:py:mod:`dissect.target.plugins.os.windows.regf.muicache`
=========================================================

.. py:module:: dissect.target.plugins.os.windows.regf.muicache


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.regf.muicache.MuiCachePlugin


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.regf.muicache.MuiCacheRecord


.. py:data:: MuiCacheRecord


.. py:class:: MuiCachePlugin(target: dissect.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Plugin that iterates various MUIcache locations.

   .. py:attribute:: KEYS
      :value: ['HKCU\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache',...

   .. py:attribute:: FIELD_NAMES
      :value: ('FriendlyAppName', 'ApplicationCompany')

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists.
      Otherwise it should raise an ``UnsupportedPluginError``.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: muicache() -> MuiCacheRecord

      Iterate various MUIcache key locations.

      The MUIcache registry key stores information about executed GUI-based programs. The key is part of the
      Multilingual User Interface service in Windows. MUIcache references the file description contained within the
      executable's resource section and populates that value.

      .. rubric:: References

      - https://www.magnetforensics.com/blog/forensic-analysis-of-muicache-files-in-windows/
      - https://forensafe.com/blogs/muicache.html

      Yields MuiCacheRecords with fields:

      .. code-block:: text

          hostname (string): The target hostname.
          domain (string): The target domain.
          index (varint): The index of the entry.
          name (string): The value name.
          value (string): The value.
          path (path): The executable path.
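The record's ``name`` and ``path`` fields are related through the ``FIELD_NAMES`` suffixes. The following is an added example, not dissect code: it assumes value names of the form ``<executable path>.<field>``, and the helper names ``split_value_name`` and ``group_by_executable`` and the sample values are constructed for illustration. It splits each value name and merges the fields into one row per executable for triage.

```python
from typing import Iterable, NamedTuple, Optional, Tuple

# Same suffixes as the plugin's FIELD_NAMES attribute.
FIELD_NAMES = ("FriendlyAppName", "ApplicationCompany")


class ParsedName(NamedTuple):
    path: str              # executable path recovered from the value name
    field: Optional[str]   # matching FIELD_NAMES entry, or None


def split_value_name(name: str) -> ParsedName:
    """Split '<path>.<field>' on a known suffix; leave other names whole."""
    for field in FIELD_NAMES:
        suffix = "." + field
        if name.endswith(suffix) and len(name) > len(suffix):
            return ParsedName(name[: -len(suffix)], field)
    return ParsedName(name, None)


def group_by_executable(values: Iterable[Tuple[str, object]]) -> list:
    """Merge the per-field values into one dict per executable path."""
    merged = {}
    for name, value in values:
        path, field = split_value_name(name)
        if field is None:
            continue  # no recognised suffix, so not treated as an executable entry
        # Windows paths are case-insensitive, so key on the lowered path.
        merged.setdefault(path.lower(), {"path": path})[field] = value
    return list(merged.values())


# Constructed sample (value name, value data) pairs, not taken from a real hive.
SAMPLE_VALUES = [
    (r"C:\Windows\System32\notepad.exe.FriendlyAppName", "Notepad"),
    (r"C:\Windows\System32\notepad.exe.ApplicationCompany", "Microsoft Corporation"),
    (r"C:\Users\alice\Downloads\tool.exe.FriendlyAppName", "tool.exe"),
    ("LangID", b"\x09\x04"),
]

if __name__ == "__main__":
    for row in group_by_executable(SAMPLE_VALUES):
        print(row)
```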