File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat
Registry subkeys under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
OpenSaveMRU / OpenSavePidlMRU
LastVisitedMRU / LastVisitedPidlMRU / LastVisitedPidlMRULegacy
CIDSizeMRU
Registry subkeys under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
OpenSaveMRU / OpenSavePidlMRU
LastVisitedMRU / LastVisitedPidlMRU / LastVisitedPidlMRULegacy
CIDSizeMRU
The registry keys under ComDlg32 are linked to the Common Dialogs boxes,
such as the “Open” and “Save as” dialog boxes.
Files or folders accessed, and the executing programs, are stored to maintain a dialog box state across operations. For instance, the last path a file was saved into will be directly opened when opening the “Save as” dialog box using Microsoft Word.
OpenSaveMRU / OpenSavePidlMRU
| Hive | Description | Location |
HKCU\SOFTWARE |
Renamed from OpenSaveMRU to OpenSavePidlMRU in Windows Vista and later. Records information on files opened or saved through the “Open File” or “Save File” Common Dialogs box. The OpenSaveMRU/ OpenSavePidlMRU keys has multiple subkeys, one for each different file extension (for the files opened / saved on the given system). Each subkey contains an ordered Most recently used (MRU) list of opened / saved files (full path of the file). The list can go up to 20 entries, with entries over 20 being overwritten. The last write timestamp of each subkey thus corresponds to the timestamp of opening / saving of the file in MRU position 0 (for a given file extension). |
File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU |
LastVisitedMRU / LastVisitedPidlMRU / LastVisitedPidlMRULegacy
| Hive | Description | Location |
HKCU\SOFTWARE |
Renamed from LastVisitedMRU to LastVisitedPidlMRU in Windows Vista and later. Records the programs used to open / save (some of) the file tracked in the OpenSaveMRU / OpenSavePidlMRU registry key. Notably used to track the last folder used by a given program in an “Open File” / “Save File” Common Dialogs box. Applications tracked by their file name and are stored in an ordered Most Recently Used (MRU) list. The last write timestamp of the key thus corresponds to the timestamp of execution of the most recently executed program (first in the MRU list). For each application, the full path of the folder can be constructed from information blocks on each subfolder in the location. For example, for the “%SystemRoot%\Users\Public\Documents” location, three blocks will be present: “Users”, “Public”, and “Documents”. For each block, the created and last accessed timestamps and the MFT entry / sequence associated with the folder are referenced. |
File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy |
CIDSizeMRU
| Hive | Description | Location |
HKCU\SOFTWARE |
Recently executed programs, linked to Common Dialogs activity (pop boxes to open / save file, print, find / replace, …). The key contains an ordered Most Recently Used (MRU) list of executed programs, identified through their filename. The last write timestamp of the key thus corresponds to the timestamp of execution of the most recently executed program (first in the MRU list). |
File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU |
References
View on GitHub