search

LastVisitedPidlMRU

hashtag
What Is?

hashtag
Forensic Value:

hashtag
File Location:

hashtag
OpenSavePidlMRU

  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

    • Previously opened and saved items of the file type. At bottom of save box

hashtag
LastVisitedPidlMRU

  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy

    • Last folder location an item was opened or saved to with an application.

hashtag
Parse Data:

hashtag
Considerations:

hashtag
LastVisitedPidlMRU

  • Track application execution by user and what full path they last interacted with.

  • Best used to identify deleted files/locations.

  • Above artifacts are stored as shell data.

    • Has MFT, ful path name, timestamps, file size

hashtag
OpenSavePidlMRU

  • Previously opened and saved items of the file type

  • The * extension tracks most recent files of any extension input in an open/save dialogue.

hashtag
Example:

hashtag
Analysis Tips:

hashtag
Anti-Forensics:

PreviousOffice Apps ForensicsNextFile MRU

Last updated