dissect.target.plugins.os.windows.regf.muicache

Module Contents

Classes

MuiCachePlugin

Plugin that iterates various MUIcache locations.

Attributes

MuiCacheRecord

dissect.target.plugins.os.windows.regf.muicache.MuiCacheRecord

class dissect.target.plugins.os.windows.regf.muicache.MuiCachePlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

Plugin that iterates various MUIcache locations.

KEYS = ['HKCU\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache',...

FIELD_NAMES = ('FriendlyAppName', 'ApplicationCompany')

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

muicache() → MuiCacheRecord

Iterate various MUIcache key locations.

The MUIcache registry key stores information about executed GUI-based programs. The key is part of the Multilingual User Interface service in Windows. MUIcache references the file description contained within the executable’s resource section and populates that value.

References

• https://www.magnetforensics.com/blog/forensic-analysis-of-muicache-files-in-windows/

• https://forensafe.com/blogs/muicache.html

Yields MuiCacheRecords with fields:

hostname (string): The target hostname.
domain (string): The target domain.
index (varint): The index of the entry.
name (string): The value name.
value (string): The value.
path (path): The executable path.