The Windows Forensics Journey — Run MRU (Run Dialog Box Most Recently Used)

Shlomi Boutnaru, Ph.D.
Jan 1, 2024


When using the “Run” command box (“Winkey+R”), users can directly launch programs or open files/folders. “Run” includes a dropdown list of the last commands executed — as shown in the screenshot below. Those commands are saved in the registry under the “RunMRU” key (https://forensafe.com/blogs/runmrukey.html). MRU in this case stands for “Most Recently Used”.

Overall, “RunMRU” is saved separately for each Windows user (local/domain) in the following registry location: “HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU”, which we can access while the operating system is running (online analysis). For an offline analysis, we can read the information from the user's NTUSER.DAT file (“Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU”).

Moreover, each command is saved in a separate value, and the “MRUList” value lists which commands to show and in what order. Also, each command is saved with a “\1” suffix — as shown in the screenshot below. We can also clear the “RunMRU” history by removing the keys and values detailed above (https://www.thewindowsclub.com/clear-most-recently-used-mru-list?expand_article=1).
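The value layout described above can be turned back into an ordered command history with a short script. This is an added example, not code from the original writeup: the function names and the sample values are constructed for illustration, and it assumes “MRUList” holds the value names with the most recent entry first.

```python
import sys

RUNMRU_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
SUFFIX = "\\1"  # every stored command ends with a literal backslash and 1

# Constructed sample of what the key's values look like (not real evidence).
SAMPLE = {
    "MRUList": "cab",
    "a": "cmd\\1",
    "b": "notepad\\1",
    "c": "regedit\\1",
    "d": "mspaint\\1",  # present in the key but not referenced by MRUList
}


def order_runmru(values):
    """Return (ordered, orphans): commands in MRUList order, then unreferenced ones."""
    ordered, seen = [], set()
    for letter in values.get("MRUList", ""):
        if letter in seen or letter not in values:
            continue  # repeated letter, or MRUList points at a deleted value
        seen.add(letter)
        ordered.append((letter, values[letter].removesuffix(SUFFIX)))
    orphans = sorted(
        (name, data.removesuffix(SUFFIX))
        for name, data in values.items()
        if name != "MRUList" and name not in seen
    )
    return ordered, orphans


def read_live_runmru():
    """Online analysis: read the current user's RunMRU values (Windows only)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNMRU_PATH) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _type = winreg.EnumValue(key, i)
            values[name] = data
    return values


if __name__ == "__main__":
    values = read_live_runmru() if sys.platform == "win32" else SAMPLE
    ordered, orphans = order_runmru(values)
    for rank, (letter, command) in enumerate(ordered, 1):
        print(f"{rank:2} {letter} {command}")
    for letter, command in orphans:
        print(f" ? {letter} {command}")
```

Values that exist in the key but are missing from “MRUList” are reported separately, so an entry left behind by a partial cleanup is not silently dropped. It needs Python 3.9 or later for `str.removesuffix`.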

Lastly, “RunMRU” is not the only MRU list in Windows; there are others, like “Microsoft Office MRU” — more on that and others in future writeups. See you in my next writeup ;-) You can follow me on Twitter — @boutnaru (https://twitter.com/boutnaru). Also, you can read my other writeups on Medium — https://medium.com/@boutnaru. You can find my free eBooks at https://TheLearningJourneyEbooks.com.
