This key contains two GUID subkeys: each subkey maintains a list of system objects such as program, shortcut, and control panel applets that a user has accessed. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU UserAssist HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU HKCU\Software\Microsoft\Internet Explorer\TypedURLs HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU In fact, executing the Clear List function will remove the following registry keys and their subkeys: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
#MICROSOFT OFFICE WORD VIEWER MRU HISTORY WINDOWS#
Content of RunMRU Keyīy using Windows “Recent Opened Documents” Clear List feature via Control Panel>T askbar and Start Menu, an attacker can remove the Run command history list.
If a file is executed via Run command, it will leaves traces in the previous two keys OpenSaveMRU and RecentDocs.ĭeleting the subkeys in RunMRU does not remove the history list in Run command box immediately. The list of entries executed using the Start>Run command in mantained in this key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
This key corresponds to %USERPROFILE%Recent ( My Recent Documents) and contains local or network files that are recently opened and only the filename in binary form is stored. The list of files recently opened directly from Windows Explorer are stored into HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs This key correlates to the previous OpenSaveMRU key to provide extra information: each binary registry value under this key contains a recently used program executable filename, and the folder path of a file to which the program has been used to open or save it. Whenever a new entry is added to OpenSaveMRU key, registry value is created or updated in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU This key maintains a list of recently opened or saved files via Windows Explorer-style dialog boxes ( Open/Save dialog box).įor instance, files (e.g. .txt, .pdf, htm, .jpg) that are recently opened or saved files from within a web browser are maintained.ĭocuments that are opened or saved via Microsoft Office programs are not maintained. MRU is the abbreviation for most-recently-used. Recent opened Programs/Files/URLs HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU Windows registry is an excellent source for evidential data, and knowing the type of information that could possible exist in the registry and location is critical during the forensic analysis process. Windows registry contains information that are helpful during a forensic analysis
0 kommentar(er)
