Query the Most Recently Opened and Saved File Information from the Registry

AID2112302009.YAML

#####aid_begin
#description: fetch the information from the opensavemru keys
#id: aid2112302009
#processtype: query
#category: registry
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
#  windows 7
#  windows 8.*
#  windows 10
#  windows 11
#  windows server 2008 r2
#  windows server 2012
#  windows server 2012 r2
#  windows server 2016
#  windows server 2019
#compatibleengine: |-
#  powershell 2
#  powershell 3
#  powershell 4
#  powershell 5.*
#  powershell 7.*
#bgcommandlist: |-
#  get-bgregistry
#notes: |-
#  1) this key maintains a list of files recently opened or saved via the typical windows explorer-style common dialog boxes (i.e. the open dialog box and the save dialog box)
#  2) for instance, files (e.g. .txt, .pdf, .htm, .jpg) that were recently opened or saved from within a web browser (including ie and firefox) are maintained. however, documents that are opened or saved via microsoft office programs are not maintained. subkey * contains the full file path to the 10 most recently opened/saved files. other subkeys in opensavemru contain far more entries related to previously opened or saved files (including the 10 most recent ones), which are grouped according to file extension.
#####aid_end
commands:
- Get-BGRegistry -StartKey "HKU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" 
- Get-BGRegistry -StartKey "HKU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU"
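
The same two keys can be read with the built-in registry provider when Get-BGRegistry is not available. This is an added example, not part of the aid file or the tool, and it makes no claim about how Get-BGRegistry works internally. It assumes the usual MRU layout, which the notes above do not describe: each subkey holds an MRUList string or an MRUListEx binary value giving the order, most recent first. Only user hives currently loaded under HKEY_USERS are covered.

```powershell
# Added example: list OpenSaveMRU / OpenSavePidlMRU entries per user, in MRU order. Read-only.
function Get-MruOrder {
    param([Microsoft.Win32.RegistryKey]$Key)
    # Assumed layout 1: MRUList is a string of one-character value names, most recent first.
    $list = $Key.GetValue('MRUList')
    if ($list -is [string]) { return ($list.ToCharArray() | ForEach-Object { [string]$_ }) }
    # Assumed layout 2: MRUListEx is little-endian uint32 value names, ended by 0xFFFFFFFF.
    $ex = $Key.GetValue('MRUListEx')
    if ($ex -is [byte[]]) {
        for ($i = 0; $i + 4 -le $ex.Length; $i += 4) {
            $n = [BitConverter]::ToUInt32($ex, $i)
            if ($n -eq [uint32]::MaxValue) { break }
            [string]$n
        }
        return
    }
    # No ordering value present: fall back to whatever value names exist.
    $Key.GetValueNames()
}

$relative = 'Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32'
foreach ($hive in Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    if ($hive.PSChildName -like '*_Classes') { continue }   # skip per-user Classes hives
    foreach ($mru in 'OpenSaveMRU', 'OpenSavePidlMRU') {
        $root = "Registry::$($hive.Name)\$relative\$mru"
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Subkeys are '*' (all types) plus one per file extension.
        foreach ($ext in Get-ChildItem -LiteralPath $root) {
            $rank = 0
            foreach ($name in Get-MruOrder -Key $ext) {
                # Use the RegistryKey object directly so the '*' subkey is not treated as a wildcard.
                $data = $ext.GetValue($name)
                if ($data -is [byte[]]) { $data = "<binary item ID list, $($data.Length) bytes>" }
                New-Object PSObject -Property @{
                    Sid = $hive.PSChildName; Key = $mru; Extension = $ext.PSChildName
                    Rank = $rank; ValueName = $name; Data = $data
                } | Select-Object Sid, Key, Extension, Rank, ValueName, Data
                $rank++
            }
        }
    }
}
```

Rank 0 is the most recent entry in each subkey. Binary entries are reported by size only, since decoding them needs a shell item parser.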
