Run MRU

What Is?

RunMRU key contains multiple values that are named for lowercase letters. These values store the commands that a user run using the Run utility. The first value added is named “a”, the second value is named “b”, then, “c” and so on. However, the names of the values do not always reflect the order in which the commands were typed into the Run box. This information is maintained in the “MRUList” value which is a string that lists the order in which each value beneath the RunMRU key was last accessed. For instance, in the figure below, the first letter listed in the MRUList is “c”. The value named “c” stores the command “chrome” which means that the most recent command typed into the Run box is “chrome”.

File Location:

NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Parse Data

RegExplorer

Considerations

Does NOT track non existing executable entries. Typos will not be tracked.

Anti-Forensics

PreviousTrusted Documents NextRecentDocs

Last updated 1 month ago