Using RADAR and MUICache for Evidence of Execution in Windows
- Feb 25

MUICache (Evidence of Execution)
-------------------------------------------------------------------------------------------------------------
Power of MUICache in Digital Forensics
If you're into digital forensics, especially Windows forensic analysis, you've probably heard of MUICache.
But what exactly is it, and why does it matter?
In this article, I'll break it down in the simplest way possible while showing you how this artifact can be a game-changer in forensic investigations.
-------------------------------------------------------------------------------------------------------------
What is MUICache?
MUICache (Multilingual User Interface Cache) is a registry entry found in Windows that stores metadata about programs that have been executed on a system. Essentially, when an application runs, Windows keeps a record of its details, including its executable file name and user-friendly description.
This is valuable for forensic analysts because it provides historical evidence of program execution, even if traces of the executable have been deleted from the system.
-------------------------------------------------------------------------------------------------------------
Where Can You Find MUICache?
MUICache entries are typically stored in the Windows Registry at:
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
or
HKEY_USERS\<SID>\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Each user on the system will have a separate MUICache entry under their Security Identifier (SID). This means you can track program execution on a per-user basis!

-------------------------------------------------------------------------------------------------------------
Why is MUICache Important in Forensics?
MUICache can provide critical insights during an investigation. Here's why:
Evidence of Program Execution – If an attacker runs a malicious program and then deletes it, MUICache might still hold the name of the executable.
Attribution to a Specific User – Since MUICache is stored per user, it can help link program execution to a specific account.
Context for Incident Response – It helps analysts understand what software was used on a compromised system.
Detection of Suspicious Applications – Unusual or unauthorized software in MUICache could be an indicator of compromise (IoC).
-------------------------------------------------------------------------------------------------------------
Limitations of MUICache
While it's a great forensic artifact, MUICache has a few limitations:
No Timestamps – Unlike Prefetch files, MUICache doesn’t store execution timestamps.
Doesn't Confirm Execution – MUICache may contain entries for programs that were only previewed in Explorer, not actually executed.
Easily Altered – Since it's stored in the registry, an attacker with admin access can clear or modify it.
-------------------------------------------------------------------------------------------------------------
How to Analyze MUICache
To extract and analyze MUICache entries, you can use forensic tools like:
RegRipper – A great open-source tool for pulling registry data.
Registry Explorer – Eric Zimmerman's registry viewer.
FTK Imager – Allows viewing and exporting registry hives.
Velociraptor – A powerful tool for hunting and forensic analysis.
Example RegRipper command:
rip.exe -r NTUSER.DAT -p muicache
This will pull the MUICache entries from a user’s registry hive.
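Once the entries are out of the hive, the next step is to turn the raw value names into something reviewable. The following script is an added example, not code from the article or from any of the tools it names. It parses the text produced by `reg export` for the MuiCache key (a constructed sample is embedded; the paths, names and company strings are made up), splits each value name into the executable path and its attribute, and flags programs that ran from user-writable locations. The `FriendlyAppName` and `ApplicationCompany` suffixes are the value-name forms used on Windows 7 and later, where this branch of HKCU\Software\Classes lives in the user's UsrClass.dat hive, so that is the hive or export to feed it; the "user-writable" marker list is an assumption of this example, not a standard.

```python
import re
from collections import defaultdict

# Constructed sample: the text form of `reg export` run against a user's MuiCache key.
# Paths, friendly names and company strings are made up for this example, not real evidence.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"LangID"=hex:09,04
"C:\\Program Files\\7-Zip\\7zFM.exe.FriendlyAppName"="7-Zip File Manager"
"C:\\Program Files\\7-Zip\\7zFM.exe.ApplicationCompany"="Igor Pavlov"
"C:\\Windows\\System32\\notepad.exe.FriendlyAppName"="Notepad"
"C:\\Users\\alice\\AppData\\Local\\Temp\\mimikatz.exe.FriendlyAppName"="mimikatz for Windows"
"C:\\Users\\alice\\AppData\\Local\\Temp\\mimikatz.exe.ApplicationCompany"="gentilkiwi (Benjamin DELPY)"
'''

# A .reg value line looks like "name"=data; names and string data escape backslash and quote.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
MUICACHE_SUFFIXES = ("FriendlyAppName", "ApplicationCompany")

# Locations an ordinary user can write to (assumed list for this example).
# A program recorded as running from one of these deserves a closer look.
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\downloads\\", "\\desktop\\",
    "\\programdata\\", "\\users\\public\\", "\\windows\\temp\\",
)


def unescape(s: str) -> str:
    # Undo .reg escaping: a backslash followed by any character stands for that character.
    return re.sub(r"\\(.)", r"\1", s)


def parse_muicache(reg_text: str) -> dict:
    """Map each executable path to its MUICache attributes (FriendlyAppName, ApplicationCompany)."""
    apps = defaultdict(dict)
    for line in reg_text.splitlines():
        m = VALUE_LINE.match(line.strip())
        if not m:
            continue                      # header, [key] line or blank line
        name, raw = unescape(m.group(1)), m.group(2).strip()
        if not (raw.startswith('"') and raw.endswith('"')):
            continue                      # e.g. LangID is hex:, not a string value
        path, _, attr = name.rpartition(".")
        if attr in MUICACHE_SUFFIXES:
            apps[path][attr] = unescape(raw[1:-1])
    return dict(apps)


def review_candidates(apps: dict) -> list:
    """Executables recorded as running from user-writable locations, sorted.
    MUICache carries no timestamps, so this only says the program was run (or previewed)
    at some point by this user, never when."""
    return sorted(p for p in apps if any(tok in p.lower() for tok in USER_WRITABLE_MARKERS))


def summarize(apps: dict) -> list:
    """One line per executable, flagged entries marked with '* ', in the form an analyst pastes into notes."""
    flagged = set(review_candidates(apps))
    rows = []
    for path in sorted(apps):
        meta = apps[path]
        rows.append("%s%s | %s | %s" % ("* " if path in flagged else "  ", path,
                                        meta.get("FriendlyAppName", "?"),
                                        meta.get("ApplicationCompany", "?")))
    return rows


if __name__ == "__main__":
    for row in summarize(parse_muicache(SAMPLE_REG)):
        print(row)
```

Because the artifact has no timestamps, the flag is a prompt to correlate with Prefetch, event logs or the RADAR key below, not a finding on its own.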
-------------------------------------------------------------------------------------------------------------
Real-World Example
Imagine a scenario where an attacker runs Mimikatz to dump credentials and then deletes it. Even if no Prefetch or event logs remain, MUICache might still reveal mimikatz.exe in the registry. That’s a red flag for forensic analysts!
-------------------------------------------------------------------------------------------------------------
Radar Heap Leak Detection (RADAR) (Evidence of Execution)
In digital forensics, identifying whether a program executed on a system is crucial. While well-known artifacts like Prefetch and MUICache exist, there's another lesser-known registry-based artifact that can help: Radar Heap Leak Detection.
This artifact, found in the Windows Registry, can provide evidence of execution, though it doesn't track every process.
What is Radar Heap Leak Detection?
Radar, short for Resource Exhaustion Detection and Resolution, is part of Windows' memory leak diagnostic system. It was introduced in Windows Vista to detect memory leaks, collect diagnostic data, and help resolve application issues.
Where to Find It in the Registry
This artifact is stored in the Windows Registry at the following location:
HKEY_LOCAL_MACHINE\Software\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications
Each application listed under this key indicates that it executed on the system at some point.

How Does an Application Get Tracked Here?
Not all executed applications appear in this registry key.
An application ends up under DiagnosedApplications only if it consumes a significant amount of system memory:
On systems with 4GB RAM, the threshold is 5% or more of available memory.
On systems with 16GB RAM or more, the threshold is even lower.
Because of this memory usage condition, whether an application appears in this key is somewhat arbitrary; not all executed applications will appear here.
How to Determine Execution Time
Each application entry has two important time-related indicators:
Last Detection Time
This timestamp updates within minutes of an application exceeding the memory threshold.
However, it does not indicate the exact time of execution.
Last Write Timestamp
This is the most useful timestamp because it tells us when the registry subkey was last modified.
If an application appears in DiagnosedApplications, we can say it executed on or before this timestamp.

Why is This Useful for Forensics?
This artifact is not as reliable as Prefetch, but it can still be valuable in investigations, because when an application is listed we can confirm that:
The application did execute on the system.
The execution happened on or before the last write timestamp.
This evidence can be combined with other artifacts like Prefetch, MUICache, or event logs to build a stronger case.
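To make that reasoning concrete, here is an added example (not code from the article) that takes what a hive viewer shows for each subkey under DiagnosedApplications and turns it into the statement the artifact actually supports. It assumes the subkey name is the executable's image name and that LastDetectionTime is an 8-byte Windows FILETIME, stored either as REG_QWORD or as 8 little-endian bytes (REG_BINARY); both are accepted. The subkey's last-write time is not carried in a `reg export`, so in practice it comes from the viewer (Registry Explorer, RegRipper output); here both values are constructed sample numbers. The helper also applies a small sanity check: updating LastDetectionTime rewrites the subkey, so the last-write time should never precede the detection time.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft) -> datetime:
    """Convert a FILETIME to an aware UTC datetime.
    Accepts the integer (REG_QWORD) or the 8 raw little-endian bytes (REG_BINARY)."""
    if isinstance(ft, (bytes, bytearray)):
        ft = int.from_bytes(ft, "little")
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; useful for building fixtures and cross-checking tools."""
    return ((dt - WINDOWS_EPOCH) // timedelta(microseconds=1)) * 10


# Constructed sample of what a hive viewer lists per subkey (values are made up):
#   app            - the subkey name under DiagnosedApplications
#   last_detection - the LastDetectionTime value (int or 8 bytes)
#   key_last_write - the subkey's last-write timestamp, as shown by the viewer
SAMPLE_ENTRIES = [
    {"app": "chrome.exe",
     "last_detection": (133545541250000000).to_bytes(8, "little"),   # 2024-03-10 14:22:05 UTC
     "key_last_write": 133545543300000000},                          # 2024-03-10 14:25:30 UTC
    {"app": "tool.exe",
     "last_detection": 133545543300000000,                           # later than the key write: odd
     "key_last_write": 133545541250000000},
]


def execution_window(entry: dict) -> dict:
    """State only what the key supports: the program ran, and it ran on or before the
    subkey's last-write time. LastDetectionTime marks when the memory threshold was
    crossed (minutes after the fact), not when the process started, so it is reported
    but not used as the bound."""
    detected = filetime_to_datetime(entry["last_detection"])
    last_write = filetime_to_datetime(entry["key_last_write"])
    return {
        "app": entry["app"],
        "last_detection_utc": detected,
        "executed_on_or_before_utc": last_write,
        # A detection time after the key's last write should not happen naturally;
        # treat it as a prompt to check for clock changes or registry tampering.
        "consistent": detected <= last_write,
    }


def timeline(entries) -> list:
    """All entries as execution windows, oldest upper bound first."""
    return sorted((execution_window(e) for e in entries),
                  key=lambda r: r["executed_on_or_before_utc"])


if __name__ == "__main__":
    for row in timeline(SAMPLE_ENTRIES):
        flag = "" if row["consistent"] else "  [check: detection after key write]"
        print("%-12s executed on or before %s (threshold crossed %s)%s" % (
            row["app"], row["executed_on_or_before_utc"].isoformat(),
            row["last_detection_utc"].isoformat(), flag))
```

The upper bound is the value to carry into the case timeline; the detection time only tells you the process was still alive and memory-hungry at that moment.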
-------------------------------------------------------------------------------------------------------------
Importance on Windows Servers
Windows servers do not enable Prefetch by default, which makes Radar even more valuable as an execution artifact in server environments.
-------------------------------------------------------------------------------------------------------------
Conclusion
MUICache is a simple yet powerful forensic artifact that can help track program execution on a Windows machine. While it has some limitations, it remains a valuable piece of the puzzle in digital investigations. Another artifact, Radar Heap Leak Detection, is lesser known but potentially useful. While it won’t capture every executed application, checking it during forensic analysis can strengthen evidence collection. When combined with other artifacts, it provides another piece of the puzzle in identifying program execution on Windows systems.
Next time you're investigating execution artifacts, don’t forget to check DiagnosedApplications in the registry!
Stay tuned for more forensic insights! 🔍
---------------------------------------------------Dean--------------------------------------------