LastVisitedPidlMRU

Overview

Evidence: LastVisitedPidlMRU
Description: Enumerate LastVisitedPidlMRU
Category: Registry
Platform: Windows
Short Name: lstvstpidmru
Is Parsed: Yes - Binary shell items parsed into structured format
Sent to Investigation Hub: Yes
Collect File(s): No

Background

LastVisitedPidlMRU tracks which folder a user last visited when using a file open/save dialog for each application. This registry artifact creates an association between executables and the folders users accessed while using those applications.

This can reveal which folders users accessed with specific programs, including applications that may have been deleted or are suspicious.

Data Collected

Field | Description | Example
--- | --- | ---
KeyPath | Registry key path | Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
LastWriteTime | Registry key last write time | 2023-10-15T14:30:00
Value | MRU value name | 0
Username | User account name | user
Path | Folder path accessed | C:\Users\user\Documents\Confidential
MRUPosition | Position in MRU list | 0
RegPath | Path to registry hive | Registry/ntuser.dat

Collection Method

This collector:

  • Collects user registry hives (ntuser.dat)

  • Searches for: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

  • Parses MRUListEx binary data

  • Decodes shell item list data using libfwsi

  • Extracts folder paths and application associations

  • Orders by MRU position
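As an added example (not the collector's own code), the following Python walks the same steps on constructed sample data: it orders values by MRUListEx, splits each value into the UTF-16LE executable name and the shell item list, and recovers the folder path from volume and file entry items. It only handles ASCII short names; the item offsets are assumed from the documented shell item layout, and extension-block long names are left to a full parser such as libfwsi.

```python
import struct

def parse_mrulistex(data: bytes) -> list[int]:
    """MRUListEx: little-endian uint32 value indices, most recent first, 0xFFFFFFFF terminator."""
    idxs = struct.unpack_from(f"<{len(data) // 4}I", data)
    return list(idxs[:idxs.index(0xFFFFFFFF)]) if 0xFFFFFFFF in idxs else list(idxs)

def split_value(data: bytes) -> tuple[str, bytes]:
    """Value data: UTF-16LE NUL-terminated executable name, then the folder's ITEMIDLIST."""
    end = next((i for i in range(0, len(data), 2) if data[i:i + 2] == b"\x00\x00"), len(data))
    return data[:end].decode("utf-16-le"), data[end + 2:]

def folder_path(pidl: bytes) -> str:
    """Walk shell items (2-byte size, 0x0000 terminator): drive from volume items (0x2f), ASCII
    short name from file entry items (0x31/0x32). Extension-block long names and Unicode
    names (flag 0x04) are left to a full parser such as libfwsi."""
    parts, off = [], 0
    while off + 2 <= len(pidl):
        size = struct.unpack_from("<H", pidl, off)[0]
        if size == 0:
            break
        item, cls = pidl[off:off + size], pidl[off + 2]
        if cls & 0x70 == 0x20 and cls & 0x01:        # volume item: name at offset 3
            parts.append(item[3:].split(b"\x00", 1)[0].decode("ascii"))
        elif cls & 0x70 == 0x30 and not cls & 0x04:  # file entry: name at offset 14
            parts.append(item[14:].split(b"\x00", 1)[0].decode("ascii"))
        off += size
    return (parts[0] + "\\".join(parts[1:])) if parts and parts[0].endswith("\\") else "\\".join(parts)

def enumerate_last_visited(mrulistex: bytes, values: dict[int, bytes]) -> list[tuple]:
    """Rows of (MRUPosition, Value, executable, Path), ordered by MRU position."""
    rows = []
    for pos, idx in enumerate(parse_mrulistex(mrulistex)):
        exe, pidl = split_value(values[idx])
        rows.append((pos, idx, exe, folder_path(pidl)))
    return rows
# Constructed sample data (not from a real hive), laid out per the offsets assumed above.
def _item(cls: int, body: bytes) -> bytes:
    return struct.pack("<HB", 3 + len(body), cls) + body
def _dir(name: str) -> bytes:  # unknown byte, file size, FAT time, attributes (0x10 = directory), name
    return _item(0x31, b"\x00" + struct.pack("<IIH", 0, 0, 0x10) + name.encode() + b"\x00")
def _pidl(*dirs: str) -> bytes:  # root item (0x1f, zeroed GUID), C:\ volume item, directories, terminator
    return _item(0x1f, b"\x50" + bytes(16)) + _item(0x2f, b"C:\\\x00") + b"".join(map(_dir, dirs)) + b"\x00\x00"

SAMPLE_MRULISTEX = struct.pack("<3I", 1, 0, 0xFFFFFFFF)
SAMPLE_VALUES = {
    0: "notepad.exe\x00".encode("utf-16-le") + _pidl("Users", "user", "Desktop"),
    1: "winword.exe\x00".encode("utf-16-le") + _pidl("Users", "user", "Documents", "Confidential"),
}
```

Running `enumerate_last_visited(SAMPLE_MRULISTEX, SAMPLE_VALUES)` yields rows in the same shape as the Data Collected table, with the most recently used value at MRUPosition 0.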

Usage

LastVisitedPidlMRU reveals application-specific folder access and can connect executables to data locations. Investigators use this data to identify which folders were accessed by specific programs, detect malware accessing sensitive directories, track file dialog operations, correlate applications with data access, prove application interaction with specific folders, and identify suspicious application-folder associations.

Known Limitations

  • Only tracks file dialog operations

  • Limited number of entries

  • Binary format requires shell item parsing

  • Can be cleared by privacy tools

  • Some applications use custom file dialogs that don't update this key

Notes

This artifact is particularly valuable for linking specific applications (including potentially malicious ones) to the folders they accessed. Cross-reference with process execution and file access artifacts.
