RunMRU
Overview
Evidence: RunMRU
Description: Enumerate RunMRU
Category: System
Platform: windows
Short Name: runmru
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The Windows Run dialog (launched with Win+R) maintains a history of commands that users have typed and executed. This MRU (Most Recently Used) list is stored in the registry and preserves evidence of command execution, file paths, and applications launched.
Run dialog history can reveal a user's familiarity with specific commands, administrative commands, malware execution, and lateral movement activity.
Data Collected
This collector gathers structured data about runmru.
RunMRU Data
| Field | Description | Example |
|---|---|---|
| KeyPath | Registry key path | Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU |
| LastWriteTime | Registry key last write time | 2023-10-15T14:30:00 |
| Value | MRU value name | a |
| Username | User account name | user |
| FileName | Command or path entered | cmd.exe /c powershell.exe -enc … |
| MRUPosition | Position in MRU list | 0 |
| RegPath | Path to registry hive | Registry/ntuser.dat |
Collection Method
This collector:
- Collects user registry hives (ntuser.dat)
- Searches for `Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`
- Parses the MRUList string to determine access order
- Extracts command strings from the registry values
- Orders by MRU position (most recent first)
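The ordering step above, worked through as an added example (not the collector's own code): the value names in the key (`a`, `b`, `c`, ...) are sorted by the MRUList string, whose first character is the most recent entry. The sample values are constructed; RunMRU command values carry a trailing `\1`, which the parser strips, and values that MRUList does not reference are kept at the end rather than dropped.

```python
"""Order RunMRU values by MRUList and strip the trailing "\\1" terminator."""
from dataclasses import dataclass

# Constructed sample of the values under
# Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU in one user's ntuser.dat.
# MRUList "cab" means c is the most recent command, then a, then b.
SAMPLE_VALUES = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "cmd.exe /c powershell.exe -enc <base64-placeholder>\\1",
}

# Markers an analyst commonly triages first (PowerShell, cmd.exe, encoded commands, UNC paths).
INTERESTING_MARKERS = ("powershell", "cmd.exe", "-enc", "\\\\")


@dataclass
class RunMruEntry:
    value: str          # registry value name, e.g. "a"
    file_name: str      # command or path as typed, terminator removed
    mru_position: int   # 0 = most recently used


def parse_runmru(values: dict[str, str]) -> list[RunMruEntry]:
    """Return entries ordered most recent first according to MRUList."""
    commands = {name: data for name, data in values.items() if name != "MRUList"}
    # Follow MRUList order, ignoring characters that have no matching value.
    order = [c for c in values.get("MRUList", "") if c in commands]
    # Orphaned values (present in the key but absent from MRUList) are appended, not lost.
    order += sorted(name for name in commands if name not in order)
    entries = []
    for position, name in enumerate(order):
        raw = commands[name]
        file_name = raw[:-2] if raw.endswith("\\1") else raw
        entries.append(RunMruEntry(value=name, file_name=file_name, mru_position=position))
    return entries


def flag_markers(entry: RunMruEntry) -> list[str]:
    """Return the triage markers found in the entry's command, for analyst review."""
    lowered = entry.file_name.lower()
    return [m for m in INTERESTING_MARKERS if m.lower() in lowered]


if __name__ == "__main__":
    for e in parse_runmru(SAMPLE_VALUES):
        print(e.mru_position, e.value, e.file_name, flag_markers(e))
```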
Forensic Value
Run dialog history reveals commands users have executed and can indicate administrative activity or malicious behavior. Investigators use this data to identify PowerShell or cmd.exe execution, detect lateral movement commands, track administrative tool usage, identify malware execution, prove user knowledge of specific commands, detect privilege escalation attempts, and correlate with process execution evidence.