RecentDocs

Overview

  • Evidence: RecentDocs

  • Description: Enumerate RecentDocs

  • Category: Registry

  • Platform: Windows

  • Short Name: recentdocs

  • Is Parsed: Yes - Binary shell items parsed into structured format

  • Sent to Investigation Hub: Yes

  • Collect File(s): No

Background

The RecentDocs registry key tracks files that users have recently opened, organized by file extension. Windows maintains separate MRU lists for each file extension (e.g., .docx, .pdf, .txt) as well as a general list of all recently accessed files.

This artifact preserves evidence of file access even after files are deleted and can reveal which documents and files users were working with.

Data Collected

| Field | Description | Example |
|---|---|---|
| KeyPath | Registry key path | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx |
| LastWriteTime | Registry key last write time | 2023-10-15T14:30:00 |
| Value | MRU value name | 0 |
| Username | User account name | user |
| Extension | File extension | .docx |
| FileName | File name | confidential-report.docx |
| LNKName | Associated LNK file path | C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\confidential-report.lnk |
| MRUPosition | Position in MRU list | 0 |
| RegPath | Path to registry hive | Registry/ntuser.dat |

Collection Method

This collector:

  • Collects user registry hives (ntuser.dat)

  • Searches for RecentDocs keys:

    • Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs (all files)

    • Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\* (by extension)

  • Parses MRUListEx binary data

  • Decodes shell item data using libfwsi

  • Extracts file names and LNK file references

  • Orders by MRU position (most recent first)
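
The MRUListEx parsing and ordering steps above, sketched as an added example (not the collector's own code). It assumes MRUListEx is a run of little-endian 32-bit value names ended by 0xFFFFFFFF and that each numbered value starts with the file name as NUL-terminated UTF-16LE; the shell item decoding the collector does with libfwsi is not reproduced, and the function names and sample data are constructed.

```python
from __future__ import annotations
import struct

MRU_END = 0xFFFFFFFF  # terminator of the MRUListEx array

def parse_mrulistex(data: bytes) -> list[int]:
    """Return value names (as ints) in MRU order, most recent first."""
    order = []
    for off in range(0, len(data) - len(data) % 4, 4):  # ignore a ragged tail
        (idx,) = struct.unpack_from("<I", data, off)
        if idx == MRU_END:
            break
        order.append(idx)
    return order

def leading_filename(value_data: bytes) -> str | None:
    """Decode the NUL-terminated UTF-16LE name at the start of a value."""
    for off in range(0, len(value_data) - 1, 2):
        if value_data[off:off + 2] == b"\x00\x00":
            try:
                return value_data[:off].decode("utf-16-le")
            except UnicodeDecodeError:
                return None
    return None  # no terminator: truncated or corrupt entry

def order_recentdocs(values: dict[str, bytes]) -> list[dict]:
    """Turn one RecentDocs key's values into rows ordered by MRU position."""
    rows = []
    for pos, idx in enumerate(parse_mrulistex(values.get("MRUListEx", b""))):
        raw = values.get(str(idx))
        if raw is None:
            continue  # named in MRUListEx but the value itself is gone
        rows.append({"Value": str(idx), "MRUPosition": pos, "FileName": leading_filename(raw)})
    return rows

def sample_entry(name: str) -> bytes:
    # Constructed data: file name, NUL, then filler standing in for the shell item.
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00" + b"\x00" * 18

SAMPLE = {  # constructed values of a hypothetical RecentDocs\.docx key
    "MRUListEx": struct.pack("<4I", 2, 0, 1, MRU_END),
    "0": sample_entry("notes.docx"),
    "1": sample_entry("budget.docx"),
    "2": sample_entry("confidential-report.docx"),
}

if __name__ == "__main__":
    for row in order_recentdocs(SAMPLE):
        print(row)
```

A value name that appears in MRUListEx without a matching value is skipped but still consumes its position, so gaps in MRUPosition point at entries that were removed.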

Usage

RecentDocs reveals which files users recently accessed and can persist after file deletion. Investigators use this data to identify recently accessed documents, track file access by extension type, detect access to sensitive or classified files, establish document access timelines, prove user interaction with specific files, correlate with LNK files and JumpLists, and identify files of interest that may have been deleted.

Known Limitations

  • Limited number of entries per extension

  • Can be cleared by user or privacy tools

  • Only tracks files opened through Windows Explorer

  • Programmatic file access may not be recorded

  • Shell item parsing may fail for some entries

Notes

RecentDocs is organized by file extension, making it easy to focus on specific file types (e.g., .pdf for documents, .exe for executables). The MRU position indicates relative recency within each extension.
