LastVisitedPidlMRU

LastVisitedPidlMRU maintains a list of the last directory "visited" by each application. Applications use the key's information to maintain the "default" directory the user may want to open from or save to.

Effectively, this key is not only an artifact of file access but also an artifact of application execution.

Analysis

LastVisitedPidlMRU is tied to individual user profiles and can be located inside an individual user's NTUSER.DAT hive. It can be found in two possible registry keys:

  1. NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
  2. NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy

The following information is available for each LastVisitedPidlMRU entry:

  • Executable Name (full path is not available)
  • Full path of last visited directory
  • MRU position

The LastWriteTime of the LastVisitedPidlMRU key represents the most recent application open / save activity (i.e., the entry at MRU position 0).
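The three fields listed above come from two pieces of the key: the MRUListEx value gives the MRU order, and each numbered value holds the executable name followed by a PIDL encoding the directory. The following parser is an added example, not code from the page or from any of the tools it mentions; it assumes the commonly documented layout (little-endian DWORD MRUListEx terminated by 0xFFFFFFFF; NUL-terminated UTF-16LE executable name followed by the PIDL), reads only drive and ANSI short names from the PIDL, and runs against constructed sample bytes with hypothetical executable names rather than a real hive.

```python
import struct

# Assumed layout (public docs on the ComDlg32 MRU keys): MRUListEx is little-endian
# DWORDs, most recent first, 0xFFFFFFFF-terminated; each "<n>" value is a NUL-terminated
# UTF-16LE executable name followed by a PIDL. Only the drive letter and ANSI short
# names are read from the PIDL (real items also carry long names in an extension block).
def parse_mrulistex(data: bytes) -> list[int]:
    order = [n for (n,) in struct.iter_unpack("<I", data[: len(data) - len(data) % 4])]
    return order[: order.index(0xFFFFFFFF)] if 0xFFFFFFFF in order else order
def _cstr(buf: bytes) -> str:  # ANSI string up to the first NUL
    return buf.split(b"\x00", 1)[0].decode("ascii", "replace")
def pidl_path(pidl: bytes) -> str:  # walk the SHITEMID chain, join folder names
    parts, off = [], 0
    while off + 2 <= len(pidl):
        cb = struct.unpack_from("<H", pidl, off)[0]
        if cb == 0:                                  # 2-byte list terminator
            break
        item = pidl[off:off + cb]
        kind = item[2] & 0x70 if len(item) > 2 else 0
        if kind == 0x20 and len(item) > 3:           # drive item: name at offset 3
            parts.append(_cstr(item[3:]).rstrip("\\"))
        elif kind == 0x30 and len(item) > 14:        # file-system item: short name at 14
            parts.append(_cstr(item[14:]))
        off += cb
    return "\\".join(parts)
def parse_entry(value: bytes) -> tuple[str, str]:
    i = 0                                  # UTF-16LE NUL pair sits on an even offset
    while i + 2 <= len(value) and value[i:i + 2] != b"\x00\x00":
        i += 2
    return value[:i].decode("utf-16-le"), pidl_path(value[i + 2:])
def mru_entries(mrulistex: bytes, values: dict[str, bytes]) -> list[dict]:
    rows = []                              # position 0 = most recent open/save use
    for pos, n in enumerate(parse_mrulistex(mrulistex)):
        exe, path = parse_entry(values[str(n)])
        rows.append({"mru": pos, "exe": exe, "dir": path})
    return rows

# Constructed sample values (not from a real hive); executable names are hypothetical.
def _item(head: bytes, name: str) -> bytes:
    body = head + name.encode() + b"\x00"
    return struct.pack("<H", len(body) + 2) + body
def _drive(letter: str) -> bytes: return _item(b"\x2f", letter + ":\\")
def _folder(name: str) -> bytes: return _item(b"\x31\x00" + bytes(10), name)
SAMPLE_VALUES = {
    "0": "notepad.exe".encode("utf-16-le") + b"\x00\x00" + _drive("C") + _folder("Users") + _folder("alice") + b"\x00\x00",
    "1": "wiztree64.exe".encode("utf-16-le") + b"\x00\x00" + _drive("C") + _folder("Temp") + b"\x00\x00",
}
SAMPLE_MRULISTEX = struct.pack("<3I", 1, 0, 0xFFFFFFFF)  # value "1" is most recent
```

Note that the key's LastWriteTime is hive metadata rather than value data, so it has to be read from the key itself and paired with the position-0 row.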

Investigation Considerations

Threat actors may use legitimate GUI applications during the attack lifecycle. If those applications are saving or opening files using the common dialog box, they will likely show up in this key.

For example, threat actors may run disk space analyzers (e.g., WizTree, WinDirStat) on a victim host to dump the full file tree to a CSV file. LastVisitedPidlMRU would show the responsible application and the destination directory.

Note, this key does not maintain the name of the file—only the directory.

Corroborating the LastVisitedPidlMRU key with the OpenSavePidlMRU key would provide more substantive evidence that a particular program opened or saved a specific file. Other user activity artifacts may be fruitful as well, such as RecentDocs.

Programs that don't use the Windows common dialog box will not show up here. An actor using the ntdsutil command line to perform NTDS.DIT theft would be invisible to all of the available common dialog keys.

Tools

  1. Eric Zimmerman's Registry Explorer