CIDSizeMRU
Overview
Evidence: CIDSizeMRU
Description: Enumerate CIDSizeMRU
Category: System
Platform: windows
Short Name: cidsizemru
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The CIDSizeMRU registry key tracks file names associated with window size and position preferences in common file dialogs. When users open or save files through applications, Windows remembers the dialog window size and position for each file.
This artifact can provide evidence of file names users have interacted with through file dialogs.
Data Collected
This collector gathers structured data about cidsizemru.
CIDSizeMRU Data
| Field | Description | Example |
|---|---|---|
| KeyPath | Registry key path | Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU |
| LastWriteTime | Registry key last write time | 2023-10-15T14:30:00 |
| Value | MRU value name | 0 |
| Username | User account name | user |
| FileName | File name | confidential-report.docx |
| MRUPosition | Position in MRU list | 0 |
| RegPath | Path to registry hive | Registry/ntuser.dat |
Collection Method
This collector:
- Collects user registry hives (ntuser.dat)
- Searches for: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
- Parses MRUListEx binary data
- Extracts file name strings
- Orders by MRU position
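The parsing steps listed above, as an added example (not the collector's own code). It assumes MRUListEx is a sequence of little-endian 32-bit value names ending in 0xFFFFFFFF and that each numbered value begins with a null-terminated UTF-16LE string followed by binary data; the function names and sample bytes are constructed for illustration.

```python
import struct

MRU_TERMINATOR = 0xFFFFFFFF  # assumed end-of-list marker in MRUListEx


def parse_mrulistex(data: bytes) -> list[int]:
    """Return the numbered value names in most-recent-first order."""
    order = []
    for off in range(0, len(data) - len(data) % 4, 4):
        (idx,) = struct.unpack_from("<I", data, off)
        if idx == MRU_TERMINATOR:
            break
        order.append(idx)
    return order


def extract_name(value_data: bytes) -> str:
    """Decode the leading null-terminated UTF-16LE string, ignoring trailing binary."""
    end = len(value_data) - len(value_data) % 2
    for off in range(0, end, 2):
        if value_data[off:off + 2] == b"\x00\x00":
            end = off
            break
    return value_data[:end].decode("utf-16-le", errors="replace")


def order_entries(values: dict[str, bytes]) -> list[dict]:
    """Build rows carrying the Value, FileName and MRUPosition fields."""
    rows = []
    order = parse_mrulistex(values.get("MRUListEx", b""))
    for position, idx in enumerate(order):
        raw = values.get(str(idx))
        if raw is None:  # listed in MRUListEx but the value itself is gone
            continue
        rows.append({"Value": str(idx), "FileName": extract_name(raw), "MRUPosition": position})
    return rows


def _entry(name: str) -> bytes:
    # Constructed value data: UTF-16LE name, null terminator, opaque trailing bytes.
    return name.encode("utf-16-le") + b"\x00\x00" + bytes(range(16))


# Constructed key contents (not from a real hive); value "2" is deliberately missing.
SAMPLE = {
    "MRUListEx": struct.pack("<4I", 1, 0, 2, MRU_TERMINATOR),
    "0": _entry("confidential-report.docx"),
    "1": _entry("budget.xlsx"),
}
```

Calling `order_entries(SAMPLE)` returns the two surviving entries with `budget.xlsx` at position 0, and the index that MRUListEx references without a matching value is skipped rather than raising.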
Forensic Value
CIDSizeMRU provides additional evidence of file interaction through dialogs. Investigators use this data to identify files accessed through dialogs, corroborate other file access evidence, detect access to sensitive file names, and supplement OpenSavePidlMRU analysis.