OpenSavePidlMRU
OpenSavePidlMRU maintains a list of files opened or saved by the user through the Windows common dialog box by any compatible application. It tracks files by extension, including files with no extension.
Analysis
OpenSavePidlMRU is tied to individual user profiles and can be located inside an individual user's NTUSER.DAT hive:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
The following information is available for each OpenSavePidlMRU entry:
- File Full Path
- File Extension
- MRU position (available per file extension)
The registry key maintains individual sub-keys for each file extension, including a wildcard extension (*) for files of any extension. Each sub-key maintains up to twenty (20) of the most recent files.
As with any Windows registry key, each OpenSavePidlMRU sub-key maintains its own LastWriteTime. Because the entry at MRU position 0 is the most recent, the LastWriteTime of a sub-key represents the open or save of the file at that position.
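The following parser, added here as an example and not part of the original page, shows how the pieces described above fit together when the key is read offline from an exported hive: the MRUListEx value of an extension sub-key is a list of little-endian DWORDs (value names, most recent first, terminated by 0xFFFFFFFF), each numbered value is a PIDL (ITEMIDLIST) of shell items, and the file-entry items carry the long file name in a 0xBEEF0004 extension block whose layout varies by version. The function names, the `.csv` sub-key scenario and every byte string below are constructed for the demo; nothing is taken from a real NTUSER.DAT.

```python
"""Offline parser for one OpenSavePidlMRU extension sub-key (added example).

Layouts follow the documented Windows Shell Item formats. All byte strings
built in the "constructed sample data" section are CONSTRUCTED for the demo.
"""
import struct
from datetime import datetime

MY_COMPUTER_GUID = bytes.fromhex("e04fd020ea3a6910a2d808002b30309d")  # {20D04FE0-...}
EXT_SIG = 0xBEEF0004


def parse_mrulistex(blob):
    """Return value-name indices in MRU order; list index == MRU position."""
    order = []
    for (idx,) in struct.iter_unpack("<I", blob[: len(blob) - len(blob) % 4]):
        if idx == 0xFFFFFFFF:  # terminator
            break
        order.append(idx)
    return order


def fat_datetime(raw):
    """Shell items store DOS date (2 bytes) followed by DOS time (2 bytes)."""
    date, time = struct.unpack("<HH", raw)
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:  # zeroed or corrupt timestamp
        return None


def _cstr(buf, off, utf16=False):
    """Null-terminated ASCII or UTF-16LE string starting at buf[off]."""
    step, nul = (2, b"\x00\x00") if utf16 else (1, b"\x00")
    end = off
    while end + step <= len(buf) and buf[end:end + step] != nul:
        end += step
    return buf[off:end].decode("utf-16-le" if utf16 else "ascii", "replace")


def long_name(item):
    """UTF-16 long name from the 0xBEEF0004 block; offsets depend on the block
    version (3 = XP, 7 = Vista, 8 = Windows 7, 9 = Windows 8 and later)."""
    pos = item.find(struct.pack("<I", EXT_SIG))
    if pos < 4:
        return None
    blk = item[pos - 4:]            # block starts 4 bytes before the signature
    version = struct.unpack_from("<H", blk, 2)[0]
    off = 18                        # size, version, signature, ctime, atime, id
    if version >= 7:
        off += 18                   # unknown(2), NTFS file reference(8), unknown(8)
    if version >= 3:
        off += 2                    # localized-name size
    if version >= 9:
        off += 4
    if version >= 8:
        off += 4
    return _cstr(blk, off, utf16=True)


def parse_pidl(blob):
    """Walk the ITEMIDLIST and rebuild the full path; a zero cb terminates."""
    parts, mtime, off = [], None, 0
    while off + 2 <= len(blob):
        cb = struct.unpack_from("<H", blob, off)[0]
        if cb < 3 or off + cb > len(blob):             # terminator or truncated item
            break
        item, kind = blob[off:off + cb], blob[off + 2]
        if 0x20 <= kind <= 0x2F and kind & 0x01:       # volume item with name ("C:\")
            parts.append(_cstr(item, 3).rstrip("\\"))
        elif 0x30 <= kind <= 0x3F:                     # file entry (0x31 dir, 0x32 file)
            parts.append(long_name(item) or _cstr(item, 14))
            mtime = fat_datetime(item[8:12])           # kept for the last item (the file)
        off += cb                                      # 0x1F root folder adds no path part
    return {"path": "\\".join(parts), "modified": mtime}


def parse_extension_subkey(mrulistex, values, key_last_write):
    """Order the numbered PIDL values of one sub-key by MRUListEx. Position 0
    is the most recent entry, so the sub-key LastWriteTime belongs to it."""
    entries = []
    for pos, idx in enumerate(parse_mrulistex(mrulistex)):
        blob = values.get(str(idx))
        if blob is None:            # index with no matching value: skip, do not guess
            continue
        entry = parse_pidl(blob)
        entry.update(position=pos, value_name=str(idx),
                     key_last_write=key_last_write if pos == 0 else None)
        entries.append(entry)
    return entries


# ---- constructed sample data (version-8 extension blocks, as on Windows 7) ----
def _file_item(name, is_dir):
    short = name.upper().encode("ascii") + b"\x00"
    short += b"\x00" * (len(short) % 2)                # 16-bit alignment
    body = bytes([0x31 if is_dir else 0x32, 0]) + struct.pack(
        "<IHHH", 0, 0x4E21, 0x5A40, 0x10 if is_dir else 0x20) + short
    ext = (struct.pack("<HHIIIHH", 0, 8, EXT_SIG, 0, 0, 0x2E, 0) + b"\x00" * 16
           + b"\x00\x00" + b"\x00" * 4 + name.encode("utf-16-le") + b"\x00\x00"
           + struct.pack("<H", 14 + len(short)))
    ext = struct.pack("<H", len(ext)) + ext[2:]
    return struct.pack("<H", 2 + len(body) + len(ext)) + body + ext


def _pidl(*names):
    root = struct.pack("<H", 20) + b"\x1f\x50" + MY_COMPUTER_GUID
    volume = struct.pack("<H", 7) + b"\x2fC:\\\x00"
    files = b"".join(_file_item(n, i < len(names) - 1) for i, n in enumerate(names))
    return root + volume + files + b"\x00\x00"


SAMPLE_VALUES = {"0": _pidl("Users", "analyst", "Desktop", "notes.csv"),
                 "1": _pidl("Users", "analyst", "tree.csv")}
SAMPLE_MRULISTEX = struct.pack("<III", 1, 0, 0xFFFFFFFF)   # value "1" is most recent
SAMPLE_LAST_WRITE = "2024-01-01T10:00:00Z (constructed sub-key LastWriteTime)"


def demo():
    return parse_extension_subkey(SAMPLE_MRULISTEX, SAMPLE_VALUES, SAMPLE_LAST_WRITE)


if __name__ == "__main__":
    for e in demo():
        print(e["position"], e["value_name"], e["path"], e["modified"], e["key_last_write"])
```

On a real hive the `values` dictionary would be filled from the numbered values of a sub-key such as `.csv` or `*`, and `key_last_write` from that sub-key's LastWriteTime; only the position 0 entry is tagged with it, because the timestamp says nothing about when the older entries were written. An MRUListEx index with no matching value is skipped rather than guessed, which is the situation after a value has been deleted or the key truncated.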
Investigation Considerations
Threat actors may use legitimate GUI applications during the attack lifecycle. If those applications are saving or opening files using the common dialog box, they are likely manifesting here.
For example, threat actors may run disk space analyzers (e.g., WizTree, WinDirStat) on a victim host to dump the full file tree to a CSV file. OpenSavePidlMRU would record the full path of the saved CSV file. This key does not record the application responsible for saving the file.
Corroborating the OpenSavePidlMRU key with the LastVisitedPidlMRU key would provide more substantive evidence that a particular program opened or saved a specific file. In this scenario, execution artifacts are also your friend.
Programs that do not use the Windows common dialog box will not show up here. An actor using the ntdsutil command line utility to perform NTDS.DIT theft would be invisible to all of the available common dialog keys.