MuiCache
NTUSER.DAT\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
When Windows first executes a binary, it reads the program's internal display name from the PE resource section and caches it here to avoid re-parsing the file on every launch. The entry persists indefinitely — long after the source executable is deleted — giving investigators both the full execution path and the binary's self-declared internal name.
Key Name
{Full path to executable}.FriendlyAppName — REG_SZ value containing the display name extracted from the PE resource
Trace Type
Execution
Hive
USRCLASS.DAT
On modern Windows, MuiCache is located in USRCLASS.DAT at the same key path.
Last Write Time
Reflects when cached display name entries were last added or modified — useful for narrowing the first-execution window for new binaries.
User Specific
Yes
Scoped to the user profile. Each account maintains its own independent MuiCache.
Forensic Value
- Prove execution post-deletion: MuiCache survives wipes of the source file. Cross-reference these paths with AppCompatFlags to see if custom compatibility layers were applied.
- Expose deceptive naming: The internal PE name often contradicts the filename. A binary named update.exe might self-identify as a known RAT.
- Establish first-launch timing: Cross-referencing MuiCache entries with Last Write Times approximates when a new binary was first run on this account.
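A triage sketch for the "deceptive naming" check above, added here as an example and not taken from any tool this page describes. It assumes the MuiCache key has been exported as .reg-style text; the sample entries, the `USER_WRITABLE` directory list and the name-matching heuristic are constructed assumptions, and a `name_mismatch` flag is a lead for review, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in .reg export style; paths and names are invented.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"LangID"=hex:09,04
"C:\\Windows\\System32\\mspaint.exe.FriendlyAppName"="Paint"
"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe.FriendlyAppName"="Remote Admin Client"
"C:\\Users\\alice\\Downloads\\notepad++.exe.FriendlyAppName"="Notepad++"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
SUFFIX = ".FriendlyAppName"
# Assumption: directories treated as user-writable for triage purposes.
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\temp\\", "\\users\\public\\")

def unescape(s):
    # Undo .reg escaping: a backslash followed by any character yields that character.
    return re.sub(r'\\(.)', r'\1', s)

def squash(s):
    return re.sub(r'[^a-z0-9]', '', s.lower())

def names_related(stem, display):
    # Heuristic: some word of the display name appears in the file stem, or vice versa.
    words = [w for w in re.split(r'[^a-z0-9]+', display.lower()) if len(w) >= 3]
    s = squash(stem)
    return any(w in s for w in words) or (len(s) >= 3 and s in squash(display))

def triage(reg_text):
    findings = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue  # key header, non-string values such as LangID, blank lines
        name, display = unescape(m.group(1)), unescape(m.group(2))
        if not name.endswith(SUFFIX):
            continue
        path = name[:-len(SUFFIX)]  # value name minus suffix = full executable path
        flags = []
        if any(d in path.lower() for d in USER_WRITABLE):
            flags.append("user_writable_path")
        if not names_related(PureWindowsPath(path).stem, display):
            flags.append("name_mismatch")
        findings.append({"path": path, "display": display, "flags": flags})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        print(f["path"], "|", f["display"], "|", ",".join(f["flags"]) or "-")
```
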
For more info, check out these articles: AppCompatFlags