Did It Execute? MUI Cache (Shellbag)

What is the MUI Cache.... What are Shellbags

Have you noticed when you open an application GUI using Windows, Windows seems to remember where the windows were, well it stores a bit more than that for this purpose, all of which is useful in an investigation.

Location of Data: 


 Shellbags may be found in a few locations, depending on operating system version and user profile. On a Windows XP system, shellbags may be found under:
  • HKEY\_USERS\{USERID}\Software\Microsoft\Windows\Shell\
  • HKEY\_USERS\{USERID}\Software\Microsoft\Windows\ShellNoRoam\
  • The NTUser.dat hive file persists the Registry key HKEY\_USERS\{USERID}\.


 On a Windows 7 system, shellbags may be found under:
  • HEKY\_USERS\{USERID}\Local Settings\Software\Microsoft\Windows\Shell\
  • The UsrClass.dat hive file persists the registry key HKEY\_USERS\{USERID}\.


Reference:


http://www.williballenthin.com/forensics/shellbags/

Comments

Post a Comment

Popular posts from this blog

Did It Execute? AppCompatCache

Image
Application Compatability(or Shim) Cache The Application Compatibility Cache, which appears to be more commonly referred to as the ShimCache, is used by an element of windows dedicated to, yes you guessed it Application Compatibility. The basics concept of this feature is; when programs are written, they are usually compiled to work with the OS of the day. So as long as everything is as expected, the program runs, calls API's and the OS plays nice (round pegs in round holes). As you can imagine only a clairvoyant would know what changes were to be made in the future, and thus makes the likelihood of any programs being able to future proof themselves highly unlikely. The other problem that exists; is that current programs would be created with excess code to ensure they work on all other previous version. These both lead to the problem of the square peg to a round hole. Microsoft solved this problem for us, as they know what an API is calling and the differences be
Read more

PowerShell FILETIME conversion

I intend to write about the uses of PowerShell on live systems investigations at a later date, for now thought I thought it worth sharing a useful time conversion. If you come across a windows FILETIME and would like it in a human readable format, you can use the following via PowerShell: [DateTime]::FromFileTime(<FILETIME>) The Windows FILETIME is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). e.g. PS C:\> [DateTime]::FromFileTime(130689408926752346) 20 February 2015 21:21:32
Read more

Did It Execute? amcahce.hve

amcache.hve? I first came across this when looking into the AppCompatCache, as this file is located in a directory which you would think stores the AppCompatCache Data: <DRIVE>\Windows\AppCompat\Programs\Amcache.hve When researching the Windows Application Comparability however, I found no reference of this hive. Further research indicates it is part of Windows Application Experience and Compatibility features and replaced the RecentFilceCache.bcf file from Windows 8 onwards. Tools: https://github.com/EricZimmerman/AmcacheParser Reference: https://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html
Read more