MUICache

Per user GUI-based execution, in no order.

LogoMUICache Blog
LogoForensic Analysis of MUICache Files in WindowsMagnet Forensics

Location:

  • HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

Parsing Data

#No need to parse data, easy to read with reg explorer.

Considerations

  • PER user execution because it is in HKCU.

  • No timestamps of execution.

  • No MRU lists.

  • Two values populated first time GUI-based app is executed.

  • Contains all drives (network, secondary drive, USB).

  • Pulls versioninfo meta data of PE file.

    • ApplicationCompany

    • FriendlyAppName

Anti-Forensics

PreviousPCANextUserAssist

Last updated