Logo
RSS Feed

Recents

Created: 02.06.2023

RecentDocs

🔑 NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

This key will track the order of the last 150 files or folders opened, keeping track of the temporal order in which each file/folder was opened.

🗝️ .XXX - This subkey stores the last files with a specific extension that were opened.

🗝️ Folder This subkey stores the last folders that were opened. The MRU list will keep track of the temporal order in which each folder was opened.

⏰ Timestamps

The last entry and modification time of this key will be the time and location of the last file of a specific extension that was opened.

RecentApps

🔑: NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps.

Similar to User Assist. It also shows files and applications that were used through this application. This key consists of sub-keys that are marked with the application’s GUID. Some of them will have Recent Items sub-key (10 max), each has Last Write Time (Windows 64-bit, little-endian).

⚠️ Not all Win10 machines will have this key.

RunMRU

🔑: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.

A list of the programs that have been run from the Run command is shown. Each time you use a command that has already been stored, it moves to the top of the list.

✍️ The order in which the commands are executed is listed in the RunMRU list value. The letters represent the order in which the commands were executed.

MuiCache

🔑: Local Settings\Software\Microsoft\Windows\Shell\MuiCache.

Installed and executed applications for that particular user. But no timestamps, only last write data and time for the key in the registry.

ComDlg32/OpenSave/LastVisited

🔑: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32 🔑: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU (XP) 🔑: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePID1MRU 🔑: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU (XP) 🔑: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU (Win7+)

Tracks 🐾 application used, 🐾 path and 🐾 timestamps.

CIDSizeMRU- Tracks applications globally. MRU start at zero. Timestamp for the most recent item only. FirstFolder -tracks the install locations of applications, the full path to the app, but no exact file name. OpenSavePidMRU - tracks files that were saved with Save As dialog, or opened with Open dialog. Tracks autocomplete terms. LastVisitedPidMRU - tracks the specific executable used by an application to open the files documented in the OpenSaveMRU key. Also tracks the directory for the last application accessed for each file in OpenSavePidMRU, and tracks the location the file existed.

Subkeys 🗝️:

  1. * - the most recent files of any extension.
  2. .XXX - info for a particular extension. For example, .exe.

These keys store information about files saved or opened via Open/Save dialog box. Hence, it’s a good artefact to track download activity (but not limited to it).

Office Recent Files

🔑 NTUSER.DAT\Software\Microsoft\Office\VERSION. Possible versions: • 14.0 = Office 2010 • 12.0 = Office 2007 • 11.0 = Office 2003 • 10.0 = Office XP

⏰ Timestamps

The last entry added, per the MRU, will be the time the last file was opened by a specific MS Office application.

References

Expand… https://www.magnetforensics.com/blog/what-is-mru-most-recently-used/ https://www.sans.org/blog/opensavemru-and-lastvisitedmru/