RunMRU

Overview

  • Evidence: RunMRU

  • Description: Enumerate RunMRU

  • Category: Registry

  • Platform: Windows

  • Short Name: runmru

  • Is Parsed: Yes - MRU data parsed into structured format

  • Sent to Investigation Hub: Yes

  • Collect File(s): No

Background

The Windows Run dialog (opened with Win+R) keeps a history of the commands a user has typed and executed. This MRU (Most Recently Used) list is stored per user in the registry, inside that user's ntuser.dat hive, and preserves evidence of command execution, file paths, and applications launched.

Run dialog history can reveal a user's familiarity with the command line, use of administrative commands, malware execution, and lateral movement activity.

Data Collected

Field          Description                                   Example
KeyPath        Registry key path                             Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
LastWriteTime  Registry key last write time                  2023-10-15T14:30:00
Value          MRU value name (a single letter)              a
Username       User account the hive belongs to              user
FileName       Command or path entered                       cmd.exe /c powershell.exe -enc ...
MRUPosition    Position in MRU list (0 = most recent)        0
RegPath        Path to the registry hive                     Registry/ntuser.dat

Collection Method

This collector:

  • Collects the user registry hives (ntuser.dat) for each profile on the host

  • Searches each hive for the key Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

  • Parses the MRUList value, a string of single-letter value names ordered most recent first, to determine access order

  • Extracts the command string from each lettered value named in MRUList

  • Orders the resulting records by MRU position (most recent first)
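The parsing steps above, as an added example that is not the collector's own code. It assumes the RunMRU values have already been read out of the hive into a dictionary of value name to string data (a constructed sample is embedded; no real host data is used). It orders entries by MRUList, strips the trailing "\1" that this page describes as the executed marker, keeps lettered values that MRUList no longer references rather than silently dropping them, and tags each command with the indicators the Notes section lists (PowerShell, encoded commands, network paths). The optional read_live_runmru helper uses the standard-library winreg module to pull the same data from the current user's live hive on Windows; the flagging heuristic is a simple illustration, not a complete detection rule.

```python
"""Parse RunMRU values into ordered records, the way an offline collector would.

Assumed input: the RunMRU key's values as a dict of value name -> REG_SZ data.
"""
import re
from typing import Dict, List, Optional

# Constructed sample of a RunMRU key (not taken from any real host).
# MRUList "cab" means: c is the most recent entry, then a, then b.
# Value "d" exists under the key but is not referenced by MRUList.
SAMPLE_RUNMRU: Dict[str, str] = {
    "MRUList": "cab",
    "a": "cmd\\1",
    "b": "\\\\fileserver\\c$\\1",
    "c": "powershell.exe -nop -w hidden -enc SQBFAFgA\\1",
    "d": "notepad",
}

RUNMRU_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
MRU_SUFFIX = "\\1"  # literal backslash followed by the digit one

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
ENCODED_SWITCH = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|enco|encoded|encodedcommand)(?:\s|$)")


def flag_command(command: str) -> List[str]:
    """Indicators named in this page's Notes: PowerShell, encoded commands, network paths."""
    lower = command.lower()
    flags: List[str] = []
    if "powershell" in lower or "pwsh" in lower:
        flags.append("powershell")
    if ENCODED_SWITCH.search(lower):
        flags.append("encoded-command")
    if command.startswith("\\\\"):
        flags.append("unc-path")
    return flags


def _record(position: Optional[int], name: str, raw: str) -> dict:
    """Build one structured record; the trailing \\1 is stripped from FileName."""
    executed = raw.endswith(MRU_SUFFIX)
    command = raw[:-len(MRU_SUFFIX)] if executed else raw
    return {
        "Value": name,
        "MRUPosition": position,
        "FileName": command,
        "Executed": executed,  # per this page's note on the \1 suffix
        "Flags": flag_command(command),
    }


def parse_runmru(values: Dict[str, str]) -> List[dict]:
    """Order entries most-recent-first by MRUList; keep unreferenced values at the end."""
    order = values.get("MRUList", "")
    records: List[dict] = []
    seen = set()
    for position, name in enumerate(order):
        if name in seen or name not in values:
            continue  # duplicate letter, or a value MRUList names but the key lacks
        seen.add(name)
        records.append(_record(position, name, values[name]))
    # Single-letter values missing from MRUList have no trustworthy position,
    # but they are still evidence; report them with MRUPosition=None.
    for name in sorted(values):
        if len(name) == 1 and name not in seen:
            records.append(_record(None, name, values[name]))
    return records


def read_live_runmru() -> Dict[str, str]:
    """Read the current user's RunMRU from the live registry (Windows only)."""
    import winreg  # standard library, available only on Windows

    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNMRU_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values under the key
            values[name] = data
            index += 1
    return values


if __name__ == "__main__":
    import sys

    source = read_live_runmru() if sys.platform == "win32" else SAMPLE_RUNMRU
    for rec in parse_runmru(source):
        print(rec)
```

Run on a non-Windows host it parses the constructed sample; on Windows it reads the live key for the current user. For a collected ntuser.dat the same parse_runmru function applies once the key's values have been extracted with an offline hive parser.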

Usage

Run dialog history shows which commands a user has launched and can indicate administrative activity or malicious behaviour. Investigators use this data to:

  • Identify PowerShell or cmd.exe execution, including encoded command lines

  • Detect lateral movement commands, such as UNC paths to remote shares

  • Track administrative tool usage

  • Identify malware execution

  • Prove a user's knowledge of specific commands

  • Detect privilege escalation attempts

  • Correlate with process execution evidence (for example Prefetch or process-creation event logs), since a RunMRU entry shows a command was submitted, not that it succeeded

Known Limitations

  • Only tracks commands typed into the Run dialog; commands run from a shell, a shortcut, the Explorer address bar or any other launcher are not recorded

  • Capped at 26 entries (value names a through z); once the list is full, the oldest entry is overwritten

  • Can be cleared by the user or by privacy/cleanup tools; after clearing, the key's LastWriteTime reflects the clearing rather than the last command

  • Only the key carries a timestamp; individual entries are not timestamped, so only the most recent entry can be tied to the LastWriteTime, and MRUPosition gives relative order only

  • Stored values carry a trailing "\1"; this suffix is part of the registry data, not of the command (see Notes for its interpretation)

Notes

The presence of PowerShell commands, encoded commands (-EncodedCommand and its abbreviations such as -enc), or UNC network paths in RunMRU can indicate an advanced user or a compromise. Commands ending with "\1" were actually executed, while those without the suffix may have been typed but cancelled.
