# LastVisitedPidlMRU

## Overview

**Evidence:** LastVisitedPidlMRU\
**Description:** Enumerate LastVisitedPidlMRU\
**Category:** System\
**Platform:** windows\
**Short Name:** lstvstpidmru\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

LastVisitedPidlMRU tracks which folder a user last visited when using a file open/save dialog for each application. This registry artifact creates an association between executables and the folders users accessed while using those applications.

This can reveal which folders users accessed with specific programs, including applications that may have been deleted or are suspicious.

## Data Collected

This collector gathers structured data from each user's LastVisitedPidlMRU registry key.

### LastVisitedPidlMRU Data

| Field           | Description                  | Example                                                                        |
| --------------- | ---------------------------- | ------------------------------------------------------------------------------ |
| `KeyPath`       | Registry key path            | Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU |
| `LastWriteTime` | Registry key last write time | 2023-10-15T14:30:00                                                            |
| `Value`         | MRU value name               | 0                                                                              |
| `Username`      | User account name            | user                                                                           |
| `Path`          | Folder path accessed         | C:\Users\user\Documents\Confidential                                           |
| `MRUPosition`   | Position in MRU list         | 0                                                                              |
| `RegPath`       | Path to registry hive        | Registry/ntuser.dat                                                            |

## Collection Method

This collector:

* Collects user registry hives (ntuser.dat)
* Searches for: `Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU`
* Parses MRUListEx binary data
* Decodes shell item list data using libfwsi
* Extracts folder paths and application associations
* Orders by MRU position
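
The parsing and ordering steps above, sketched as an added example (not the collector's own code). It assumes the commonly documented layout: `MRUListEx` is a list of little-endian 32-bit value names ending in `0xFFFFFFFF`, and each numbered value holds a NUL-terminated UTF-16LE executable name followed by a shell item list. Shell items are left as raw bytes, since decoding them into a folder path is the job libfwsi does; all function names and sample bytes are constructed for illustration.

```python
import struct

def parse_mrulistex(data: bytes) -> list[int]:
    """Value names in MRU order (most recent first)."""
    order = []
    for off in range(0, len(data) - 3, 4):
        (idx,) = struct.unpack_from("<I", data, off)
        if idx == 0xFFFFFFFF:  # terminator
            break
        order.append(idx)
    return order

def split_value(data: bytes) -> tuple[str, list[bytes]]:
    """Split one numbered value into (executable name, raw shell items)."""
    end = 0  # executable name: UTF-16LE up to an aligned 2-byte NUL
    while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    exe = data[:end].decode("utf-16-le", errors="replace")
    items, off = [], end + 2
    # Shell item list: [uint16 size incl. itself][body]..., ended by size 0
    while off + 2 <= len(data):
        (size,) = struct.unpack_from("<H", data, off)
        if size == 0:
            break
        if size < 2 or off + size > len(data):
            raise ValueError(f"corrupt shell item at offset {off}")
        items.append(data[off:off + size])
        off += size
    return exe, items

def order_entries(mrulistex: bytes, values: dict[int, bytes]) -> list[tuple]:
    """Rows of (MRUPosition, value name, executable, shell item count)."""
    rows = []
    for pos, name in enumerate(parse_mrulistex(mrulistex)):
        if name in values:  # skip indexes whose value was deleted
            exe, items = split_value(values[name])
            rows.append((pos, name, exe, len(items)))
    return rows

def _item(body: bytes) -> bytes:  # constructed item, opaque placeholder body
    return struct.pack("<H", len(body) + 2) + body

# Constructed sample data, not taken from a real hive.
SAMPLE_MRULISTEX = struct.pack("<3I", 1, 0, 0xFFFFFFFF)
SAMPLE_VALUES = {
    0: "notepad.exe".encode("utf-16-le") + b"\x00\x00"
       + _item(b"\x1f" * 18) + _item(b"\x31" * 10) + b"\x00\x00",
    1: "example.exe".encode("utf-16-le") + b"\x00\x00" + _item(b"\x1f" * 18) + b"\x00\x00",
}
```

With the sample data, value `1` sorts to `MRUPosition` 0 because it appears first in `MRUListEx`, regardless of its numeric name.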

## Forensic Value

LastVisitedPidlMRU reveals application-specific folder access and can connect executables to data locations. Investigators use this data to identify which folders were accessed by specific programs, detect malware accessing sensitive directories, track file dialog operations, correlate applications with data access, prove application interaction with specific folders, and identify suspicious application-folder associations.
