Open/Save MRU

Description: In the simplest terms, this key tracks files that have been opened or saved within a Windows shell dialog box.

Location:

  • C:\Users\<username>\NTUSER.DAT
    • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU

Notes:

  • The * subkey tracks the most recent files of any extension input in an OpenSave dialog box.
  • The other subkeys will be labeled with the specific file extension of the file type they're tracking.
  • In Windows 10, each subkey will track the last 20 files saved within an OpenSave dialog box.

Analysis: Using Registry Explorer by Eric Zimmerman, we can load the NTUSER.DAT registry hive from the user account that we're analyzing and select the NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU registry key.



When viewing this key from a live system with regedit.exe, you will notice that data is only stored within the subkeys of OpenSavePIDlMRU. Fortunately for us, a Registry Explorer plug-in combines all of this data directly into the OpenSavePIDlMRU key to simplify our analysis.

The default view shows the most recent file saved within an OpenSave dialog box by file type. We can identify the most recent file by noting the MRU position of 0. We can sort by Extension to arrange our view by file type. The * subkey keeps track of the last 20 files saved within an OpenSave dialog box, regardless of the corresponding file extension.
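The MRU position shown in the combined view can be reproduced from the raw subkey data, as in this added example (not Registry Explorer's code or part of the original page). It relies on the `MRUListEx` value that each subkey carries: little-endian 32-bit value names, most recent first, ending in `0xFFFFFFFF`. The sample data is constructed, and plain file-name strings stand in for the binary PIDL blobs that the numbered values really hold.

```python
import struct

TERMINATOR = 0xFFFFFFFF  # marks the end of an MRUListEx value


def mru_order(mrulistex: bytes) -> list:
    """Decode MRUListEx into value names (as ints), most recent first."""
    usable = mrulistex[: len(mrulistex) // 4 * 4]  # ignore a truncated tail
    order = []
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == TERMINATOR:
            break
        order.append(idx)
    return order


def combined_view(subkeys: dict) -> list:
    """Flatten all extension subkeys into rows of
    (extension, mru_position, value_name, target), sorted by extension."""
    rows = []
    for ext, values in subkeys.items():
        for position, idx in enumerate(mru_order(values["MRUListEx"])):
            target = values.get(str(idx))
            if target is None:  # listed in MRUListEx but the value is gone
                continue
            rows.append((ext, position, str(idx), target))
    return sorted(rows, key=lambda r: (r[0], r[1]))


def most_recent(rows: list) -> list:
    """Rows at MRU position 0: the latest file per extension subkey."""
    return [r for r in rows if r[1] == 0]


# Constructed sample: three subkeys as they might appear under OpenSavePIDlMRU.
# Strings are placeholders for PIDL data (an assumption made for readability).
SAMPLE = {
    "*": {"MRUListEx": struct.pack("<4I", 2, 0, 1, TERMINATOR),
          "0": "report.docx", "1": "notes.txt", "2": "tool.zip"},
    "docx": {"MRUListEx": struct.pack("<2I", 0, TERMINATOR),
             "0": "report.docx"},
    "zip": {"MRUListEx": struct.pack("<3I", 1, 0, TERMINATOR),
            "0": "old.zip", "1": "tool.zip"},
}

if __name__ == "__main__":
    for row in combined_view(SAMPLE):
        print(row)
```

Note that the value name (for example `2`) is a slot number, not the recency rank; only the order inside `MRUListEx` gives the MRU position.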