🖥️
Windows DFIR
  • Introduction
  • Windows Artifacts
    • Windows Quick Tips
      • Windows Command Line
      • Workstation File/Folder Locations
      • Server File/Folder Locations
    • Account Usage
      • Authentications SAM Artifacts
        • Last Login
        • Last Failed Login
        • Last Password Change
      • Authentications (Windows Event Log)
        • Logon ID
      • Group Membership
        • Event ID: 4798
        • Event ID: 4799
      • RDP
        • Source System Artifacts - Quick Reference
        • Destination System Artifacts - Quick Reference
      • SSH
      • Rouge Local Accounts
      • CrowdStrike Searches
        • Event Name - UserLogon
        • Event Name - UserLogonFailed
        • Event Name - UserLogonFailed2
        • Event Name - SsoApplicationAccess
    • Browser Usage
      • History & Downloads
        • Viewing History Files - DB Browser
        • Transition Types
      • Auto-Complete Data
      • Bookmarks
      • Browser Preferences
      • Cache
      • Cookies
      • Extensions
      • Super Cookies (HTML5 Web Storage)
      • Media History
      • Private Browsing
      • Session Restore
      • Stored Credentials
      • Suggested/Frequent Sites
      • DB Browser Queries
        • Firefox
        • Chrome
        • Media History
      • PowerShell Scripts
        • Browser Extension Finder
        • Browser History Finder
    • Processes
      • at.exe
      • explorer.exe
      • lsass.exe
      • lsaiso.exe
      • PuTTy.exe
        • X11 Forwarding
      • runtimebroker.exe
      • services.exe
      • smss.exe
      • System
      • svchost.exe
        • Services
      • winlogon.exe
      • wininit.exe
    • Cloud Storage
    • Deleted File or File Knowledge
      • WordWheelQuery (Win 7+)
      • ACMRU (Win XP)
      • Internet Explorer file:///
      • Last Visited MRU
      • Thumbs.db (Win XP)
      • Thumbcache
      • Recycle Bin
      • User Typed Paths
      • Windows Search Database
    • File Download
      • Zone.Identifer
      • Open/Save Most Recently Used (MRU)
      • Email
      • Drive By Downloads
        • Malvertising
      • Web Browsing
        • Cache Files
      • CrowdStrike Searches
        • MoTW
    • Folder/File Opening/Creation
      • Recent Files
      • Office Recent Files
      • Shell Bags
      • .lnk Files
      • Jump Lists
        • AppIDs
      • Prefetch
      • Index.dat file://
      • PowerShell Scripts
        • .lnk Files
    • Persistence
      • Registry
        • NTUSER.DAT & HKU\SID
        • Run and Run Once
        • Shell Folders and UserInit Key
        • Services
        • Logon Scripts
        • Office Add-ins
        • Winlogon Shell
        • Image File Execution Options (IFEO)
        • AppInit_DLLs
        • Scheduled Tasks
      • Scheduled Tasks
        • Scheduled Task Destination System Artifacts
        • Scheduled Task Source System Artifacts
      • Startup
      • Tool: AutoRuns
      • Accounts
      • WMI Event Consumers
        • WMI: Source System Artifacts
        • WMI: Destination System Artifacts
        • WMI: PowerShell Analysis
      • PowerShell Scripts
        • Startup Programs
      • CrowdStrike Searches
        • Files Written to Startup Folder
        • Files Written to Startup Folder from the Internet
        • Local Account Creation/Deletion
        • Azure Account Creation/Deletion
        • Scheduled Tasks
    • Physical Location
      • Time zone
      • Wireless SSID
      • Network History (Vista/Win7–11)
      • Cookies
      • Browser Search Terms
    • Program Execution
      • Prefetch
        • Decoding Prefetch Files with Eric Zimmerman's PECmd Tool
      • BAM/DAM
      • CapabilityAccessManager
      • UserAssist
      • Last Visited MRU
      • RunMRU
      • MUI Cache
      • ShimCache
      • Amcache
      • Jump Lists
    • Shadow Copies
      • VSC Permissions
      • Event ID 8193: Volume Shadow Copy Service Error
    • USB Usage
      • Key Identification
      • Drive Letter and Volume Name
      • Connection Timestamps
      • User
      • Volume Name
      • Plug & Play Event Log
    • Windows Services
      • DoSvc (Delivery Optimization)
    • System Information
    • Event IDs
      • Authentication / Account
        • 4624 - Authentication Success
          • Logon Types
        • 4625 - Authentication Failure
          • SubStatus Codes
        • 4634 - Account Logoff
        • 4648 - Explicit Credentials Success
        • 4672 - Special Privileges
        • 4720 - Account Creation
        • 4722 - Account Enabled
        • 4732 - Addition to Local Group
        • 4738 - Account Changed
        • 4776 - Kerberos Authentication Attempt
          • Substatus Codes
        • 4771 - Kerberos Failure
        • 4768
      • File System
        • 1006
        • 4688 - Process Created
        • 4663
        • 4656
        • 6416
        • 20001
        • 20003
  • Windows DFIR & MITTR
    • Initial Access
      • Content Injection
      • Drive-by Compromise
        • Watering Hole Attack
        • Microsoft Files (Payload Execution)
        • Exploit Delivery
        • Viewing Browser History Files
      • Phishing
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
      • Logon ID
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
  • SOC Related
    • Cached Credentials
    • Domain Controller Password Spraying
Powered by GitBook
On this page
  • Key Insights
  • Overview
  • Analyzing The MUI Cache

Was this helpful?

  1. Windows Artifacts
  2. Program Execution

MUI Cache

The MUI Cache, a component of the Windows operating system, plays a crucial role in the localization and quick access of program names. It's a repository that holds details about the applications executed on the system, specifically the names of these applications, to support the display of these names in the user's preferred language. This artifact is particularly valuable in digital forensics and incident response (DFIR) for understanding program execution history on a Windows machine.

Key Insights

  • Location in the Registry:

    • Windows XP/2003: HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache

    • Windows Vista and above: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

  • Windows 7 and above specific locations:

    • HKCU\Software\Microsoft\Windows\Shell\MuiCache

    • HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

Entries within the MUI Cache include the full path to the executable and the application's name as it should appear in the UI. This information can assist in identifying which applications were executed and are therefore of interest in an investigation.

Overview

The MUI (Multilingual User Interface) Cache is stored within the Windows Registry, which contains entries for each executable (EXE) file that has been run on the system. These entries help Windows quickly display the correct name of an application in the user interface, catering to the system's set language preferences. For forensic analysts, the MUI Cache is a goldmine of information because it provides evidence of program execution, even if the actual executables are no longer present on the system.

The MUI Cache does not only store information about system applications but also about third-party software executed by the user. This makes it a valuable artifact for forensic analysts to determine the scope of software use on a suspect's computer. However, it's important to note that the MUI Cache gets updated frequently, and entries can be overwritten. Thus, its contents provide a snapshot of application usage rather than a comprehensive history.

Analyzing The MUI Cache

To analyze the MUI Cache from the command line, one can use Windows Registry command-line tools or third-party forensic tools that can export and analyze registry data. The command-line tool reg query can be used to access registry keys and their values directly from the command prompt.

Example Command to Access MUI Cache on Windows 10:

reg query HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

The output of this command will list the registry entries under the MUI Cache, showing the paths to executables and the associated application names.

  • Understanding the Outputs:

    • Executable Path: Indicates the location of the application executed. This can help identify unknown or suspicious programs.

    • Application Name: Provides the name of the application as displayed to the user, aiding in understanding the application's purpose or function.

PreviousRunMRUNextShimCache

Last updated 1 year ago

Was this helpful?