RunMRU
RunMRU maintains a list of the commands executed or file paths opened via the Windows Run dialog box. The Run dialog is opened with the Windows + R shortcut, or by right-clicking the Start Menu and selecting Run.
Analysis
RunMRU is tied to individual user profiles and can be located inside an individual user's NTUSER.DAT hive:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
The following information is generally available for each RunMRU key:
- Command executed or file path / UNC opened
- MRU Position
The LastWriteTime of the RunMRU key represents the time at which the most recently executed command (i.e., MRU position 0) was run.
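The ordering and timestamp rule above, as an added example that is not part of the original page: it orders RunMRU values by MRU position and attaches the key's LastWriteTime only to position 0. It relies on the standard RunMRU value layout, which this page does not spell out (letter-named values, an MRUList ordering string, a trailing `\1` on each entry); the function name, the input dict shape and the sample data are assumptions made for illustration.

```python
from datetime import datetime, timezone

def parse_runmru(values, last_write_time):
    """Order RunMRU values by MRU position.

    values: dict of value name -> string data, as any registry parser would
            return for the RunMRU key (assumed input shape).
    last_write_time: LastWriteTime of the RunMRU key.
    Returns (entries ordered by MRU position, value names with no position).
    """
    entries, seen = [], set()
    for position, letter in enumerate(values.get("MRUList", "")):
        if letter in seen or letter not in values:
            continue  # duplicate or dangling reference in MRUList
        seen.add(letter)
        data = values[letter]
        # Run dialog entries are stored with a trailing "\1" marker.
        command = data[:-2] if data.endswith("\\1") else data
        entries.append({
            "position": position,
            "value_name": letter,
            "command": command,
            # Only MRU position 0 can be timed from the key's LastWriteTime.
            "executed_at": last_write_time if position == 0 else None,
        })
    # Values never referenced by MRUList have no MRU position.
    orphans = sorted(k for k in values if k != "MRUList" and k not in seen)
    return entries, orphans

# Constructed sample data, not taken from a real system.
SAMPLE_VALUES = {
    "a": "cmd\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "regedit\\1",
    "MRUList": "cab",
}
SAMPLE_LWT = datetime(2024, 1, 15, 9, 30, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    ordered, orphans = parse_runmru(SAMPLE_VALUES, SAMPLE_LWT)
    for e in ordered:
        print(e["position"], e["value_name"], e["command"], e["executed_at"])
    print("values without an MRU position:", orphans)
```

Entries at positions 1 and later carry no timestamp of their own, so their execution times have to come from other artifacts.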