Thursday, May 1, 2008

The MUICache registry key mystery de-mystified

Recently I was seeing entries being created under


when running programs, and got to wondering what they were. Is it a way for malware to ensure it can persist and get started on reboot? Apparently not. The Windows IR blog has a good discussion on the topic, but I found the best answer on Scot's Newsletter. I have copied the content below in case the website disappears:

I'm not sure what MUICache stands for, but I know for sure that Windows uses HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache to cache the location of icons and their string descriptions for various internal Windows uses.

For example, if you change the value of @C:\WINDOWS\system32\SHELL32.dll,-8964 from Recycle Bin to Trash and hit F5 on the desktop, the description of your Recycle Bin will be Trash.

Basically, the string Trash is now associated with the Recycle Bin icon stored in SHELL32.dll. If you right-click on any shortcut, select Properties and then select Change Icon on the Shortcut tab, you will see all the icons stored in SHELL32.dll.

Another example: when you try to run a file with an unregistered/unrecognized extension in Windows, you will get a dialog box asking you to select the program from the list.

The Programs listbox displays icons and their string names, which represent programs that have an "open" command in the registry.

Adobe Acrobat 7.0 corresponds to the key-value pair of
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe - Adobe Acrobat 7.0 in MUICache.

The key represents the location of the exe where the icon is stored and the value represents the description string of the exe. You can get the description string by right-clicking on the exe and selecting Properties. In the Version tab, you will see the description string that is used.

A C++ developer will put this information in the resource (.rc file) under VS_VERSION_INFO entry.

A developer may choose to create the key in MUICache during the installation or programmatically when a program starts.

This entry is usually automatically generated by Windows when a user double-clicks on a registered/recognized extension.

For example, there is a key called .doc in HKEY_CLASSES_ROOT. The default value of this key is Word.Document.8. When a Word document file is double-clicked, Windows looks for the .doc key in HKEY_CLASSES_ROOT and knows what type of document .doc is, in this case Word.Document.8. Then Windows searches for Word.Document.8 in HKEY_CLASSES_ROOT. Under Word.Document.8, there is a key that tells Windows what program and what arguments to pass to open such a document. On my computer the key is HKEY_CLASSES_ROOT\Word.Document.8\shell\Open\Command and its value is "C:\Program Files\Microsoft Office\OFFICE11\WINWORD" /n /dde

This entry also gets called when you select Tools > Folder Options from the folder menu and select the File Types tab. You will see the doc entry in there. Highlight it, select Advanced and double-click on the open entry. You will see the exact same string as in HKEY_CLASSES\Word.Document.8\shell\Open\Command.

After a known extension is double-clicked and the program opens the document, Windows automatically generates 2 entries: one is HKEY_CLASSES_ROOT\Applications\Winword.exe\shell to indicate what to show in the application list and how to open a document (picture below) and the other is in MUICache for the corresponding icon and description string.

A developer can programmatically create keys in MUICache and HKEY_CLASSES_ROOT\Applications\filename.exe or use scripting during the installation process. If not, when the registered/recognized extension is activated, these two entries are automatically generated.

When you delete these two entries (but please don't), they'll pop up again the next time you double-click on a file with a known extension (as long as the extension registry is still intact).

That's why sometimes we see these two keys related to viruses: as long as the virus exe is still on the machine, you can't seem to get rid of these keys. If you look on the Symantec website, they documented a virus called dialer.exe (which dials high-cost telephone calls from your computer) associated with MUICache.
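The quoted explanation gives MUICache its forensic value: each value name is either an executable path (with the description string as data) or an @module,-id resource reference, and the entries outlive the binary that created them. The script below is an added example, not code from the blog post or from Scot's Newsletter. It parses an offline `reg export` of the MUICache key (the sample export embedded in it is constructed, not captured from a real machine), splits resource references from program entries, and lists program entries whose executable is no longer on disk. The `exists` predicate is injectable so the check can be run against a mounted evidence image or, as in the usage at the bottom, against a constructed set of "present" paths.

```python
"""Triage an exported MUICache key (added example; parses `reg export` output
offline, no live registry access)."""
import os
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

MUICACHE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache"

# Constructed sample export in .reg syntax (backslashes and quotes are escaped
# with a backslash, as reg.exe writes them). Not real data from any machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID"=hex:09,04
"@C:\\WINDOWS\\system32\\SHELL32.dll,-8964"="Recycle Bin"
"C:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\Acrobat.exe"="Adobe Acrobat 7.0"
"C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"="Microsoft Office Word"
"C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\dialer.exe"="dialer"
'''


@dataclass
class MuiEntry:
    name: str                   # value name exactly as stored in the key
    description: str            # cached display string (the value data)
    module: str                 # exe or dll path extracted from the name
    resource_id: Optional[int]  # set for "@module,-id" names, None for exe names

    @property
    def is_resource_ref(self) -> bool:
        return self.resource_id is not None


# "name"="string data"; non-string data (hex:, dword:) deliberately does not match.
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# @<module path>,-<resource id>  (a string-table reference rather than an exe)
_RESOURCE_REF = re.compile(r"^@(.+),-(\d+)$")


def _unescape(s: str) -> str:
    """Undo .reg escaping: a backslash followed by any character yields that character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_muicache_export(text: str) -> List[MuiEntry]:
    """Return the string values found under the MUICache key of a .reg export."""
    entries: List[MuiEntry] = []
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == MUICACHE_KEY.lower()
            continue
        if not in_key:
            continue
        m = _STRING_VALUE.match(line)
        if not m:  # blank lines and binary values such as LangID
            continue
        name, desc = _unescape(m.group(1)), _unescape(m.group(2))
        ref = _RESOURCE_REF.match(name)
        if ref:
            entries.append(MuiEntry(name, desc, ref.group(1), int(ref.group(2))))
        else:
            entries.append(MuiEntry(name, desc, name, None))
    return entries


def program_entries(entries: List[MuiEntry]) -> List[MuiEntry]:
    """Entries that record a program path rather than an icon/string resource."""
    return [e for e in entries if not e.is_resource_ref]


def orphaned_programs(entries: List[MuiEntry],
                      exists: Callable[[str], bool] = os.path.exists) -> List[MuiEntry]:
    """Program entries whose executable is absent. MUICache is not cleaned up when a
    binary is deleted, so these are leads for 'what ran here and was later removed'."""
    return [e for e in program_entries(entries) if not exists(e.module)]


if __name__ == "__main__":
    parsed = parse_muicache_export(SAMPLE_REG)
    # Constructed "present on disk" set standing in for a real file system check.
    present = {
        r"C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe",
        r"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE",
    }
    for e in parsed:
        kind = "resource" if e.is_resource_ref else "program"
        print(f"{kind:8} {e.module!r:60} -> {e.description!r}")
    for e in orphaned_programs(parsed, exists=lambda p: p in present):
        print("ORPHANED:", e.module)
```

Against a live system the same functions can be fed the output of `reg export "HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache" out.reg` with the default `os.path.exists` predicate; on an evidence image, pass a predicate that prefixes the mount point. Because the LangID binary value is skipped by the string-value pattern, the parser only reports the path/description pairs the post describes.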
