RunMRU
Overview
Evidence: RunMRU
Description: Enumerate RunMRU
Category: System
Platform: windows
Short Name: runmru
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The Windows Run dialog (launched with Win+R) maintains a history of commands that users have typed and executed. This MRU (Most Recently Used) list is stored in the registry and preserves evidence of command execution, file paths, and applications launched.
Run dialog history can reveal a user's familiarity with the system, administrative commands, malware execution, and lateral movement activity.
Data Collected
This collector gathers structured data from the RunMRU registry key.
RunMRU Data

Field          Description                   Example
KeyPath        Registry key path             Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
LastWriteTime  Registry key last write time  2023-10-15T14:30:00
Value          MRU value name                a
Username       User account name             user
FileName       Command or path entered       cmd.exe /c powershell.exe -enc ...
MRUPosition    Position in MRU list          0
RegPath        Path to registry hive         Registry/ntuser.dat
Collection Method
This collector:
Collects user registry hives (ntuser.dat)
Searches for: Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Parses the MRUList string to determine access order
Extracts command strings from registry values
Orders by MRU position (most recent first)
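The ordering step above, written out as an added example (not the collector's own code): the key's values are supplied as a dict as they would be read from the RunMRU key, MRUList gives the most-recent-first order, and the trailing "\1" that Windows appends to each Run entry is stripped. SAMPLE_RUNMRU is a constructed sample; the handling of dangling or duplicate MRUList letters and of values absent from MRUList is this example's own choice.

```python
"""Order RunMRU registry values by their MRUList position (most recent first)."""
from __future__ import annotations
from dataclasses import dataclass

KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"


@dataclass
class RunMruEntry:
    value: str          # registry value name, e.g. "a"
    filename: str       # command as typed, with the trailing "\1" removed
    mru_position: int   # 0 = most recent; -1 = present in key but not in MRUList


def _strip_suffix(data: str) -> str:
    # Windows stores each Run dialog entry as "<command>\1"; drop the suffix.
    return data[:-2] if data.endswith("\\1") else data


def parse_runmru(values: dict[str, str]) -> list[RunMruEntry]:
    # MRUList is a string of value names ordered most recently used first.
    order = values.get("MRUList", "")
    entries: list[RunMruEntry] = []
    seen: set[str] = set()
    for name in order:
        if name in seen or name not in values:
            continue  # malformed MRUList: duplicate letter or letter with no value
        seen.add(name)
        entries.append(RunMruEntry(name, _strip_suffix(values[name]), len(entries)))
    # Values that exist in the key but are missing from MRUList still record
    # an executed command; keep them rather than silently dropping them.
    for name in sorted(values):
        if name != "MRUList" and name not in seen:
            entries.append(RunMruEntry(name, _strip_suffix(values[name]), -1))
    return entries


# Constructed sample of a RunMRU key's values (not taken from a real system).
SAMPLE_RUNMRU = {
    "a": "cmd\\1",
    "b": "regedit\\1",
    "c": "cmd.exe /c powershell.exe -enc ...\\1",
    "MRUList": "cba",
}

if __name__ == "__main__":
    for e in parse_runmru(SAMPLE_RUNMRU):
        print(f"{e.mru_position:>2}  {e.value}  {e.filename}")
```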
Forensic Value
Run dialog history reveals commands users have executed and can indicate administrative activity or malicious behavior. Investigators use this data to identify PowerShell or cmd.exe execution, detect lateral movement commands, track administrative tool usage, identify malware execution, prove user knowledge of specific commands, detect privilege escalation attempts, and correlate with process execution evidence.