Query the Registry for the most common MRU information for All User Hives, including offline users
AID2201202337.YAML
#####aid_begin
#description: registry scan for MRU (most recently used) info for all users
#id: aid2201202337
#processtype: query
#category: registry
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
# Windows 7
# Windows 8.*
# Windows 10
# Windows 11
# Windows Server 2008 R2
# Windows Server 2012
# Windows Server 2012 R2
# Windows Server 2016
# Windows Server 2019
#compatibleengine: |-
# PowerShell 2
# PowerShell 3
# PowerShell 4
# PowerShell 5.*
# PowerShell 7.*
#bgcommandlist: |-
# Invoke-LoadAllProfileHives
# Get-BGLoadedRegHives
# Get-BGMRUActivityView
# Invoke-BGUnLoadAllProfileHives
#notes: |-
# 1) Load the registry hives of all users, including users who are not currently logged on
# 2) Query all loaded registry hives
# 3) Query the most populated MRU registry keys:
#    - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
#    - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy
#    - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder
#    - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
#    - HKEY_CURRENT_USER\Software\IvoSoft\ClassicStartMenu\MRU
#    - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
# 4) Unload all registry hives that were loaded by the first command
#####aid_end
commands:
- Invoke-LoadAllProfileHives
- Get-BGLoadedRegHives
- Get-BGMRUActivityView
postcommands:
- Invoke-BGUnLoadAllProfileHives
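The four steps listed in the notes, carried out with built-in cmdlets and reg.exe instead of the Invoke-LoadAllProfileHives / Get-BGMRUActivityView / Invoke-BGUnLoadAllProfileHives commands. This is an added example, not code from the page or from the project it documents. It assumes an elevated PowerShell 5.1 or later session on the local host, that each ProfileList entry's ProfileImagePath points at a folder containing NTUSER.DAT, and it mounts offline hives under HKEY_USERS using the profile SID as the name (a naming choice of this example, so the same enumeration covers live and mounted hives). The Convert-MruValue helper is also this example's own.

```powershell
# Added example (not the project's code): enumerate MRU artefacts for every user profile on
# this host, mounting offline users' NTUSER.DAT hives first and unmounting them afterwards.
# Assumes an elevated PowerShell 5.1+ session; reg.exe load/unload needs backup/restore rights.

$MruSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU',
    'Software\IvoSoft\ClassicStartMenu\MRU',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'
)

# Step 1: mount the hive of every profile whose user is not logged on. Logged-on users already
# have their hive under HKEY_USERS\<SID>; those are skipped (reg.exe would refuse the locked file).
$mounted = @()
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
foreach ($entry in Get-ChildItem $profileList | Where-Object { $_.PSChildName -like 'S-1-5-21-*' }) {
    $sid      = $entry.PSChildName
    $hiveFile = Join-Path $entry.GetValue('ProfileImagePath') 'NTUSER.DAT'
    if ((Test-Path "Registry::HKEY_USERS\$sid") -or -not (Test-Path $hiveFile)) { continue }
    & reg.exe load "HKU\$sid" $hiveFile | Out-Null
    if ($LASTEXITCODE -eq 0) { $mounted += $sid }   # remember only what this script mounted
}

# Helper (this example's own): turn raw MRU values into something readable.
function Convert-MruValue {
    param([string]$Name, $Value)
    if ($Value -isnot [byte[]]) { return $Value }          # REG_SZ entries (RunMRU, MRUList) pass through
    if ($Name -eq 'MRUListEx') {                           # DWORD list, most recent first, -1 terminated
        $order = for ($i = 0; $i + 4 -le $Value.Length; $i += 4) {
            $n = [BitConverter]::ToInt32($Value, $i)
            if ($n -eq -1) { break }
            $n
        }
        return ($order -join ',')
    }
    # RecentDocs and LastVisitedPidlMRU entries start with a NUL-terminated UTF-16LE name
    # (document or executable name) followed by a binary PIDL; keep only the readable name.
    return [Text.Encoding]::Unicode.GetString($Value).Split([char]0)[0]
}

# Steps 2 and 3: read the MRU keys from every per-user hive now under HKEY_USERS, live or
# just mounted. The *_Classes hives hold no MRU data and are skipped.
$results = foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' |
          Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }) {
    $sid = $hive.PSChildName
    foreach ($sub in $MruSubKeys) {
        $keyPath = "Registry::HKEY_USERS\$sid\$sub"
        if (-not (Test-Path $keyPath)) { continue }
        $key = Get-Item $keyPath
        foreach ($valueName in $key.GetValueNames()) {
            [pscustomobject]@{
                SID   = $sid
                Key   = $sub.Split('\')[-1]
                Name  = $valueName
                Value = Convert-MruValue -Name $valueName -Value $key.GetValue($valueName)
            }
        }
    }
}
$results | Sort-Object SID, Key, Name | Format-Table -AutoSize

# Step 4: unmount only the hives this script mounted. Release the provider's key handles first;
# otherwise reg.exe unload reports access denied and the hive stays mounted on the host.
$key = $null; $hive = $null
[GC]::Collect()
foreach ($sid in $mounted) { & reg.exe unload "HKU\$sid" | Out-Null }
```

Run it as-is on a triage host; check the exit status of each reg.exe unload afterwards, because a hive left mounted keeps that user's NTUSER.DAT locked until the next reboot. The RecentDocs key also has per-extension subkeys (for example .txt) with the same value layout; extend $MruSubKeys with Get-ChildItem over that key if those are wanted as well.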