OpenSavePidlMRU

Overview

  • Evidence: OpenSavePidlMRU

  • Description: Enumerate OpenSavePidlMRU

  • Category: System

  • Platform: windows

  • Short Name: opnsvpidmru

  • Is Parsed: Yes

  • Sent to Investigation Hub: Yes

  • Collect File(s): No

Background

OpenSavePidlMRU tracks folders and files accessed through Windows common file dialogs (Open/Save), organized by file extension. When users open or save files, Windows records the accessed locations in this registry artifact.

This provides detailed evidence of file operations, showing which folders users navigated to when working with specific file types.

Data Collected

This collector gathers structured data about OpenSavePidlMRU entries.

OpenSavePidlMRU Data

| Field | Description | Example |
|---|---|---|
| KeyPath | Registry key path | Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU.docx |
| LastWriteTime | Registry key last write time | 2023-10-15T14:30:00 |
| Value | MRU value name | 0 |
| Username | User account name | user |
| Extension | File extension | .docx |
| Path | Full path accessed | C:\Users\user\Documents\Confidential\report.docx |
| MRUPosition | Position in MRU list | 0 |
| RegPath | Path to registry hive | Registry/ntuser.dat |

Collection Method

This collector:

  • Collects user registry hives (ntuser.dat)

  • Searches for: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*

  • For each extension subdirectory, parses MRUListEx

  • Decodes shell item data using libfwsi

  • Reconstructs full paths from shell item lists

  • Orders by MRU position per extension
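
The MRUListEx parsing and per-extension ordering steps above, as an added example that is not the collector's own code. It assumes MRUListEx is a list of little-endian 32-bit value names, most recent first, ended by 0xFFFFFFFF; the function names and sample bytes are constructed, and shell item decoding (the libfwsi step) is left out, so value data is treated as opaque bytes.

```python
import struct

MRU_END = 0xFFFFFFFF  # assumed MRUListEx terminator


def parse_mrulistex(data: bytes) -> list[int]:
    """Return the numbered value names in most-recent-first order."""
    order = []
    # Step in whole DWORDs; a truncated trailing DWORD is ignored.
    for offset in range(0, len(data) - 3, 4):
        (entry,) = struct.unpack_from("<I", data, offset)
        if entry == MRU_END:
            break
        if entry not in order:  # tolerate duplicates in a damaged list
            order.append(entry)
    return order


def order_by_mru(values: dict[str, bytes]) -> list[dict]:
    """Assign an MRU position to each numbered value of one extension subkey."""
    order = parse_mrulistex(values.get("MRUListEx", b""))
    rows = []
    for position, number in enumerate(order):
        name = str(number)
        if name in values:  # listed in MRUListEx but value no longer present: skip
            rows.append({"Value": name, "MRUPosition": position, "Data": values[name]})
    # Values that MRUListEx does not reference are kept, without a position,
    # so an analyst can still see them.
    listed = {row["Value"] for row in rows}
    orphans = [k for k in values if k.isdigit() and k not in listed]
    for name in sorted(orphans, key=int):
        rows.append({"Value": name, "MRUPosition": None, "Data": values[name]})
    return rows


# Constructed sample for one extension subkey: MRUListEx says 2, 0, 3 (3 is
# missing from the key), and value "1" is present but not listed.
SAMPLE_SUBKEY = {
    "MRUListEx": struct.pack("<4I", 2, 0, 3, MRU_END),
    "0": b"<shell item list 0>",  # placeholder bytes, not real shell items
    "1": b"<shell item list 1>",
    "2": b"<shell item list 2>",
}

if __name__ == "__main__":
    for row in order_by_mru(SAMPLE_SUBKEY):
        print(row["MRUPosition"], row["Value"], row["Data"])
```

A position of `None` marks a value present in the key but absent from MRUListEx.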

Forensic Value

OpenSavePidlMRU provides granular evidence of file dialog activity organized by file type. Investigators use this data to identify files accessed via dialogs, track file operations by extension, detect access to sensitive documents, establish file access timelines, prove user interaction with specific files, correlate with application usage, and identify files on disconnected drives.
