search

MUICache

Per user GUI-based execution, in no order.

LogoMUICache Blogforensafe.comchevron-right
LogoForensic Analysis of MUICache Files in WindowsMagnet Forensicschevron-right

Location:

  • HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

hashtag
Parsing Data

hashtag
Considerations

  • PER user execution because it is in HKCU.

  • No timestamps of execution.

  • No MRU lists.

  • Two values populated first time GUI-based app is executed.

  • Contains all drives (network, secondary drive, USB).

  • Pulls versioninfo meta data of PE file.

    • ApplicationCompany

    • FriendlyAppName

hashtag
Anti-Forensics

PreviousPCANextUserAssist

Last updated