MUICache

Per user GUI-based execution, in no order.

MUICache Blog

Forensic Analysis of MUICache Files in WindowsMagnet Forensics

Location:

• HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

Parsing Data

#No need to parse data, easy to read with reg explorer.

Considerations

• PER user execution because it is in HKCU.

• No timestamps of execution.

• No MRU lists.

• Two values populated first time GUI-based app is executed.

• Contains all drives (network, secondary drive, USB).

• Pulls versioninfo meta data of PE file.

  • ApplicationCompany

  • FriendlyAppName

Anti-Forensics