
Investigating MUICache

10/11/2021 Wednesday

MUI stands for Multilingual User Interface, a technology that allows a single application on Windows to be localized for multiple languages. Developers create an .MUI file for each language the application supports, and these files let the user switch languages. The MUI files generate the MUICache key in the registry. The MUICache key contains information about files executed on the system, which the operating system extracts when a new application is used.


Digital Forensics Value of MUICache Artifact


The MUICache artifact can provide useful information about applications and tools installed and run via a user account. It may also indicate malicious activity on the system, because the information within the MUICache key is maintained even if the malicious actor has deleted the applications from the device. In addition, if the values for an application are deleted from the key, they reappear the next time the user runs that application.


Location of MUICache Artifact


The path to the MUICache key differs between Windows versions. On Windows 2000, Windows XP, and Windows Server 2003, the key is located within the NTUSER.dat hive at:

Software\Microsoft\Windows\ShellNoRoam\MUICache

Starting from Windows Vista, the key is located in the USRCLASS.dat hive in the following location:

Local Settings\Software\Microsoft\Windows\Shell\MuiCache


Structure of MUICache Artifact


As demonstrated in the screenshot below, the MuiCache key contains multiple values. For each value, the Name field contains the path to the executed file and the Data field contains information about that file, such as the name of the application.
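The Name/Data layout described above can be triaged from a text export of the key. The following is an added example, not ArtiFast or Forensafe code: it groups values by executable path and lists cached executables that are absent from an examiner-supplied file listing, which is how deleted applications show up in this artifact. It assumes `reg query` style output (fields separated by four spaces) and the `.FriendlyAppName` / `.ApplicationCompany` value-name suffixes used on Windows Vista and later, which the page does not list; the function names, sample lines and file listing are constructed for illustration.

```python
import re
from collections import defaultdict

# Suffixes Windows Vista and later append to the executable path in a value name.
SUFFIXES = (".FriendlyAppName", ".ApplicationCompany")
# Assumed export format: "    name    TYPE    data", fields separated by four spaces.
LINE_RE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")

# Constructed sample of an exported MuiCache key (not real evidence).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
    LangID    REG_BINARY    0904
    C:\Windows\System32\notepad.exe.FriendlyAppName    REG_SZ    Notepad
    C:\Windows\System32\notepad.exe.ApplicationCompany    REG_SZ    Microsoft Corporation
    C:\Users\alice\Downloads\tool.exe.FriendlyAppName    REG_SZ    tool.exe
"""


def parse_muicache(reg_output):
    """Group MuiCache values by executable path: {path: {field: data}}."""
    entries = defaultdict(dict)
    for line in reg_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # key header, blank line, or unexpected layout
        for suffix in SUFFIXES:
            if m.group("name").endswith(suffix):
                path = m.group("name")[: -len(suffix)]
                entries[path][suffix.lstrip(".")] = m.group("data")
    return dict(entries)


def missing_executables(entries, files_on_disk):
    """Return cached paths absent from the file listing (case-insensitive)."""
    present = {p.lower() for p in files_on_disk}
    return sorted(p for p in entries if p.lower() not in present)


if __name__ == "__main__":
    entries = parse_muicache(SAMPLE)
    for path, fields in entries.items():
        print(path, fields)
    # Constructed file listing taken from the same (hypothetical) disk image.
    listing = [r"c:\windows\system32\notepad.exe"]
    print("Executed but no longer on disk:", missing_executables(entries, listing))
```

Values such as `LangID` that carry no executable path are skipped, as are the bare-path value names used by the older ShellNoRoam location.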


Analyzing MUICache Artifact with ArtiFast Windows


This section discusses how to use ArtiFast Windows to analyze the MUICache artifact from Windows machines and what kind of digital forensics insight we can gain from it.

After you have created your case and added evidence for the investigation, you can select the MUICache artifact at the Artifacts Selection phase:






Once the ArtiFast parser plugins finish processing the artifacts, the results can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of the MUICache artifact in ArtiFast Windows.


MUICache Artifact



For more information or suggestions please contact: asmaa.elkhatib@forensafe.com