OpenSavePidlMRU

Overview

Evidence: OpenSavePidlMRU
Description: Enumerate OpenSavePidlMRU
Category: System
Platform: windows
Short Name: opnsvpidmru
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

OpenSavePidlMRU tracks folders and files accessed through Windows common file dialogs (Open/Save), organized by file extension. When users open or save files, Windows records the accessed locations in this registry artifact.

This provides detailed evidence of file operations, showing which folders users navigated to when working with specific file types.

Data Collected

This collector gathers structured data about opensavepidlmru.

OpenSavePidlMRU Data

Field	Description	Example
`KeyPath`	Registry key path	Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU.docx
`LastWriteTime`	Registry key last write time	2023-10-15T14:30:00
`Value`	MRU value name	0
`Username`	User account name	user
`Extension`	File extension	.docx
`Path`	Full path accessed	C:\Users\user\Documents\Confidential\report.docx
`MRUPosition`	Position in MRU list	0
`RegPath`	Path to registry hive	Registry/ntuser.dat

Collection Method

This collector:

Collects user registry hives (ntuser.dat)
Searches for: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*
For each extension subdirectory, parses MRUListEx
Decodes shell item data using libfwsi
Reconstructs full paths from shell item lists
Orders by MRU position per extension

Forensic Value

OpenSavePidlMRU provides granular evidence of file dialog activity organized by file type. Investigators use this data to identify files accessed via dialogs, track file operations by extension, detect access to sensitive documents, establish file access timelines, prove user interaction with specific files, correlate with application usage, and identify files on disconnected drives.