# MUI Cache

### **Overview:**

* **Purpose**: Stores display names of applications for the Windows user interface.
* **Registry Location**:
  * `HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache`
* **Data Stored**:
  * Application paths and user-friendly names.

### **Benefits for DFIR:**

* **User Intent**: Helps identify applications a user interacted with.
* **Verification of Execution**: Provides indirect evidence of application usage.
* **Executable Names and Paths:** Stores the names and paths of recently accessed executable files, helping to track program usage.
* **Localization:** Provides localized names for programs, useful in environments with multiple languages.
* **Timestamp Information:** Can sometimes offer insights into when a program was last accessed.

### **How It Works:**

* Updates when new applications are executed and their display names are registered.

### **Tools:**

* **Registry Explorer**: Enables analysis of the MUI cache for patterns.
* **RegRipper**: Automates MUI cache extraction and parsing.

For example:

<figure><img src="/files/HTxC4vEgqYtgtu9HRas0" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/5ShqR02E1ms90P8zFdoA" alt=""><figcaption></figcaption></figure>
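The following is an added example, not part of the original notes or of either tool above: a small Python parser that groups MuiCache values by executable path from text in the layout printed by `reg query`. It assumes the value-name suffixes `.FriendlyAppName` and `.ApplicationCompany` used on modern Windows versions; the sample data, the function names and the list of "standard" directories are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout printed by `reg query <key>`; not real case data.
SAMPLE = r"""
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
    LangID    REG_BINARY    0904
    @%SystemRoot%\system32\shell32.dll,-21769    REG_SZ    Desktop
    C:\Windows\System32\notepad.exe.FriendlyAppName    REG_SZ    Notepad
    C:\Windows\System32\notepad.exe.ApplicationCompany    REG_SZ    Microsoft Corporation
    C:\Program Files\7-Zip\7zFM.exe.FriendlyAppName    REG_SZ    7-Zip File Manager
    C:\Users\alice\Downloads\tool.exe.FriendlyAppName    REG_SZ    tool.exe
"""

# reg query prints: 4 spaces, value name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# Suffixes appended to the executable path in the value name (assumed, see lead-in).
SUFFIXES = ("FriendlyAppName", "ApplicationCompany")
# Triage heuristic only (an assumption of this example, not a rule from the notes).
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_muicache(text):
    """Return {executable_path: {suffix: display_string}} for application entries."""
    apps = defaultdict(dict)
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if not m or m["type"] != "REG_SZ":
            continue  # key header, blank line, or non-string value such as LangID
        path, _, suffix = m["name"].rpartition(".")
        if path and suffix in SUFFIXES:
            apps[path][suffix] = m["data"].strip()
        # Resource-string entries (e.g. "@...dll,-21769") fall through and are skipped.
    return dict(apps)


def outside_standard_dirs(apps):
    """List executables recorded from user-writable or unusual locations for review."""
    return sorted(p for p in apps if not p.lower().startswith(STANDARD_DIRS))


if __name__ == "__main__":
    parsed = parse_muicache(SAMPLE)
    for exe, names in parsed.items():
        print(exe, names)
    print("Review:", outside_standard_dirs(parsed))
```

An entry whose friendly name is just the file name, as with the constructed `tool.exe` row, typically means the binary carried no description in its version resource, which is worth noting during triage.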

