LastVisitedPidlMRU
Overview
Evidence: LastVisitedPidlMRU
Description: Enumerate LastVisitedPidlMRU
Category: System
Platform: windows
Short Name: lstvstpidmru
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
LastVisitedPidlMRU tracks which folder a user last visited when using a file open/save dialog for each application. This registry artifact creates an association between executables and the folders users accessed while using those applications.
This can reveal which folders users accessed with specific programs, including applications that may have been deleted or are suspicious.
Data Collected
This collector gathers structured data about LastVisitedPidlMRU entries.
LastVisitedPidlMRU Data
KeyPath: Registry key path. Example: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
LastWriteTime: Registry key last write time. Example: 2023-10-15T14:30:00
Value: MRU value name. Example: 0
Username: User account name. Example: user
Path: Folder path accessed. Example: C:\Users\user\Documents\Confidential
MRUPosition: Position in MRU list. Example: 0
RegPath: Path to registry hive. Example: Registry/ntuser.dat
Collection Method
This collector:
Collects user registry hives (ntuser.dat)
Searches for: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Parses MRUListEx binary data
Decodes shell item list data using libfwsi
Extracts folder paths and application associations
Orders by MRU position
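The parsing and ordering steps above, as an added example that is not the collector's own code. It assumes the key's values have already been read from ntuser.dat into a dict; function names are hypothetical, the sample bytes are constructed, and shell items are only split on their size prefixes, not decoded into folder paths (the step the page assigns to libfwsi).

```python
import struct

def parse_mrulistex(data):
    """MRUListEx: little-endian uint32 value names, most recent first, ended by 0xFFFFFFFF."""
    order = []
    for off in range(0, len(data) - 3, 4):
        (n,) = struct.unpack_from("<I", data, off)
        if n == 0xFFFFFFFF:
            break
        order.append(n)
    return order

def split_value(data):
    """Split one numbered value into (executable name, list of raw shell items)."""
    end = 0  # executable name: UTF-16LE, ended by a 2-byte-aligned NUL
    while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    exe = data[:end].decode("utf-16-le", errors="replace")
    items, off = [], end + 2
    while off + 2 <= len(data):  # each item starts with a uint16 size that counts itself
        (size,) = struct.unpack_from("<H", data, off)
        if size == 0:  # zero-size terminator ends the item list
            break
        if size < 2 or off + size > len(data):
            raise ValueError(f"corrupt or truncated shell item at offset {off}")
        items.append(data[off:off + size])
        off += size
    return exe, items

def order_entries(mrulistex, values):
    """Return one row per numbered value, ordered by MRU position (0 = most recent)."""
    rows = []
    for pos, n in enumerate(parse_mrulistex(mrulistex)):
        raw = values.get(str(n))
        if raw is None:  # MRUListEx may name a value that is no longer present
            continue
        exe, items = split_value(raw)
        rows.append({"MRUPosition": pos, "Value": str(n), "Executable": exe, "ShellItems": len(items)})
    return rows

def _item(payload):  # constructed placeholder item, not a real shell item body
    return struct.pack("<H", len(payload) + 2) + payload

# Constructed sample data: two values, plus a stale reference to value 2.
SAMPLE_VALUES = {
    "0": "notepad.exe".encode("utf-16-le") + b"\x00\x00" + _item(b"A" * 18) + _item(b"B" * 10) + b"\x00\x00",
    "1": "7zFM.exe".encode("utf-16-le") + b"\x00\x00" + _item(b"C" * 18) + b"\x00\x00",
}
SAMPLE_MRULISTEX = struct.pack("<4I", 1, 0, 2, 0xFFFFFFFF)
```

The numeric value name alone says nothing about recency; only the index within MRUListEx gives the MRU position.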
Forensic Value
LastVisitedPidlMRU reveals application-specific folder access and can connect executables to data locations. Investigators use this data to identify which folders were accessed by specific programs, detect malware accessing sensitive directories, track file dialog operations, correlate applications with data access, prove application interaction with specific folders, and identify suspicious application-folder associations.

