microsoft\\Internet Explorer\\Quick Launch<\/td><\/tr><tr><td>{AE50C081-EBD2-438A-8655-8A092E34987A}<\/td><td>%APPDATA%\\Microsoft\\Windows\\Recent<\/td><\/tr><tr><td>{1A6FDBA2-F42D-4358-A798-B74D745926C5}<\/td><td>%PUBLIC%\\RecordedTV.library-ms<\/td><\/tr><tr><td>{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}<\/td><td>Recycle Bin<\/td><\/tr><tr><td>{8AD10C31-2ADB-4296-A8F7-E4701232C972}<\/td><td>%windir%\\Resources<\/td><\/tr><tr><td>{C870044B-F49E-4126-A9C3-B52A1FF411E8}<\/td><td>%LOCALAPPDATA%\\Microsoft\\Windows\\Ringtones<\/td><\/tr><tr><td>{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}<\/td><td>%APPDATA% (%USERPROFILE%\\AppData\\Roaming)<\/td><\/tr><tr><td>{B250C668-F57D-4EE1-A63C-290EE7D1AA1F}<\/td><td>%PUBLIC%\\Music\\Sample Music<\/td><\/tr><tr><td>{C4900540-2379-4C75-844B-64E6FAF8716B}<\/td><td>%PUBLIC%\\Pictures\\Sample Pictures<\/td><\/tr><tr><td>{15CA69B3-30EE-49C1-ACE1-6B5EC372AFB5}<\/td><td>%PUBLIC%\\Music\\Sample Playlists<\/td><\/tr><tr><td>{859EAD94-2E85-48AD-A71A-0969CB56A6CD}<\/td><td>%PUBLIC%\\Videos\\Sample Videos<\/td><\/tr><tr><td>{4C5C32FF-BB9D-43b0-B5B4-2D72E54EAAA4}<\/td><td>%USERPROFILE%\\Saved Games<\/td><\/tr><tr><td>{7d1d3a04-debb-4115-95cf-2f29da2920da}<\/td><td>%USERPROFILE%\\Searches<\/td><\/tr><tr><td>{ee32e446-31ca-4aba-814f-a5ebd2fd6d5e}<\/td><td>Offline Files<\/td><\/tr><tr><td>{98ec0e18-2098-4d44-8644-66979315a281}<\/td><td>Microsoft Office Outlook<\/td><\/tr><tr><td>{190337d1-b8ca-4121-a639-6d472d16972a}<\/td><td>Search Results<\/td><\/tr><tr><td>{8983036C-27C0-404B-8F08-102D10DCFD74}<\/td><td>%APPDATA%\\Microsoft\\Windows\\SendTo<\/td><\/tr><tr><td>{7B396E54-9EC5-4300-BE0A-2482EBAE1A26}<\/td><td>%ProgramFiles%\\Windows Sidebar\\Gadgets<\/td><\/tr><tr><td>{A75D362E-50FC-4fb7-AC2C-A8BEAA314493}<\/td><td>%LOCALAPPDATA%\\Microsoft\\Windows Sidebar\\Gadgets<\/td><\/tr><tr><td>{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}<\/td><td>%APPDATA%\\Microsoft\\Windows\\Start Menu<\/td><\/tr><tr><td>{B97D20BB-F46A-4C97-BA10-5E3608430854}<\/td><td>%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp<\/td><\/tr><tr><td>{43668BF8-C14E-49B2-97C9-747784D784B7}<\/td><td>Sync Center<\/td><\/tr><tr><td>{289a9a43-be44-4057-a41b-587a76d7e7f9}<\/td><td>Sync Results<\/td><\/tr><tr><td>{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}<\/td><td>Sync Setup<\/td><\/tr><tr><td>{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}<\/td><td>%windir%\\system32<\/td><\/tr><tr><td>{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}<\/td><td>%windir%\\system32<\/td><\/tr><tr><td>{A63293E8-664E-48DB-A079-DF759E0509F7}<\/td><td>%APPDATA%\\Microsoft\\Windows\\Templates<\/td><\/tr><tr><td>{9E3995AB-1F9C-4F13-B827-48B24B6C7174}<\/td><td>%APPDATA%\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned<\/td><\/tr><tr><td>{0762D272-C50A-4BB0-A382-697DCD729B80}<\/td><td>%SystemDrive%\\Users<\/td><\/tr><tr><td>{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}<\/td><td>%LOCALAPPDATA%\\Programs<\/td><\/tr><tr><td>{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}<\/td><td>%LOCALAPPDATA%\\Programs\\Common<\/td><\/tr><tr><td>{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}<\/td><td>The user&#8217;s full name<\/td><\/tr><tr><td>{A302545D-DEFF-464b-ABE8-61C8648D939B}<\/td><td>Libraries<\/td><\/tr><tr><td>{18989B1D-99B5-455B-841C-AB7C74E4DDFC}<\/td><td>%USERPROFILE%\\Videos<\/td><\/tr><tr><td>{491E922F-5643-4AF4-A7EB-4E7A138D8174}<\/td><td>%APPDATA%\\Microsoft\\Windows\\Libraries\\Videos.library-ms<\/td><\/tr><tr><td>{F38BF404-1D43-42F2-9305-67DE0B28FC23}<\/td><td>%windir%<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Prevent logging and\/or ROT13 encoding<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">It&#8217;s possible to prevent both the encoding and the logging:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Disable logging:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">C:\\&gt;<strong>regwrite, REG_DWORD, HKCU, Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\Settings, NoLog, 1<\/strong>\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Disable ROT13 encoding:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">C:\\&gt;<strong>regwrite, REG_DWORD, HKCU, Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\Settings, NoEncrypt, 1<\/strong>\n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u53c2\u89c1\uff1a<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">http:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">UserAssistView code \u8c37\u6b4c<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">=============================================<\/p>\n\n\n\n<pre id=\"best-content-143154006\" class=\"wp-block-preformatted\">softmare\\microsoft\\windows\\currentVersion\\explorer\\userassist\\{5E6AB780-7743-11CF-A12B-00AA004AE837}\\count \u662f\u8f6f\u4ef6\u4f7f\u7528\u7eaa\u5f55,\u6709\u70b9\u50cf\u64cd\u4f5c\u65e5\u5fd7,\u4f3c\u4e4e\u7ecf\u5e38\u4f1a\u88ab\u75c5\u6bd2\u548c\u6728\u9a6c\u7528\u5230,\u53ef\u4ee5\u7528\u8f6f\u4ef6\u6765\u6e05\u7406\u5b83\u7684\u952e\u503c\u9879\u6bd4\u8f83\u5b89\u5168\n\nHKEY_CURRENT_CONFIG\\Software\\Microsoft\\Windows\\CurrentVersion\\ Explorer\\TrayNotify\u201d\uff0c\u5176\u4e2d\u201cIconStreams\u201d\u9879\u5b58\u50a8\u7740\u201c\u5f53\u524d\u9879\u76ee\u201d\u800c\u201cPastIconsStream\u201d\u9879\u5b58\u50a8\u7740\u201c\u8fc7\u53bb\u7684\u9879\u76ee\u201d \n\n\u8fd9\u662f\u4efb\u52a1\u680f\u548c\u5f00\u59cb\u83dc\u5355\u680f\u4e2d\u9690\u85cf\u4e0d\u6d3b\u52a8\u56fe\u6807\u7684\u8fc7\u53bb\u9879\u76ee\u548c\u5f53\u524d\u9879\u76ee<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">http:\/\/zhidao.baidu.com\/link?url=84LrgAWbOOt6w9178HnRFqGjDVxBG9RfNolBLBwzhopHUh9UGqKzdN_9BZZ8KnIgXXQoJ_e595FMfQtXrycMa_<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Description<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">This utility decrypt and displays the list of all UserAssist entries storedunder HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist key in the Registry.The UserAssist key contains information about the exe files and links that you open frequently.you can save the list of UserAssist entries into text\/html\/xml\/csv file, as well as you can delete unwanted items.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">UserAssistview\u8fd9\u4e2a\u5de5\u5177\u89e3\u5bc6\u5e76\u663e\u793a\u50a8\u5b58\u5728\u6ce8\u518c\u8868\u4e2d\u7684 HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist \u6240\u6709\u7684\u4fe1\u606f .UserAssist \u952e\u4e3b\u8981\u5305\u542b\u4f60\u7ecf\u5e38\u6253\u5f00\u7684EXE\u6587\u4ef6\u4fe1\u606f\u548c\u94fe\u63a5\u3002\u4f60\u80fd\u5bfc\u51fa\u5217\u8868\uff0c\u5b58\u6210 text\/html\/xml\/csv \u6587\u4ef6\uff0c\u4f60\u4e5f\u53ef\u4ee5\u5220\u9664\u4e0d\u9700\u8981\u7684\u9879\u76ee\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">http:\/\/www.nirsoft.net\/utils\/userassist_view.html<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u53c2\u89c1\uff1a<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ UserAssist \u767e\u5ea6<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">==================<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u7528\u4e8e\uff1a\u5e94\u7528\u7a0b\u5e8f\u8fd0\u884c\u8bb0\u5f55<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6765\u6e90:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/blog.csdn.net\/haiross\/article\/details\/45971625\">https:\/\/blog.csdn.net\/haiross\/article\/details\/45971625<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#Prevent_logging_and.2For_ROT13_encoding\">https:\/\/www.aldeid.com\/wiki\/Windows-userassist-keys#Prevent_logging_and.2For_ROT13_encoding<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-311","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"http:\/\/www.yudi001.cn\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/311","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.yudi001.cn\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.yudi001.cn\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.yudi001.cn\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.yudi001.cn\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=311"}],"version-history":[{"count":2,"href":"http:\/\/www.yudi001.cn\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/311\/revisions"}],"predecessor-version":[{"id":313,"href":"http:\/\/www.yudi001.cn\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/311\/revisions\/313"}],"wp:attachment":[{"href":"http:\/\/www.yudi001.cn\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=311"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.yudi001.cn\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=311"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.yudi001.cn\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=311"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}