CIDSizeMRU

Overview

Evidence: CIDSizeMRU Description: Enumerate CIDSizeMRU Category: System Platform: windows Short Name: cidsizemru Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

The CIDSizeMRU registry key tracks file names associated with window size and position preferences in common file dialogs. When users open or save files through applications, Windows remembers the dialog window size and position for each file.

This artifact can provide evidence of file names users have interacted with through file dialogs.

Data Collected

This collector gathers structured data about cidsizemru.

CIDSizeMRU Data

Field

Description

Example

KeyPath

Registry key path

Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU

LastWriteTime

Registry key last write time

2023-10-15T14:30:00

Value

MRU value name

Username

User account name

user

FileName

File name

confidential-report.docx

MRUPosition

Position in MRU list

RegPath

Path to registry hive

Registry/ntuser.dat

Collection Method

This collector:

Collects user registry hives (ntuser.dat)
Searches for: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
Parses MRUListEx binary data
Extracts file name strings
Orders by MRU position

Forensic Value

CIDSizeMRU provides additional evidence of file interaction through dialogs. Investigators use this data to identify files accessed through dialogs, corroborate other file access evidence, detect access to sensitive file names, and supplement OpenSavePidlMRU analysis.

PreviousChrome Web Storage NextCisco AMP Logs

Last updated 3 days ago

Was this helpful?