LastVisitedPidlMRU

Overview

Evidence: LastVisitedPidlMRU
Description: Enumerate LastVisitedPidlMRU
Category: System
Platform: windows
Short Name: lstvstpidmru
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

LastVisitedPidlMRU tracks which folder a user last visited when using a file open/save dialog for each application. This registry artifact creates an association between executables and the folders users accessed while using those applications.

This can reveal which folders users accessed with specific programs, including applications that may have been deleted or are suspicious.

Data Collected

This collector gathers structured data about lastvisitedpidlmru.

LastVisitedPidlMRU Data

Field	Description	Example
`KeyPath`	Registry key path	Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
`LastWriteTime`	Registry key last write time	2023-10-15T14:30:00
`Value`	MRU value name	0
`Username`	User account name	user
`Path`	Folder path accessed	C:\Users\user\Documents\Confidential
`MRUPosition`	Position in MRU list	0
`RegPath`	Path to registry hive	Registry/ntuser.dat

Collection Method

This collector:

Collects user registry hives (ntuser.dat)
Searches for: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Parses MRUListEx binary data
Decodes shell item list data using libfwsi
Extracts folder paths and application associations
Orders by MRU position

Forensic Value

LastVisitedPidlMRU reveals application-specific folder access and can connect executables to data locations. Investigators use this data to identify which folders were accessed by specific programs, detect malware accessing sensitive directories, track file dialog operations, correlate applications with data access, prove application interaction with specific folders, and identify suspicious application-folder associations.