Recent Files

Description: Registry key that tracks the last files and folders opened and is used to populate the “Recent” menus of the Start menu.

Location:

  • C:\Users\<username>\NTUSER.DAT
    • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Notes:

  • The RecentDocs key tracks the overall order of the last 150 files or folders opened. Its MRU list keeps track of the temporal order in which each file/folder was opened. The last entry and modification time of this key will be the time and location the last file of a specific extension was opened.
  • The Folder subkey stores the last folders that were opened. Its MRU list keeps track of the temporal order in which each folder was opened. The last entry and modification time of this key will be the time and location of the last folder opened.
  • The other subkeys are labeled with the file extension of the file type they track.
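
The MRU ordering described in the notes can be decoded by hand. The following is an added example, not part of the original page or of any tool it mentions. It assumes the commonly documented layout: an `MRUListEx` value holding little-endian 32-bit integers (most recent first, ended by 0xFFFFFFFF), and numbered values whose data begins with a NUL-terminated UTF-16LE name. The `values` dictionary and all sample bytes are constructed.

```python
import struct

TERMINATOR = 0xFFFFFFFF  # marks the end of the MRUListEx array


def parse_mrulistex(data: bytes) -> list[int]:
    """Return the numbered value names in most-recent-first order."""
    order = []
    usable = data[: len(data) - len(data) % 4]  # ignore a truncated tail
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == TERMINATOR:
            break
        order.append(idx)
    return order


def entry_name(data: bytes) -> str:
    """Extract the leading NUL-terminated UTF-16LE file or folder name."""
    end = 0
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[:end].decode("utf-16-le", errors="replace")


def recentdocs_order(values: dict[str, bytes]) -> list[str]:
    """values: value name -> raw data for RecentDocs or one of its subkeys."""
    names = []
    for idx in parse_mrulistex(values.get("MRUListEx", b"")):
        raw = values.get(str(idx))
        # An index with no matching value can remain after an entry is removed.
        names.append(entry_name(raw) if raw is not None else f"<missing value {idx}>")
    return names


def _entry(name: str) -> bytes:
    # Constructed value data: name, NUL terminator, then placeholder trailing bytes.
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00placeholder"


# Constructed sample: value 2 was opened last, then 0, then 1.
SAMPLE = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, TERMINATOR),
    "0": _entry("report.docx"),
    "1": _entry("Projects"),
    "2": _entry("budget.xlsx"),
}

if __name__ == "__main__":
    for rank, name in enumerate(recentdocs_order(SAMPLE), start=1):
        print(rank, name)
```

Only the first entry in the list can be tied to a timestamp, since the key's modification time reflects the most recent open.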

Analysis:
Work in Progress!

Using Registry Explorer by Eric Zimmerman, we can load the NTUSER.DAT registry hive from the user account that we're analyzing and select the NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs registry key.

BROWSE TO THE KEY