# CIDSizeMRU

## Overview

**Evidence:** CIDSizeMRU\
**Description:** Enumerate CIDSizeMRU\
**Category:** System\
**Platform:** windows\
**Short Name:** cidsizemru\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

The CIDSizeMRU registry key tracks file names associated with window size and position preferences in common file dialogs. When users open or save files through applications, Windows remembers the dialog window size and position for each file.

This artifact can provide evidence of file names users have interacted with through file dialogs.

## Data Collected

This collector gathers structured data from the CIDSizeMRU registry key.

### CIDSizeMRU Data

| Field           | Description                  | Example                                                                |
| --------------- | ---------------------------- | ---------------------------------------------------------------------- |
| `KeyPath`       | Registry key path            | Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU |
| `LastWriteTime` | Registry key last write time | 2023-10-15T14:30:00                                                    |
| `Value`         | MRU value name               | 0                                                                      |
| `Username`      | User account name            | user                                                                   |
| `FileName`      | File name                    | confidential-report.docx                                               |
| `MRUPosition`   | Position in MRU list         | 0                                                                      |
| `RegPath`       | Path to registry hive        | Registry/ntuser.dat                                                    |

## Collection Method

This collector:

* Collects user registry hives (ntuser.dat)
* Searches for: `Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU`
* Parses MRUListEx binary data
* Extracts file name strings
* Orders by MRU position
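
The parsing steps above, as an added Python example (not the collector's own code). It assumes `MRUListEx` is an array of little-endian 32-bit value indices terminated by `0xFFFFFFFF` and that each numbered value begins with a null-terminated UTF-16LE name; the function names and sample bytes are constructed for illustration.

```python
import struct

MRU_END = 0xFFFFFFFF  # assumed terminator of an MRUListEx array


def parse_mrulistex(data: bytes) -> list[int]:
    """Return value indices in MRU order (most recent first)."""
    order = []
    for off in range(0, len(data) - len(data) % 4, 4):  # ignore a truncated tail
        (idx,) = struct.unpack_from("<I", data, off)
        if idx == MRU_END:
            break
        order.append(idx)
    return order


def extract_name(data: bytes) -> str:
    """Decode the leading null-terminated UTF-16LE string of a value."""
    end = 0
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[:end].decode("utf-16-le", errors="replace")


def parse_cidsizemru(values: dict[str, bytes]) -> list[dict]:
    """Build rows ordered by MRU position from the key's raw values."""
    rows, seen = [], set()
    for pos, idx in enumerate(parse_mrulistex(values.get("MRUListEx", b""))):
        raw = values.get(str(idx))
        if raw is None or idx in seen:  # stale or duplicated index
            continue
        seen.add(idx)
        rows.append({"Value": str(idx), "FileName": extract_name(raw),
                     "MRUPosition": pos})
    return rows


def _entry(name: str) -> bytes:
    # Constructed sample layout: name + terminator + 16 bytes of padding
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x00" * 16


# Constructed sample values, not taken from a real hive
SAMPLE = {
    "MRUListEx": struct.pack("<4I", 1, 0, 5, MRU_END),  # index 5 has no value
    "0": _entry("budget.xlsx"),
    "1": _entry("confidential-report.docx"),
}
```

In practice the `values` mapping would be filled from the key's values as read out of an offline `ntuser.dat` with a registry parsing library.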

## Forensic Value

CIDSizeMRU provides additional evidence of file interaction through dialogs. Investigators use this data to identify files accessed through dialogs, corroborate other file access evidence, detect access to sensitive file names, and supplement OpenSavePidlMRU analysis.
