Windows MRU (Most Recently Used) Lists

The philosophy behind MRU lists is simple: operating systems must remember past user actions to predict and facilitate future ones. Whenever a user performs a specific action—such as opening a file, typing a command, or mapping a network drive—Windows records this interaction within a dedicated registry key.

These keys often function like a stack or a linked list (typically managed by a value named MRUList or MRUListEx), where the most recent action is pushed to the top.

The vast majority of critical MRU keys are stored in the user-specific registry hive.

  • Hive: NTUSER.DAT (User Profile)
  • Implication: Any artifact found here is strictly tied to the Security Identifier (SID) of the user who executed the action, making attribution straightforward.

Analysts prioritize four specific MRU keys during an investigation, as they reveal direct attacker interaction with the graphical interface or file system.

  • Path: Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  • Forensic Value: This key stores every command typed into the Windows “Run” dialog box (Win + R). Threat actors utilizing Living Off The Land (LOLBAS) techniques frequently use the Run dialog to spawn cmd.exe, powershell.exe, or regedit.exe. Finding an encoded PowerShell command or a reverse shell payload in this key is definitive proof of intentional, interactive execution.
  • Path: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
  • Forensic Value: Organized by file extension (e.g., .doc, .pdf, .zip), this key logs files that were opened or saved using the standard Windows common dialog boxes. It is crucial for proving data staging, the opening of malicious attachments, or the saving of exfiltrated data archives.
  • Path: Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
  • Forensic Value: Similar to OpenSaveMRU, this key tracks recently accessed files and folders, populating the “Recent Documents” menu. It provides a macro-level view of the user’s data manipulation timeline.

D. TypedPaths (Reconnaissance & Lateral Movement)

  • Path: Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
  • Forensic Value: Contains the exact strings typed directly into the Windows Explorer address bar. If an attacker types a UNC path like \\SRV-FINANCE\C$ to access an administrative share during lateral movement reconnaissance, the string will be immortalized here.

MRU lists are rarely analyzed in isolation. They serve as the focal point for proving human intent before pivoting to systemic execution artifacts.

  1. Prove Intent: Unlike Amcache which logs binary metadata passively, a command found in RunMRU proves a human (or an interactive remote desktop session) consciously typed and executed a string.
  2. Reconstruct the Timeline: MRU lists are chronologically ordered via their MRUListEx values. Furthermore, the Last Write Time of the parent registry key indicates the exact moment the most recent action occurred, establishing a precise “Time of Activity.”
  3. Cross-Artifact Correlation:
    • Execution Pivot: If a suspicious command is found in RunMRU, pivot to Prefetch (.pf) Files and Event ID 4688 at that exact timestamp to determine whether the command successfully spawned child processes.
    • File Access Pivot: If a sensitive file is listed in OpenSaveMRU, search for corresponding LNK Files or Jumplists to extract further metadata (such as the volume serial number or MAC address of the source drive).
    • Navigation Pivot: Correlate TypedPaths with Shellbags to map out the attacker’s complete directory browsing history.

Manual analysis of raw registry hives is prone to misreading the binary MRUListEx ordering structure, so DFIR teams rely on automated parsing utilities.
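The two ordering structures mentioned above (the MRUList letter string used by RunMRU and the binary MRUListEx used by RecentDocs) are small enough to decode by hand, and doing so makes the "most recent first" rule concrete. The following is an added example, not code from the article or from Registry Explorer or RegRipper: it decodes both structures, orders the values accordingly, pulls the file name out of a RecentDocs value, and applies a simple review flag to RunMRU commands (the LOLBAS names the article calls out, plus any `-EncodedCommand` prefix). The RUNMRU and RECENTDOCS dictionaries are constructed sample values, and `<BASE64_PLACEHOLDER>` stands in for an encoded command; the value layouts they mimic are the real ones.

```python
import struct

# Constructed sample values (not from a real hive), laid out the way the
# keys actually store them: RunMRU -> lettered REG_SZ values ordered by a
# "MRUList" string; RecentDocs -> numbered REG_BINARY values ordered by a
# binary "MRUListEx". <BASE64_PLACEHOLDER> is an assumed stand-in.
RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": "powershell -nop -w hidden -enc <BASE64_PLACEHOLDER>\\1",
}


def _recentdocs_blob(filename: str) -> bytes:
    # UTF-16LE name, double-NUL terminator, then shell-item bytes (filler here)
    return filename.encode("utf-16-le") + b"\x00\x00" + b"\x00" * 8


RECENTDOCS = {
    "0": _recentdocs_blob("budget.xlsx"),
    "1": _recentdocs_blob("passwords.txt"),
    "2": _recentdocs_blob("report.docx"),
    # indices 1, 2, 0 most-recent-first, terminated by 0xFFFFFFFF
    "MRUListEx": struct.pack("<4I", 1, 2, 0, 0xFFFFFFFF),
}

LOLBAS = {"cmd", "powershell", "regedit"}  # names the article calls out; extend as needed


def parse_mrulistex(blob: bytes) -> list[int]:
    """Decode MRUListEx: little-endian DWORD indices, most recent first,
    terminated by 0xFFFFFFFF. A truncated trailing fragment is ignored."""
    order = []
    for off in range(0, len(blob) - 3, 4):
        (idx,) = struct.unpack_from("<I", blob, off)
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def parse_mrulist(text: str) -> list[str]:
    """Decode the older MRUList form: one letter per value, most recent first."""
    return [c for c in text if c.isalpha()]


def utf16_cstring(blob: bytes) -> str:
    """Return the leading NUL-terminated UTF-16LE string of a RecentDocs value."""
    for i in range(0, len(blob) - 1, 2):
        if blob[i:i + 2] == b"\x00\x00":
            return blob[:i].decode("utf-16-le")
    return blob.decode("utf-16-le", errors="replace")


def ordered_recentdocs(values: dict) -> list[str]:
    """File names in MRUListEx order; indices with no matching value are skipped."""
    names = []
    for idx in parse_mrulistex(values.get("MRUListEx", b"")):
        blob = values.get(str(idx))
        if blob is not None:
            names.append(utf16_cstring(blob))
    return names


def triage_command(command: str) -> list[str]:
    """Reasons to review a Run-dialog string: LOLBAS binary and/or encoded PowerShell."""
    reasons = []
    tokens = command.lower().split()
    if not tokens:
        return reasons
    exe = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1]  # drop any path
    if exe.endswith(".exe"):
        exe = exe[:-4]
    if exe in LOLBAS:
        reasons.append(f"lolbas:{exe}")
    # PowerShell accepts any prefix of -EncodedCommand (-e, -ec, -enc, ...)
    if any(len(t) >= 2 and "-encodedcommand".startswith(t) for t in tokens[1:]):
        reasons.append("encoded-command")
    return reasons


def ordered_runmru(values: dict) -> list[tuple[str, list[str]]]:
    """(command, reasons) pairs in MRUList order, with the trailing '\\1' marker stripped."""
    rows = []
    for letter in parse_mrulist(values.get("MRUList", "")):
        raw = values.get(letter)
        if raw is None:
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        rows.append((cmd, triage_command(cmd)))
    return rows


if __name__ == "__main__":
    for cmd, reasons in ordered_runmru(RUNMRU):
        print(f"RunMRU     {cmd!r:55} {','.join(reasons) or '-'}")
    for name in ordered_recentdocs(RECENTDOCS):
        print(f"RecentDocs {name}")
```

Note that the order comes entirely from MRUList/MRUListEx, never from the value names: value "0" in RecentDocs is the oldest entry here even though it sorts first alphabetically, which is exactly the misreading that manual review invites. The key's Last Write Time only dates the first entry in that order; the remaining entries carry no timestamp of their own and must be dated through the LNK, Jumplist or Prefetch pivots described above.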

Registry Explorer

Developed by Eric Zimmerman, this GUI tool is essential for navigating exported registry hives. It includes built-in “Bookmarks” that automatically locate, parse, and chronologically sort all common MRU keys.

RegRipper

The industry-standard command-line tool. Utilizing specific plugins (such as runmru, opensavemru, and recentdocs), analysts can extract MRU data rapidly during mass triage operations.