Recently I was seeing entries being created under HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache when running programs, and got to wondering what they were. Is it a way for malware to ensure it can persist and get started on reboot? Apparently not. The Windows IR blog has a good discussion on the topic, but I found the best answer on Scot's Newsletter. I have copied the content below in case the website disappears:
I'm not sure what MUICache stands for, but I know for sure that Windows uses HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache to cache the location of icons and their string descriptions for various internal Windows uses.

For example, if you change the value of @C:\WINDOWS\system32\SHELL32.dll,-8964 from Recycle Bin to Trash and hit F5 on the desktop, the description of your Recycle Bin will be Trash.

Basically, the string Trash is now associated with the Recycle Bin icon stored in SHELL32.dll. If you right-click on any shortcut, select Properties and then select Change Icon on the Shortcut tab, you will see all the icons stored in SHELL32.dll.
Another example is, when you try to run a file with an unregistered/unrecognized extension in Windows, you will get a dialog box asking you to select the program from the list. The Programs listbox displays icons and their string names, which represent programs that have an "open" command in the registry.

Adobe Acrobat 7.0 corresponds to the key-value pair of C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe - Adobe Acrobat 7.0 in MUICache.

The key represents the location of the exe where the icon is stored and the value represents the description string of the exe. You can get the description string by right-clicking on the exe and selecting Properties. In the Version tab, you will see the description string that is used.

A C++ developer will put this information in the resource (.rc file) under the VS_VERSION_INFO entry.

A developer may choose to create the key in MUICache during the installation or programmatically when a program starts. This entry is usually automatically generated by Windows when a user double-clicks on a registered/recognized extension.
For example, there is a key called .doc in HKEY_CLASSES_ROOT. The default value of this key is Word.Document.8. When a Word document file is double-clicked, Windows looks for the .doc key in HKEY_CLASSES_ROOT and knows what type of document .doc is, in this case Word.Document.8. Then Windows searches for Word.Document.8 in HKEY_CLASSES_ROOT. Under Word.Document.8, there is a key that tells Windows what program and what arguments to pass to open such a document. On my computer the key is HKEY_CLASSES_ROOT\Word.Document.8\shell\Open\Command and its value is "C:\Program Files\Microsoft Office\OFFICE11\WINWORD" /n /dde

This entry also gets called when you select Tools > Folder Options from the folder menu and select the File Types tab. You will see the doc entry in there. Highlight it, select Advanced and double-click on the open entry. You will see the exact same string in HKEY_CLASSES\Word.Document.8\shell\Open\Command.
After a known extension is double-clicked and the program opens the document, Windows automatically generates 2 entries: one is HKEY_CLASSES_ROOT\Applications\Winword.exe\shell to indicate what to show in the application list and how to open a document (picture below), and the other is in MUICache for the corresponding icon and description string.

A developer can programmatically create the key in MUICache and HKEY_CLASSES_ROOT\Applications\filename.exe or use scripting during the installation process. If not, when the registered/recognized extension is activated, these two entries are automatically generated.

When you delete these two entries (but please don't), they'll pop up again the next time you double-click on a file with a known extension (as long as the extension registry entry is still intact).

That's why sometimes we see these two keys related to viruses: as long as the virus exe is still on the machine, you can't seem to get rid of these keys. If you look on the Symantec website, they documented a virus called dialer.exe (which dials high-cost telephone calls from your computer) associated with MUICache.
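The two mechanisms described in the quoted post, MUICache values (either "@module,-id" string-table references or exe-path-to-description pairs) and the .doc to ProgID to shell\Open\Command lookup, can both be examined offline from a "reg export" of the relevant keys, which is how an incident responder would treat MUICache: as evidence that a program was launched, not as a persistence mechanism. The script below is an added example, not code from this blog or from Scot's Newsletter. It parses a constructed .reg export (the key name is the one from the post; the paths and descriptions are sample values, and WINWORD.EXE is spelled with its extension so the cross-check has something to match), lists the executables recorded in MUICache, resolves which program the .doc association points at, and checks whether that program has been recorded. Only REG_SZ values are handled; hex: and dword: data is ignored.

```python
"""Offline look at MUICache and the file-association chain from a .reg export.

Added example (not code from the post or from Scot's Newsletter). It parses a
constructed `reg export` style dump so it runs without a Windows registry; the
paths and descriptions below are sample values, and only REG_SZ ("...") values
are handled.
"""
import re

MUICACHE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache"

# Constructed sample export. Backslashes and embedded quotes are escaped the way
# regedit writes them: '\\' for a backslash, '\"' for a quote.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@C:\\WINDOWS\\system32\\SHELL32.dll,-8964"="Recycle Bin"
"C:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\Acrobat.exe"="Adobe Acrobat 7.0"
"C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"="Microsoft Office Word"

[HKEY_CLASSES_ROOT\.doc]
@="Word.Document.8"

[HKEY_CLASSES_ROOT\Word.Document.8\shell\Open\Command]
@="\"C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE\" /n /dde"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_QSTR = r'"(?:[^"\\]|\\.)*"'                      # a quoted string with \-escapes
_VALUE_RE = re.compile(r'^(@|' + _QSTR + r')=(' + _QSTR + r')$')
_RESOURCE_RE = re.compile(r'^@(?P<module>.+),-(?P<id>\d+)$')


def _unquote(s):
    """Drop the surrounding quotes and undo .reg escaping (\\x -> x)."""
    return re.sub(r'\\(.)', r'\1', s[1:-1])


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export.

    '@' is the key's default value. hex:/dword: data and continuation lines are
    ignored, which is all this example needs."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = '@' if m.group(1) == '@' else _unquote(m.group(1))
            keys[current][name] = _unquote(m.group(2))
    return keys


def mui_entries(keys):
    """Classify each MUICache value.

    A name of the form '@module,-id' is a string-table reference (the Recycle Bin
    example); any other name is an executable path whose data is the
    FileDescription from the binary's VS_VERSION_INFO resource."""
    entries = []
    for name, desc in keys.get(MUICACHE_KEY, {}).items():
        m = _RESOURCE_RE.match(name)
        if m:
            entries.append({'kind': 'resource', 'path': m.group('module'),
                            'id': int(m.group('id')), 'description': desc})
        else:
            entries.append({'kind': 'executable', 'path': name, 'description': desc})
    return entries


def executed_programs(keys):
    """Executable paths the shell has recorded in MUICache: evidence that the
    program was launched under this profile, not a persistence mechanism."""
    return sorted(e['path'] for e in mui_entries(keys) if e['kind'] == 'executable')


def resolve_open_command(keys, extension):
    """Follow HKCR\\<ext> (default) -> ProgID -> shell\\Open\\Command (default),
    the lookup the post walks through for .doc. Returns (progid, command) or None."""
    progid = keys.get('HKEY_CLASSES_ROOT\\' + extension, {}).get('@')
    if not progid:
        return None
    command = keys.get('HKEY_CLASSES_ROOT\\' + progid + '\\shell\\Open\\Command', {}).get('@')
    return progid, command


def command_executable(command):
    """First token of an Open command: the quoted path, or the first bare word."""
    m = re.match(r'^"([^"]+)"|^(\S+)', command or '')
    return (m.group(1) or m.group(2)) if m else None


def handler_seen_in_muicache(keys, extension):
    """True when the executable behind <extension>'s Open command has a MUICache
    entry, i.e. the association has actually been exercised on this profile."""
    resolved = resolve_open_command(keys, extension)
    if not resolved:
        return False
    exe = command_executable(resolved[1])
    recorded = {p.lower() for p in executed_programs(keys)}
    return exe is not None and exe.lower() in recorded


if __name__ == '__main__':
    keys = parse_reg(SAMPLE_REG)
    for e in mui_entries(keys):
        print(f"{e['kind']:<10} {e['path']}  ->  {e['description']}")
    print('.doc opens with:', resolve_open_command(keys, '.doc'))
    print('handler recorded in MUICache:', handler_seen_in_muicache(keys, '.doc'))
```

To use it on a real profile, replace SAMPLE_REG with the text of an export taken with "reg export" of the MUICache key and the HKEY_CLASSES_ROOT subkeys of interest; the parser deliberately keys on the exact key path, so a MUICache stored elsewhere on newer Windows versions has to be pointed at by changing MUICACHE_KEY.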