#####aid_begin
#description: fetch the information from opensavedmrus
#id: aid2112302009
#processtype: query
#category: registry
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
#  windows 7
#  windows 8.*
#  windows 10
#  windows 11
#  windows server 2008 r2
#  windows server 2012
#  windows server 2012 r2
#  windows server 2016
#  windows server 2019
#compatibleengine: |-
#  powershell 2
#  powershell 3
#  powershell 4
#  powershell 5.*
#  powershell 7.*
#bgcommandlist: |-
#  get-bgregistry
#notes: |-
#  1) this key maintains a list of recently opened or saved files via typical windows explorer-style common dialog boxes (i.e. open dialog box and save dialog box) 
#  2) for instance, files (e.g. .txt, .pdf, htm, .jpg) that are recently opened or saved files from within a web browser (including ie and firefox) are maintained. however, documents that are opened or saved via microsoft office programs are not maintained. subkey * contains the full file path to the 10 most recently opened/saved files. other subkeys in opensavemru contain far more entries related to previously opened or saved files (including the 10 most recent ones), which are grouped accordingly to file extension.                
#####aid_end
commands:
- Get-BGRegistry -StartKey "HKU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" 
- Get-BGRegistry -StartKey "HKU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU"