Registry references

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

I've been digging myself, and even asking questions of MS contacts…no one seems to know. I find a great number of entries on lists and in groups asking what MUICache is for, but no answers. I've even gone so far as to translate some Italian posts with Babel, only to find the same thing…questions, but no answers.

Harlan


   
(@lance)
Active Member
Joined: 20 years ago
Posts: 9
 

MUICache contains the title of the window that will be displayed when a program or application is run.

For forensic purposes, a person can easily rename an executable, but it is not likely they will rename the window title bar unless they break out a hex editor.

So for instance, if a bad guy using Cain to sniff network traffic renames Cain to svchost.exe, a key will exist saying C:\windows\system32\drivers\svchost.exe "Cain - Password Recovery Utility".

This also controls the name of certain shell objects, such as "@C:\WINDOWS\system32\SHELL32.dll,-8964", which shows "Recycle Bin"; if you edit this data and use "Bit Bucket", that will be displayed on your desktop instead of "Recycle Bin".

-lance-


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

Lance,

Would you happen to have a reference for that? I've done some looking and from what I've seen, it's not the title of the window that appears for EXEs…rather, it's the FileDescription taken from the version information in the resource section of the file.

Thanks,

Harlan


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

Lance,

Thanks for the pointer…I think I've found enough information to write this up and to do some testing.

Harlan


   
(@lance)
Active Member
Joined: 20 years ago
Posts: 9
 

Harlan,

You are correct, but when a file does not have a FileDescription (i.e. a batch file), it will then use the name of the file.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

Lance,

Interesting. That's not what I'm seeing in the technical descriptions of some of the malware that's tested on XP systems. Instead, the value (i.e., path to the executable image) is there, but the actual data is blank.

It seems that either the FileDescription is used, or another part of the file version information.

I don't see this being an issue with malware, per se, as the issues that have been posted about involve grouping of icons for multiple instances of the same program in the Taskbar.

However, what it does point out is behaviour inherent to XP that can be used by forensic analysts…if they understand it.

I'll have to get a Resource Editor and blank out the FileDescription field and see what happens.

Again, thanks for the pointer…I blogged on this, hopefully it'll get some discussion going.

Harlan
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com


   
(@lance)
Active Member
Joined: 20 years ago
Posts: 9
 

Here is an example of two different batch files, and their respective values.

Changing the FileDescription in the Resource Section DOES change the value that gets recorded in the MUICache key, if it has one; otherwise it appears to consistently use the filename.

-lance-


   
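As an added example (not code from this thread or its participants), the following PowerShell script correlates a live system's MUICache entries with the FileDescription of the file currently at each recorded path, covering both the batch-file fallback described above and binaries that were renamed or replaced after they ran. It assumes the current user's hive and the XP and Vista+ key locations named in the comments.

```powershell
# Live-system triage of MUICache (added example, not code from this thread).
# Assumes the current user's hive; the two key paths are the XP location and
# the Vista+ location (the UsrClass.dat hive, mounted under HKCU:\Software\Classes).
$MuiCacheKeys = @(
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache',
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache'
)

function Get-MuiCacheFindings {
    foreach ($key in $MuiCacheKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # XP stores the bare path as the value name; Vista+ appends
            # ".FriendlyAppName" (the description) or ".ApplicationCompany".
            if ($name -like '*.ApplicationCompany') { continue }
            $path = $name -replace '\.FriendlyAppName$', ''
            # "@C:\WINDOWS\system32\SHELL32.dll,-8964" style names are string
            # table references for shell objects, not program descriptions.
            if ($path.StartsWith('@')) { continue }
            $recorded = [string]$item.GetValue($name)
            $onDisk = $null
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
                $status = 'file missing (deleted or moved since it ran)'
            } else {
                $onDisk = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path).FileDescription
                if ([string]::IsNullOrWhiteSpace($onDisk)) {
                    # No version resource (e.g. a batch file): the thread reports
                    # that the filename is recorded instead of a description.
                    $leaf = Split-Path -Path $path -Leaf
                    $status = 'no FileDescription; recorded text differs from filename'
                    if ($recorded -eq $leaf) { $status = 'no FileDescription; filename recorded' }
                } elseif ($onDisk -ne $recorded) {
                    # The cache keeps the description of whatever ran under this
                    # path; a mismatch means the file at that path has changed.
                    $status = 'recorded description differs from file on disk'
                } else {
                    $status = 'ok'
                }
            }
            [pscustomobject]@{ Path = $path; Recorded = $recorded; OnDisk = $onDisk; Status = $status }
        }
    }
}

# Show every entry; review the Recorded column for descriptions that do not
# fit the filename (the renamed-tool case discussed above).
Get-MuiCacheFindings | Sort-Object Status | Format-Table -AutoSize -Wrap
```

Run it in the context of the user account under investigation, since MUICache is a per-user artifact and another user's entries live in that user's hive.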
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

Lance,

Interesting…I hadn't looked at batch files yet. Batch files, by their very nature, don't have version information embedded in them.

Harlan


   
(@lance)
Active Member
Joined: 20 years ago
Posts: 9
 

You're killing me… 😉


   