Artifact Analysis: UserAssist & MUIcache

The primary purpose of the UserAssist registry key is to populate the “Most Frequently Used” programs list in the Windows Start Menu. To achieve this, the explorer.exe process tracks every executable or LNK file launched directly via the GUI (e.g., by double-clicking an icon).

  • Hive: NTUSER.DAT (User Profile)
  • Key Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

Interestingly, Microsoft obfuscates the value names within this key (the executable paths) using ROT13, a simple letter-substitution cipher. While not a security boundary, it prevents simple string searches from immediately revealing the contents, so dedicated parsing tools are required.

Parsing the UserAssist key yields critical forensic metadata:

  1. Executable / LNK Path: The exact name and location of the launched program.
  2. Run Count: The total number of times the user executed this specific program.
  3. Last Execution Time: A highly accurate timestamp of the most recent launch.
  4. Focus Time / Focus Count: Metrics indicating how long the application window remained active in the foreground, proving active human interaction.
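As an added example (not the article's own code), a small Python decoder for one UserAssist Count entry: it ROT13-decodes the value name and unpacks the run count, focus count, focus time and last execution time described above. The 72-byte Windows 7+ record layout is assumed from public forensic documentation rather than from this page, and the sample entry is constructed.

```python
# Added example (not from the article): decode one UserAssist Count entry offline.
# The 72-byte Windows 7+ record layout is taken from public forensic
# documentation, not from the page; verify the offsets against your own hive.
import codecs
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME = 100 ns ticks
# Win7+ record: session id, run count, focus count, focus time (ms),
# 10 floats, one unknown DWORD, last-run FILETIME, one trailing DWORD.
_WIN7_FMT = "<IIII10fIQI"  # 72 bytes


@dataclass
class UserAssistEntry:
    path: str                     # ROT13-decoded program / LNK path
    run_count: int
    focus_count: int
    focus_time: timedelta         # time the window held the foreground
    last_run: Optional[datetime]  # None when the FILETIME is zero


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert a FILETIME to an aware UTC datetime (None if never run)."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None


def decode_userassist(name: str, data: bytes) -> UserAssistEntry:
    """ROT13-decode the value name and unpack the Win7+ binary record."""
    path = codecs.decode(name, "rot13")  # letters only; GUIDs and digits untouched
    if len(data) != struct.calcsize(_WIN7_FMT):
        raise ValueError(f"unexpected UserAssist record length {len(data)}")
    f = struct.unpack(_WIN7_FMT, data)
    return UserAssistEntry(path, f[1], f[2], timedelta(milliseconds=f[3]),
                           filetime_to_datetime(f[15]))


# Constructed sample (not real evidence): the article's mimikatz.exe example,
# launched once from a removable drive and focused 3 times for 45 s in total.
SAMPLE_LAST_RUN = datetime(2024, 3, 15, 10, 30, tzinfo=timezone.utc)
SAMPLE_NAME = "R:\\gbbyf\\zvzvxngm.rkr"  # ROT13 of E:\tools\mimikatz.exe
SAMPLE_DATA = struct.pack(
    _WIN7_FMT, 0, 1, 3, 45_000, *([-1.0] * 10), 0xFFFFFFFF,
    (SAMPLE_LAST_RUN - _FILETIME_EPOCH) // timedelta(microseconds=1) * 10, 0)

if __name__ == "__main__":
    e = decode_userassist(SAMPLE_NAME, SAMPLE_DATA)
    print(e.path, e.run_count, e.focus_count, e.focus_time, e.last_run)
```

A zero FILETIME is reported as no last run rather than as 1601-01-01, which is the way a short or zeroed record would otherwise mislead a timeline.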

2. MUIcache (Multilingual User Interface Cache)

The MUIcache serves a completely different operational purpose. Windows uses this cache to store the “Friendly Names” of applications (extracted from the PE header metadata) to display them quickly in interface elements, such as the “Open With…” dialog box.

  • Hive: NTUSER.DAT
  • Key Path: Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

MUIcache is populated when the Windows Shell inspects an executable. This can happen upon execution, but it can also be triggered simply by a user right-clicking the file or viewing its properties. Therefore, MUIcache proves existence and shell awareness, but it does not definitively prove execution.

| Feature | UserAssist | MUIcache |
| --- | --- | --- |
| Proof of execution | High (proves GUI launch) | Low (proves shell awareness) |
| Timestamp available | Yes (last execution time) | No |
| Run count | Yes | No |
| Obfuscation | ROT13 | Cleartext |

In incident response, UserAssist is the ultimate tool for attributing an action to human intent and dismantling “I didn’t run that” defenses.

  1. Confirming Threat Actor Interaction: If a suspicious binary (e.g., mimikatz.exe) or a portable hacking tool is found within a specific user’s UserAssist key, it confirms the tool was launched interactively within that user’s graphical session.
  2. Analyzing the Run Count: The run count metric is invaluable. A run count of “1” for a malicious dropper might indicate patient zero’s initial misstep. A high run count for a generic administrative tool might indicate routine lateral movement preparation.
  3. Tracking Portable Executables: Both UserAssist and MUIcache excel at retaining evidence of portable applications run from USB drives or temporary folders long after the media has been disconnected or the files deleted.
  4. Cross-Artifact Correlation: Pair UserAssist with Jumplists to determine not only which program was executed, but what files were opened by that program during the session.

Due to the ROT13 encoding of UserAssist and the binary structure of registry hives, manual analysis via regedit is inefficient and prone to error.

UserAssistParser / MUIcacheParser

Developed by Eric Zimmerman, these targeted command-line utilities parse offline NTUSER.DAT hives, automatically decode ROT13 strings, and output chronologically sorted CSV files.

RegRipper

Utilize the userassist_tln and muicache plugins within RegRipper to extract and format these specific keys during comprehensive registry triage.