Hi there.
I want to read User Assist registry key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist) complete (with subkeys) and display all the info inside.
This key gives you information about all the applications, webpages, searches, and some more info that where executed in your machine.
It's like a history but it doesn't blank.

The problem with it is the reg_binary key type.
The reg_binary field of that registry key gives you the date, session and number of times that the "Data" field was executed.
Example:
Name Type Data
HRZR_EHACVQY Reg_binary 07 00 00 00 06 00 00 00 A0 36 D0 05 67 E6 C7 01

Name field is rot-13 encoded and the data have the following information:
07 is the session id
06 is the number of times that "name field" happend
and the chain "A0 36 D0 05 67 E6 C7 01" is the date in timestamp format.
Now.
I have these script

Param($Filter=".*",$Srv=$env:computerName,$regpath="Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist")
FunctionCheck-RegKeys
{
Param($regkey,$Server)
$ServerKey= [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("CurrentUser", $Server)
$SubKey=$ServerKey.OpenSubKey($regkey,$false)
If(!($SubKey)){Return}
$SubKeyValues=$SubKey.GetValueNames()
if($SubKeyValues)
{
$Index= 0
foreach($SubKeyValuein$SubKeyValues)
{
$Index=$Index+ 1
$Key= @{n="Key";e={$SubKey.Name -replace"HKEY_LOCAL_MACHINE\\",""}}
$ValueName= @{n="ValueName";e={$SubKeyValue}}
$Value= @{n="Value";e={$_}}
$DecryptedValue= Decrypt($SubKeyValue)
$SubKey.GetValue($SubKeyValue) | ?{$_-match$filter} | Select-Object$Key,{$DecryptedValue},$Value
#| out-file -Append -filePath "D:\Documents and Settings\u189978\Desktop\Salida.txt" -NoClobber -Width 500

#$Key = @{n="Key";e={$SubKey.Name -replace "HKEY_LOCAL_MACHINE\\",""}}
#$ValueName = @{n="ValueName";e={$SubKeyValue}}
#$Value = @{n="Value";e={$_}}
#$SubKey.GetValue($SubKeyValue) | ?{$_ -match $filter} | Select-Object $Key,$ValueName,$Value

##$DecryptedValue = Decrypt($ValueName)
##$SubKey.GetValue($SubKeyValue) | ?{$_ -match $filter} | Select-Object $Key,$DecryptedValue,$Value
}
}
$SubKeyName=$SubKey.GetSubKeyNames()
foreach($subkeyin$SubKeyName)
{
$SubKeyName="$regkey\$subkey"
Check-RegKeys$SubKeyName
}
}
FunctionDecrypt([string]$strinput)
{
$salida=""
$n= 13
For ($i= 0;$i-lt$strInput.length;$i++){
$k= [byte][char]($strInput.substring($i,1))
if ($k-ge 97 -and$k-le 109){$k=$k+ 13} else {
if ($k-ge 110 -and$k-le 122){$k=$k- 13} else {
if ($k-ge 65 -and$k-le 77){$k=$k+ 13} else {
if ($k-gt 78 -and$k-le 90){$k=$k -13}}}}
$salida=$salida+ [char]$k
}
Return$salida.PadRight(30)
}
Check-RegKeys$regPath$Srv 2>$null