Artifacts

Registry: MUICache


Author Name
Matt

Artifact Name
MUICache

Artifact/Program Version
Windows

Description
According to Nirsoft.net, “each time that you start using a new application, Windows operating system automatically extract the application name from the version resource of the exe file, and stores it for using it later, in Registry key known as the ‘MuiCache’.”

This key is similar to the UserAssist key in that it shows you programs that have been run on the system. This key is useful when looking for evidence of malware, virtualization, or “evidence cleaning” programs.

Please see the additional description from “Windows Forensic Analysis” in the first Research Link.

Registry Keys
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
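
An added example, not part of the original post or of the tools linked below: a small Python parser that pulls executable paths and their cached names out of a `reg export` text dump of the two keys above. The sample export is constructed, and the value layout it assumes (a `LangID` value, `@`-prefixed resource strings, and `.FriendlyAppName` / `.ApplicationCompany` name suffixes on newer Windows versions) and the "user-writable directory" triage list are assumptions not described on this page.

```python
import re

# Constructed sample in `reg export` text form; every path and name is invented.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"LangID"=hex:09,04
"C:\\Program Files\\Example\\viewer.exe.FriendlyAppName"="Example Viewer"
"C:\\Program Files\\Example\\viewer.exe.ApplicationCompany"="Example Corp"
"C:\\Users\\user\\AppData\\Local\\Temp\\wipe_tool.exe.FriendlyAppName"="Wipe Tool"
"@%SystemRoot%\\system32\\shell32.dll,-21769"="Desktop"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\VM\\vmplayer.exe"="Example VM Player"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Assumed name suffixes on newer Windows; older entries are a bare path.
SUFFIXES = (".FriendlyAppName", ".ApplicationCompany")
# Illustrative triage list only: directories a standard user can write to.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\downloads\\")

def parse_muicache(reg_text):
    """Return {executable path: {"key": source key, attribute: cached string}}."""
    current, in_key, out = None, False, {}
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            in_key = current.lower().endswith("\\muicache")
            continue
        m = VAL_RE.match(line) if in_key else None
        if not m:
            continue  # blank lines, other keys, non-string data such as LangID
        # .reg files escape backslashes and quotes with a leading backslash.
        name, data = (re.sub(r'\\(.)', r'\1', g) for g in m.groups())
        if name.startswith("@"):
            continue  # cached resource string, not an executable path
        attr = "FriendlyAppName"  # bare-path entries store the display name
        for suf in SUFFIXES:
            if name.endswith(suf):
                name, attr = name[:-len(suf)], suf[1:]
        out.setdefault(name, {"key": current})[attr] = data
    return out

def in_user_writable(path):
    return any(d in path.lower() for d in USER_WRITABLE)
```

A real export produced by `reg export` is UTF-16 text, so read it with `open(path, encoding="utf-16")` before passing the contents to `parse_muicache`.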

Research Links
- Google Book Preview – Windows Forensic Analysis
- http://windowsir.blogspot.com/2005/12/mystery-of-muicachesolved.html

Forensic Programs of Use
- http://www.nirsoft.net/utils/muicache_view.html
- http://regripper.net
