OpenSavePidlMRU

Overview

Evidence: OpenSavePidlMRU Description: Enumerate OpenSavePidlMRU Category: Registry Platform: Windows Short Name: opnsvpidmru Is Parsed: Yes - Binary shell items parsed into structured format Sent to Investigation Hub: Yes Collect File(s): No

Background

OpenSavePidlMRU tracks folders and files accessed through Windows common file dialogs (Open/Save), organized by file extension. When users open or save files, Windows records the accessed locations in this registry artifact.

This provides detailed evidence of file operations, showing which folders users navigated to when working with specific file types.

Data Collected

Collection Method

This collector:

• Collects user registry hives (ntuser.dat)

• Searches for: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*

• For each extension subdirectory, parses MRUListEx

• Decodes shell item data using libfwsi

• Reconstructs full paths from shell item lists

• Orders by MRU position per extension

Usage

OpenSavePidlMRU provides granular evidence of file dialog activity organized by file type. Investigators use this data to identify files accessed via dialogs, track file operations by extension, detect access to sensitive documents, establish file access timelines, prove user interaction with specific files, correlate with application usage, and identify files on disconnected drives.

Known Limitations

• Only tracks file dialog operations

• Organized by extension (separate lists)

• Limited entries per extension

• Binary shell item format

• Can be cleared by privacy tools

Notes

This artifact is organized by file extension, making it easy to focus on specific file types of interest (.docx for documents, .pdf for PDFs, etc.). The MRU order indicates relative recency.