# OpenSavePidlMRU

## Overview

**Evidence:** OpenSavePidlMRU\
**Description:** Enumerate OpenSavePidlMRU\
**Category:** System\
**Platform:** windows\
**Short Name:** opnsvpidmru\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

OpenSavePidlMRU tracks folders and files accessed through Windows common file dialogs (Open/Save), organized by file extension. When users open or save files, Windows records the accessed locations in this registry artifact.

This provides detailed evidence of file operations, showing which folders users navigated to when working with specific file types.

## Data Collected

This collector gathers structured data about opensavepidlmru.

### OpenSavePidlMRU Data

| Field           | Description                  | Example                                                                          |
| --------------- | ---------------------------- | -------------------------------------------------------------------------------- |
| `KeyPath`       | Registry key path            | Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU.docx |
| `LastWriteTime` | Registry key last write time | 2023-10-15T14:30:00                                                              |
| `Value`         | MRU value name               | 0                                                                                |
| `Username`      | User account name            | user                                                                             |
| `Extension`     | File extension               | .docx                                                                            |
| `Path`          | Full path accessed           | C:\Users\user\Documents\Confidential\report.docx                                 |
| `MRUPosition`   | Position in MRU list         | 0                                                                                |
| `RegPath`       | Path to registry hive        | Registry/ntuser.dat                                                              |

## Collection Method

This collector:

* Collects user registry hives (ntuser.dat)
* Searches for: `Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*`
* For each extension subdirectory, parses MRUListEx
* Decodes shell item data using libfwsi
* Reconstructs full paths from shell item lists
* Orders by MRU position per extension

## Forensic Value

OpenSavePidlMRU provides granular evidence of file dialog activity organized by file type. Investigators use this data to identify files accessed via dialogs, track file operations by extension, detect access to sensitive documents, establish file access timelines, prove user interaction with specific files, correlate with application usage, and identify files on disconnected drives.