CIDSizeMRU

Overview

Evidence: CIDSizeMRU Description: Enumerate CIDSizeMRU Category: Registry Platform: Windows Short Name: cidsizemru Is Parsed: Yes - MRU data parsed into structured format Sent to Investigation Hub: Yes Collect File(s): No

Background

The CIDSizeMRU registry key tracks file names associated with window size and position preferences in common file dialogs. When users open or save files through applications, Windows remembers the dialog window size and position for each file.

This artifact can provide evidence of file names users have interacted with through file dialogs.

Data Collected

Field

Description

Example

KeyPath

Registry key path

Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU

LastWriteTime

Registry key last write time

2023-10-15T14:30:00

Value

MRU value name

Username

User account name

user

FileName

File name

confidential-report.docx

MRUPosition

Position in MRU list

RegPath

Path to registry hive

Registry/ntuser.dat

Collection Method

This collector:

Collects user registry hives (ntuser.dat)
Searches for: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
Parses MRUListEx binary data
Extracts file name strings
Orders by MRU position

Usage

CIDSizeMRU provides additional evidence of file interaction through dialogs. Investigators use this data to identify files accessed through dialogs, corroborate other file access evidence, detect access to sensitive file names, and supplement OpenSavePidlMRU analysis.

Known Limitations

Only file names, not full paths
Limited number of entries
Only tracks file dialog operations
Can be cleared by privacy tools
Not all file dialogs update this key

Notes

This artifact is less commonly used than other MRU lists but can provide corroborating evidence of file access. Combine with OpenSavePidlMRU and RecentDocs for complete file dialog history.

PreviousBrowser Extensions NextCLR Logs

Last updated 48 minutes ago

Was this helpful?