RecentDocs
Overview
Evidence: RecentDocs
Description: Enumerate RecentDocs
Category: System
Platform: windows
Short Name: recentdocs
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The RecentDocs registry key tracks files that users have recently opened, organized by file extension. Windows maintains separate MRU lists for each file extension (e.g., .docx, .pdf, .txt) as well as a general list of all recently accessed files.
This artifact preserves evidence of file access even after files are deleted and can reveal which documents and files users were working with.
Data Collected
This collector gathers structured data about RecentDocs entries.
RecentDocs Data
KeyPath: Registry key path (example: Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx)
LastWriteTime: Registry key last write time (example: 2023-10-15T14:30:00)
Value: MRU value name (example: 0)
Username: User account name (example: user)
Extension: File extension (example: .docx)
FileName: File name (example: confidential-report.docx)
LNKName: Associated LNK file path (example: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\confidential-report.lnk)
MRUPosition: Position in MRU list (example: 0)
RegPath: Path to registry hive (example: Registry/ntuser.dat)
Collection Method
This collector:
Collects user registry hives (ntuser.dat)
Searches for RecentDocs keys:
Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs (all files)
Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\* (by extension)
Parses MRUListEx binary data
Decodes shell item data using libfwsi
Extracts file names and LNK file references
Orders by MRU position (most recent first)
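The MRUListEx parsing and MRU ordering steps above, as an added Python example that is not the collector's own code. It decodes only the UTF-16LE file name at the start of each numbered value and does not parse the shell item data that the collector handles with libfwsi; the function names and sample bytes are constructed for illustration.

```python
import struct

MRU_END = 0xFFFFFFFF  # terminator DWORD at the end of MRUListEx


def parse_mrulistex(data: bytes) -> list[int]:
    """Return value names (as ints) in MRU order, most recent first."""
    order = []
    for offset in range(0, len(data) - len(data) % 4, 4):
        (entry,) = struct.unpack_from("<I", data, offset)
        if entry == MRU_END:  # anything after the terminator is ignored
            break
        order.append(entry)
    return order


def leading_filename(value_data: bytes) -> str:
    """Decode the null-terminated UTF-16LE file name at the start of a numbered value."""
    for offset in range(0, len(value_data) - 1, 2):
        if value_data[offset:offset + 2] == b"\x00\x00":
            return value_data[:offset].decode("utf-16-le", errors="replace")
    # No terminator found: decode whatever complete UTF-16 code units are present.
    return value_data[: len(value_data) - len(value_data) % 2].decode("utf-16-le", errors="replace")


def order_recentdocs(values: dict[str, bytes]) -> list[dict]:
    """Build rows ordered by MRU position from one RecentDocs (sub)key's values."""
    rows = []
    for position, name in enumerate(parse_mrulistex(values.get("MRUListEx", b""))):
        data = values.get(str(name))
        if data is None:  # listed in MRUListEx but the numbered value is missing
            continue
        rows.append({"Value": str(name), "MRUPosition": position, "FileName": leading_filename(data)})
    return rows


def _constructed_value(name: str) -> bytes:
    # Constructed sample: UTF-16LE name + terminator + placeholder bytes standing in for the shell item.
    return name.encode("utf-16-le") + b"\x00\x00" + b"\xAA\xBB\xCC\xDD"


# Constructed values of a RecentDocs\.docx key: value 2 is the most recent, value 1 is absent.
SAMPLE = {
    "MRUListEx": struct.pack("<5I", 2, 0, 1, MRU_END, 7),
    "0": _constructed_value("confidential-report.docx"),
    "2": _constructed_value("budget.docx"),
}

if __name__ == "__main__":
    print(order_recentdocs(SAMPLE))
```

An index that appears in MRUListEx without a matching numbered value, as value 1 does in the sample, is skipped while the remaining rows keep their original MRU positions.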
Forensic Value
RecentDocs reveals which files users recently accessed and can persist after file deletion. Investigators use this data to identify recently accessed documents, track file access by extension type, detect access to sensitive or classified files, establish document access timelines, prove user interaction with specific files, correlate with LNK files and JumpLists, and identify files of interest that may have been deleted.