Registry: MUICache

Posted by:  /  Tags: , ,

Author Name

Artifact Name

Artifact/Program Version

According to, “each time that you start using a new application, Windows operating system automatically extract the application name from the version resource of the exe file, and stores it for using it later, in Registry key known as the ‘MuiCache’.”

This key is similar to the UserAssist key in that it shows you programs that have been run on the system. This key is useful when looking for evidence of malware, virtualization, or “evidence cleaning” programs.

Please see the additional description from “Windows Forensic Analysis” in the first Research Link.

Registry Keys
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

Research Links
Google Book Preview – Windows Forensic Analysis

Forensic Programs of Use

Related Posts

Leave a Reply

Your Name: (required)

Your Email: (will not be published) (required)

Your Website:

Your Message:

submit comment