Forensic Artifact: Windows Registry

MRU Lists — Most Recently Used

MRU registry keys track recently accessed files, typed commands, search terms, and opened documents across multiple Windows components.

Windows maintains multiple “Most Recently Used” lists across the registry, each recording a different dimension of user activity — files opened, documents saved, commands typed into the Run dialog, and applications used in Open/Save dialogs. Because these keys live in NTUSER.DAT (the per-user registry hive), they survive application uninstalls, browser history cleanup, and most standard anti-forensics tools. For investigators, MRU keys answer the critical question: what did this user actually touch?

What Are MRU Lists?

MRU (Most Recently Used) lists are registry-based data structures that Windows uses to populate “recent” menus, autocomplete suggestions, and jump lists throughout the shell. Each MRU key stores an ordered list of items — files, commands, paths, or applications — sorted by the time they were last accessed. The ordering is maintained by a special binary value called MRUListEx (or MRUList in older formats), which contains an array of entry indices sorted from most recent to least recent.

MRU keys exist across multiple locations in the registry, each tracking a distinct category of user activity. The four primary forensic MRU sources are RecentDocs (files opened by the user), OpenSavePidlMRU (files opened or saved via the standard Windows Open/Save dialog), RunMRU (commands typed into the Win+R Run dialog), and LastVisitedPidlMRU (applications and their last-used directories in Open/Save dialogs). Together, these keys create a comprehensive record of deliberate user interaction with the file system.

All four MRU key families reside in NTUSER.DAT, the per-user registry hive loaded when a user logs on. This means MRU data is user-attributed by definition — there is no ambiguity about which account generated the entries. The hive is stored at C:\Users\[username]\NTUSER.DAT and is locked by the operating system while the user is logged in.

Key Insight

MRU keys record deliberate user actions — opening a file, saving a document, typing a command. Unlike Prefetch or SRUM, which record system-level activity, MRU data directly reflects what the user chose to do. This makes MRU evidence particularly compelling in insider threat and intellectual property theft cases.

Location & Format

Registry Paths

MRU Key | Registry Path (under NTUSER.DAT) | Data Type | Tracks
--- | --- | --- | ---
RecentDocs | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs | Binary (Shell Item) | Files opened by the user, globally and per extension
OpenSavePidlMRU | Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU | Binary (PIDL) | Files opened/saved via standard Windows dialogs
RunMRU | Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU | String (REG_SZ) | Commands typed into the Win+R Run dialog
LastVisitedPidlMRU | Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU | Binary (PIDL) | Applications + last folder used in Open/Save dialogs

MRUListEx Ordering Mechanism

Each MRU key contains a special value called MRUListEx (binary) that controls the display order. MRUListEx is an array of 4-byte (DWORD) integers, each representing the index of an entry value (e.g., 0, 1, 2, ...). The first DWORD in the array is the most recently accessed item; the last valid DWORD is the oldest. The array is terminated by 0xFFFFFFFF. When a user opens a file, Windows moves that entry’s index to the front of MRUListEx, pushing all others back by one position.

RecentDocs Subkey Structure

The RecentDocs key contains a top-level folder with entries for all recently accessed files regardless of type. Below the top-level key, Windows creates extension-specific subkeys — .docx, .pdf, .xlsx, .zip, etc. — each containing its own MRUListEx and numbered binary values. This means an investigator can query “show me all recently opened PDFs for this user” by examining only the RecentDocs\.pdf subkey.

Registry Structure
NTUSER.DAT
Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
    MRUListEx    = 03 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00 FF FF FF FF
    0            = [binary shell item data - filename embedded]
    1            = [binary shell item data - filename embedded]
    2            = [binary shell item data - filename embedded]
    3            = [binary shell item data - filename embedded]
    \.docx
        MRUListEx = 01 00 00 00 00 00 00 00 FF FF FF FF
        0         = [binary - Q4_Financials.docx]
        1         = [binary - Resignation_Letter.docx]
    \.pdf
        MRUListEx = 00 00 00 00 FF FF FF FF
        0         = [binary - Employee_Handbook.pdf]
    \.zip
        MRUListEx = 00 00 00 00 FF FF FF FF
        0         = [binary - source_code_backup.zip]

Shell Item Binary Format

RecentDocs and OpenSavePidlMRU store entries as binary Shell Item structures (also called PIDLs — Pointer to Item Identifier Lists). These are not plain-text strings; they are variable-length binary blobs that encode the target filename, parent folder, short (8.3) name, and timestamps. Extracting the filename from a Shell Item requires parsing the binary structure or using a tool that understands the format. The filename is stored as a Unicode string at a specific offset within the structure, but that offset varies depending on the Shell Item type (file, folder, network path, etc.).

Format Note

RunMRU is the exception: its values are plain REG_SZ strings, directly human-readable. Each value (named a, b, c, etc.) contains the exact command the user typed, followed by \1 as a terminator. For example: cmd\1, notepad C:\Users\jdoe\secrets.txt\1, \\fileserver\hr$\1.
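The MRUListEx ordering, the RecentDocs value layout and the RunMRU string format described above, worked as an added Python example (not code from the page or from any of the tools it names). It runs on constructed value bytes rather than a live hive; the assumption that a RecentDocs value begins with the UTF-16LE file name ahead of its shell item is marked in the code, and _fake_entry stands in for real shell item bytes.

```python
from __future__ import annotations
import struct

def parse_mrulistex(data: bytes) -> list[int]:
    """Entry indices from an MRUListEx value, most recent first. Stops at the
    0xFFFFFFFF terminator; a missing terminator or trailing partial DWORD
    (damaged or carved hives) is tolerated rather than raising."""
    order = []
    for off in range(0, len(data) - len(data) % 4, 4):
        (idx,) = struct.unpack_from("<I", data, off)
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def recentdocs_filename(value: bytes) -> str:
    """Assumption: a RecentDocs value starts with the NUL-terminated UTF-16LE
    file name, followed by the binary shell item (left undecoded here)."""
    for off in range(0, len(value) - 1, 2):   # scan on UTF-16 code-unit boundaries
        if value[off:off + 2] == b"\x00\x00":
            return value[:off].decode("utf-16-le")
    return value.decode("utf-16-le", errors="replace")   # no terminator found

def ordered_entries(values: dict[str, bytes]) -> list:
    """Walk a RecentDocs (sub)key in MRU order. An index present in MRUListEx
    with no matching numbered value is reported as None, not silently skipped."""
    result = []
    for idx in parse_mrulistex(values.get("MRUListEx", b"")):
        raw = values.get(str(idx))
        result.append((idx, recentdocs_filename(raw) if raw is not None else None))
    return result

def parse_runmru(values: dict[str, str]) -> list[str]:
    """RunMRU uses the older MRUList form: a REG_SZ string of value letters,
    most recent first; each lettered value ends in a literal backslash-1,
    which is stripped. Letters whose value is gone (partial clearing) are skipped."""
    commands = []
    for letter in values.get("MRUList", ""):
        cmd = values.get(letter)
        if cmd is not None:
            commands.append(cmd[:-2] if cmd.endswith("\\1") else cmd)
    return commands

def _fake_entry(name: str) -> bytes:
    # Constructed: UTF-16LE name + terminator + placeholder bytes standing in
    # for the shell item that follows the name in a real value.
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00" + b"\x00" * 18

# Constructed samples mirroring the RecentDocs\.docx and RunMRU layouts above;
# RunMRU values e and b are deliberately absent to exercise the skip path.
SAMPLE_DOCX = {"MRUListEx": bytes.fromhex("0100000000000000ffffffff"),
               "0": _fake_entry("Q4_Financials.docx"),
               "1": _fake_entry("Resignation_Letter.docx")}
SAMPLE_RUNMRU = {"MRUList": "fedcba", "f": "\\\\nas01\\executive$\\1",
                 "d": "powershell\\1", "c": "cmd\\1", "a": "regedit\\1"}
```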

What It Reveals

MRU lists answer investigative questions that no other single artifact family addresses. Each MRU key provides a different lens on user behavior.

Investigative Benchmark

When RecentDocs shows 400+ files accessed across .docx, .xlsx, .pdf, and .pptx subkeys in a 48-hour window, and RunMRU contains \\nas01\executive$ and 7z a -pPassword123 C:\staging\dump.7z C:\collected\*, the combination establishes both access and intent. No single artifact tells the complete story — the MRU family together reconstructs the full workflow.

Forensic Use Cases

1. Insider Threat — Systematic Data Harvesting

A departing employee is suspected of collecting proprietary documents before resignation. RecentDocs subkeys show 87 .docx files, 42 .xlsx files, and 15 .pdf files accessed over three days — all from network shares the employee would not normally access for their role. The MRUListEx ordering shows the access pattern: the employee started with the engineering share, moved to the finance share, then the executive share. OpenSavePidlMRU confirms the same files were subsequently “Saved As” to a USB-connected path (E:\backup). RunMRU contains \\eng-share\designs$, confirming deliberate navigation to hidden administrative shares.

2. Malware Staging — Confirming File Interaction

An endpoint detection tool flags a suspicious executable in %TEMP%. RecentDocs shows the user opened a file named Invoice_March_2026.pdf.exe — a double-extension social engineering technique. The entry appears in the .exe subkey (not .pdf), confirming Windows treated it as an executable. OpenSavePidlMRU shows the file was opened from C:\Users\[user]\Downloads, and LastVisitedPidlMRU shows chrome.exe last browsed to the Downloads folder, linking the browser download to the file execution.

3. Unauthorized Network Access

RunMRU contains entries for \\dc01\c$, \\sql-prod\backups, and \\hr-server\personnel. These UNC paths indicate the user deliberately typed administrative share paths into the Run dialog — not click-through navigation from a mapped drive. The presence of administrative shares (c$, admin$) suggests the user was probing for accessible resources. Cross-referencing with Security.evtx logon events (4624 Type 3) confirms successful network authentication to these hosts.

4. Evidence Destruction Assessment

A subject runs CCleaner before forensic acquisition. CCleaner’s “Windows Explorer — Recent Documents” cleaner deletes the contents of RecentDocs and the %APPDATA%\Microsoft\Windows\Recent folder containing LNK files. However, OpenSavePidlMRU and LastVisitedPidlMRU under the ComDlg32 key are not targeted by CCleaner’s default configuration. The investigator recovers the Open/Save dialog history even though RecentDocs was wiped, proving the user saved 23 files to an external path.

5. Timeline Reconstruction from MRU Ordering

While MRU keys do not store explicit timestamps in their entry values, the ordering provided by MRUListEx establishes relative chronology. The first entry in the array is the most recently accessed item. Combined with the last-write timestamp of the MRU key itself (which Windows updates each time a new entry is added), the investigator can determine both the sequence of access and the time of the most recent entry. Registry Explorer displays key last-write timestamps alongside value data, enabling this correlation.

Acquisition Methods

Collection Warning

NTUSER.DAT is locked by the operating system while the user is logged in. Direct copy from C:\Users\[username]\NTUSER.DAT will fail with an access-denied error. Use Volume Shadow Copy, a forensic imaging tool, or a raw-disk copy utility. If the user has logged off, the hive is released and can be copied directly.

Live System — Volume Shadow Copy

CMD / ADMIN
:: Create a Volume Shadow Copy to bypass the file lock; note the
:: "Shadow Copy Volume Name" and "Shadow Copy ID" it prints
vssadmin create shadow /for=C:

:: Copy NTUSER.DAT from the shadow copy (replace HarddiskVolumeShadowCopy3 with
:: the volume name printed above, and jdoe with the target username)
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\jdoe\NTUSER.DAT C:\Evidence\NTUSER.DAT

:: Also collect UsrClass.dat (holds the ShellBags data for the same user)
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\jdoe\AppData\Local\Microsoft\Windows\UsrClass.dat C:\Evidence\UsrClass.dat

:: Delete the shadow copy when done (use the Shadow Copy ID printed at creation)
vssadmin delete shadows /shadow={shadow-id} /quiet

Live System — KAPE and Raw Copy

CMD / ADMIN
:: Using KAPE (Kroll Artifact Parser and Extractor)
kape.exe --tsource C: --tdest C:\Evidence\KAPE_Output --target RegistryHives

:: Using RawCopy (bypasses NTFS locks)
RawCopy.exe /FileNamePath:C:\Users\jdoe\NTUSER.DAT /OutputPath:C:\Evidence\

:: Using Velociraptor (remote collection)
:: Artifact: Windows.KapeFiles.Targets with target "RegistryHives"
:: Or: SELECT * FROM glob(globs="C:/Users/*/NTUSER.DAT")

Forensic Image — Direct Extraction

BASH / FORENSICS
# Mount the forensic image (read-only)
mount -o ro,noexec,nodev /dev/sdb1 /mnt/evidence

# Copy NTUSER.DAT for each user
for user in /mnt/evidence/Users/*/; do
    username=$(basename "$user")
    cp "$user/NTUSER.DAT" "/analysis/registry/${username}_NTUSER.DAT" 2>/dev/null
done

Parsing Tools & Analysis

Tool | Author | License | Output | Notes
--- | --- | --- | --- | ---
Registry Explorer | Eric Zimmerman | Free | GUI + export | Best for interactive analysis; displays parsed Shell Item data and key last-write timestamps
RECmd | Eric Zimmerman | Free | CSV | Batch processing; use with --bn BatchExamples\RECmd_Batch_MC.reb for MRU parsing
RegRipper | Harlan Carvey | Open source | Text | Plugins: recentdocs, comdlg32, runmru; fast CLI processing
ShellBags Explorer | Eric Zimmerman | Free | GUI + export | Specialized Shell Item parsing; useful for PIDL-based MRU entries
Autopsy | Basis Technology | Open source | GUI | Recent Activity module extracts MRU data; integrated case management
python-registry | Willi Ballenthin | Open source | Python API | Programmatic access to registry hives; requires manual Shell Item parsing

Parsing with RECmd

CMD / FORENSICS
:: Parse all MRU keys from NTUSER.DAT using the standard batch file
RECmd.exe -f C:\Evidence\NTUSER.DAT --bn BatchExamples\RECmd_Batch_MC.reb --csv C:\Analysis\MRU_Output

:: Output includes parsed RecentDocs, OpenSavePidlMRU, RunMRU, LastVisitedPidlMRU
:: CSV columns: HivePath, KeyPath, ValueName, ValueData, LastWriteTimestamp

Parsing with RegRipper

CMD / FORENSICS
:: Parse RecentDocs
rip.exe -r C:\Evidence\NTUSER.DAT -p recentdocs

:: Parse OpenSavePidlMRU and LastVisitedPidlMRU
rip.exe -r C:\Evidence\NTUSER.DAT -p comdlg32

:: Parse RunMRU
rip.exe -r C:\Evidence\NTUSER.DAT -p runmru

:: Run all NTUSER.DAT plugins at once
rip.exe -r C:\Evidence\NTUSER.DAT -a > C:\Analysis\ntuser_all_plugins.txt

Sample RunMRU Output

OUTPUT
RunMRU
Key Last Write: 2026-03-15 22:47:31 UTC
MRUList order: fedcba

f -> \\nas01\executive$\1
e -> 7z a -pS3cure! C:\staging\archive.7z C:\collected\*\1
d -> powershell\1
c -> cmd\1
b -> \\eng-share\designs$\1
a -> regedit\1

Reading the Output

The MRUList order fedcba means entry f was the most recently typed. The user’s last Run dialog command was \\nas01\executive$, a hidden share (executive$) on the host nas01. The second-most-recent command is a 7z compression command with a password flag (-p), creating an encrypted archive from a staging directory. This sequence, network share access followed by encrypted archival, is a textbook data exfiltration workflow.

Retention & Persistence

MRU Key | Max Entries | Retention Behavior | Survives Reboot
--- | --- | --- | ---
RecentDocs | ~150 per subkey | Oldest entries overwritten when limit reached; no time-based expiration | Yes
OpenSavePidlMRU | ~20 per extension subkey | Rolling buffer; oldest entry pushed out when a new entry is added | Yes
RunMRU | ~26 entries (a-z) | Entries persist indefinitely until overwritten or manually cleared | Yes
LastVisitedPidlMRU | ~20 entries | Rolling buffer; tracks application + last directory combination | Yes

Retention Note

MRU keys do not have a time-based expiration. Unlike Prefetch (which has a ~1,024 file limit) or SRUM (which has a ~60-day rolling window), MRU entries persist indefinitely until the entry count limit is reached and the oldest entry is overwritten. On a system where a user accesses a small set of files repeatedly, MRU entries from months or years ago may still be present.

The last-write timestamp of each MRU key is updated whenever a new entry is added or the ordering changes. This timestamp reflects the time of the most recent MRU update, not the time each individual entry was created. However, some parsing tools (including Registry Explorer) can extract embedded timestamps from Shell Item binary data, providing per-entry temporal resolution for RecentDocs and OpenSavePidlMRU entries.

Anti-Forensics Resilience

MRU key resilience varies by key family. RecentDocs is well-known and frequently targeted by cleanup tools. The ComDlg32 keys (OpenSavePidlMRU, LastVisitedPidlMRU) are far less commonly cleared, making them higher-value artifacts in post-cleanup investigations.

Tool | Clears RecentDocs? | Clears ComDlg32 MRUs? | Clears RunMRU?
--- | --- | --- | ---
CCleaner | Yes (“Windows Explorer: Recent Documents”) | No (not targeted by default) | Yes, if the “Run (in Start menu)” option is enabled
BleachBit | Yes (“Explorer: Recent Documents”) | No (no ComDlg32 cleaner exists) | Partial; depends on version and configuration
Windows Disk Cleanup | No | No | No
Privacy Eraser | Yes | Some versions target ComDlg32 | Yes
Manual: del Recent\*.lnk | No; deletes LNK shortcuts only, the RecentDocs registry key is unaffected | No | No
Manual: reg delete | Yes, if the user knows the exact path | Yes, if the user knows the exact path | Yes, if the user knows the exact path

Why ComDlg32 Survives

The ComDlg32\OpenSavePidlMRU and ComDlg32\LastVisitedPidlMRU keys are not included in the cleanup routines of CCleaner, BleachBit, or Windows Disk Cleanup. They are not visible in any consumer privacy tool’s interface. Even technically sophisticated users who manually clear RecentDocs and delete LNK files from the Recent folder almost never think to clear the ComDlg32 subkeys. In cases where RecentDocs has been wiped, OpenSavePidlMRU frequently contains surviving evidence.
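The selective-cleanup pattern described above (RecentDocs emptied while the ComDlg32 keys still hold entries) as detection logic, added here as an illustrative example that is not part of the page or of RECmd. It runs over constructed rows using the RECmd CSV column names the page lists (HivePath, KeyPath, ValueName, ValueData, LastWriteTimestamp); the key-path prefixes, the decoded ValueData strings and the fixed timestamp layout are assumptions about the export.

```python
import csv
import io
from collections import defaultdict

# Key-path prefixes as assumed to appear in the KeyPath column (relative to NTUSER.DAT).
RECENTDOCS = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
COMDLG32 = r"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32"

def assess_selective_cleanup(rows) -> dict:
    """Compare surviving numbered MRU entries under RecentDocs with those under
    ComDlg32 and flag the selective-cleanup pattern. `rows` are dicts keyed by
    the RECmd column names. Timestamps are compared as strings, which is valid
    only for the fixed 'YYYY-MM-DD HH:MM:SS' layout assumed here."""
    entries = defaultdict(list)
    last_write = {}
    for r in rows:
        key = r["KeyPath"]
        last_write[key] = r["LastWriteTimestamp"]
        if r["ValueName"].isdigit():          # numbered values are the MRU entries
            entries[key].append(r["ValueData"])
    recent = [v for k, vs in entries.items() if k.startswith(RECENTDOCS) for v in vs]
    comdlg = [v for k, vs in entries.items() if k.startswith(COMDLG32) for v in vs]
    rd_seen = any(k.startswith(RECENTDOCS) for k in last_write)
    rd_last = max((t for k, t in last_write.items() if k.startswith(RECENTDOCS)), default=None)
    cd_last = max((t for k, t in last_write.items() if k.startswith(COMDLG32)), default=None)
    return {
        "recentdocs_entries": len(recent),
        "comdlg32_entries": len(comdlg),
        # Key exists but holds no entries while dialog history survives.
        "selective_cleanup_indicator": rd_seen and not recent and bool(comdlg),
        # RecentDocs key rewritten after the newest surviving dialog entry supports
        # "cleared after the saves" rather than "never used".
        "recentdocs_touched_after_comdlg32": bool(rd_last and cd_last and rd_last > cd_last),
        "surviving_comdlg32_paths": comdlg,
    }

def assess_csv(text: str) -> dict:
    return assess_selective_cleanup(csv.DictReader(io.StringIO(text)))

# Constructed RECmd-style CSV: RecentDocs holds only an empty MRUListEx, while
# OpenSavePidlMRU\docx still lists two files saved to an external path.
SAMPLE_CSV = "\n".join([
    "HivePath,KeyPath,ValueName,ValueData,LastWriteTimestamp",
    r"C:\Evidence\NTUSER.DAT," + RECENTDOCS + r",MRUListEx,FF FF FF FF,2026-03-15 22:50:02",
    r"C:\Evidence\NTUSER.DAT," + COMDLG32 + r"\OpenSavePidlMRU\docx,MRUListEx,01 00 00 00 00 00 00 00 FF FF FF FF,2026-03-14 09:12:44",
    r"C:\Evidence\NTUSER.DAT," + COMDLG32 + r"\OpenSavePidlMRU\docx,0,E:\backup\Q4_Financials.docx,2026-03-14 09:12:44",
    r"C:\Evidence\NTUSER.DAT," + COMDLG32 + r"\OpenSavePidlMRU\docx,1,E:\backup\Resignation_Letter.docx,2026-03-14 09:12:44",
])
```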

MITRE ATT&CK Detection Mapping

MRU list data provides evidentiary support for detecting the following MITRE ATT&CK techniques:

Technique | Name | MRU Evidence
--- | --- | ---
T1005 | Data from Local System | RecentDocs entries showing bulk access to sensitive file types (.docx, .xlsx, .pst, .kdbx); OpenSavePidlMRU showing files saved to staging directories
T1083 | File and Directory Discovery | RunMRU showing UNC paths to network shares; LastVisitedPidlMRU showing applications browsing to unusual directories
T1204 | User Execution | RecentDocs .exe subkey showing the user opened a malicious file; RunMRU showing the user typed a command to execute a payload
T1039 | Data from Network Shared Drive | RunMRU containing UNC paths to file servers; OpenSavePidlMRU showing files opened from network locations
T1074 | Data Staged | OpenSavePidlMRU showing files saved to a staging directory (e.g., C:\staging, E:\backup); RunMRU showing compression commands targeting collected files
T1070 | Indicator Removal | RecentDocs cleared (key exists but is empty) while ComDlg32 keys are still populated; evidence of selective cleanup

Related Artifacts & Cross-References

Corroborating Artifacts

Artifact | Relationship to MRU Lists | Cross-Correlation Value
--- | --- | ---
LNK Files | Windows creates LNK shortcuts in %APPDATA%\Microsoft\Windows\Recent when files are opened; mirrors RecentDocs | LNK files contain embedded timestamps, target path, volume serial, and MAC addresses, richer metadata than RecentDocs alone
Jump Lists | Per-application recent file lists stored in %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations | Jump Lists show which application opened which file; survive RecentDocs cleanup
ShellBags | Record folder browsing history in UsrClass.dat | ShellBags show which folders were visited via Explorer; correlate with directories referenced in MRU entries
Prefetch | Confirms execution of applications referenced in RunMRU and LastVisitedPidlMRU | Prefetch provides first/last run time and run count for executables the user invoked via the Run dialog
$UsnJrnl | File system change journal; records file creation, modification, and deletion events | $UsnJrnl can confirm file copy/move operations that align with OpenSavePidlMRU “Save As” entries
SRUM.db | Network transfer volumes per application | If RunMRU shows cloud sync tool commands, SRUM can confirm the volume of data transferred


Mjolnir Security — Digital Forensics & Incident Response

Mjolnir Security provides 24/7 incident response, digital forensics, and expert witness testimony. Our DFIR team specializes in registry artifact analysis, insider threat investigations, and evidence recovery from systems where standard artifacts have been destroyed.

