In digital forensic examinations of Windows systems, analysts frequently observe that applications that leverage the Common File Dialog interface persistently retain the most recent directory locations used for file open and save operations. These same dialogs routinely populate MRU (Most Recently Used) dropdown lists with filenames and full paths of previously accessed or created files, grouped by file extension. This data is persisted within the Common Dialog (ComDlg32) registry keys in the user’s NTUSER.DAT hive.
Windows exposes a robust suite of shared system libraries to developers, most notably the Common Dialog Box Library. As documented by Microsoft, “The Common Dialog Box Library contains a set of dialog boxes for performing common application tasks, such as opening files, choosing color values, and printing documents. The common dialog boxes allow you to implement a consistent approach to your application’s user interface.” These registry entries are of particular forensic significance because they operate in a cross-application manner, capturing activity across a wide spectrum of software—including web browsers, productivity suites, encryption utilities, and countless third-party applications that invoke the standard Common Item Dialog or legacy Common Dialog APIs.
Owing to the pervasive adoption of these standardized dialog controls, investigators gain centralized visibility into substantial volumes of user activity that would otherwise be fragmented across disparate application-specific logs. Parsing these keys enables the recovery of full file paths for documents opened or saved by the subject user, the specific applications involved, and associated temporal metadata derived from shell item structures.
To extract this intelligence, examiners should target the following primary keys within the user’s NTUSER.DAT registry hive (applicable to Windows Vista and later versions):
- NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
- NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
- NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy
These values store binary PIDL data (pointer to an item ID list, i.e. an ITEMIDLIST made up of shell items), which forensic tools decode into human-readable paths and MRU ordering; the two LastVisited keys additionally record the name of the calling executable. Note that while highly effective, these artifacts are generated only by applications that use the common dialog framework; modern UWP/Store apps and those employing fully custom interfaces may bypass them, necessitating correlation with complementary sources such as ShellBags, RecentDocs, and UserAssist entries. Pre-Vista systems used the non-PIDL variants (OpenSaveMRU and LastVisitedMRU), which stored plain path strings rather than shell items.
In this illustrative example, the Microsoft Office Excel application is shown invoking the standard Common File Dialog for a “Save As” operation. The dialog has automatically defaulted to the user’s This PC > Documents folder. This last-visited directory information is recorded in the LastVisitedPidlMRU key (or its legacy counterpart, depending on which dialog API the application calls) within the user’s NTUSER.DAT hive. Forensic examiners value this artifact because it reflects the per-application “last used folder” memory maintained by the Common Dialog Box Library, a convenience feature that consistently returns the user to their preferred working directory for each application.
Additionally, the dropdown list beneath the “File name” field is dynamically populated from the OpenSavePidlMRU key. In this instance, the entries are exclusively .xlsx files, demonstrating that the Common Dialog MRU mechanisms maintain separate lists organized by file extension (plus a wildcard * subkey that records the most recent files regardless of extension). Of significant forensic utility is the fact that these entries contain fully qualified paths rather than simple filenames, enabling investigators to identify specific directories and folder structures the user has actively interacted with during file open and save operations.
When parsed, the binary PIDL structures within these keys yield the complete file paths and MRU ordering. The application responsible for an OpenSavePidlMRU entry is not recorded in that key; it is inferred by correlating the file’s folder with the executable-to-folder entries in LastVisitedPidlMRU. Together the keys provide a rich, cross-application chronology of document-related user activity that complements other Windows artifacts such as ShellBags, LNK files, and RecentDocs.
The OpenSavePidlMRU key (previously OpenSaveMRU in Windows XP) constitutes a rich forensic artifact that records detailed evidence of files opened or saved by the user through the Common File Dialog interface. Analogous to the RecentDocs key, it structures data according to file extension, resulting in potentially numerous subkeys, each corresponding to a distinct file type encountered during open or save operations. This organization holds considerable evidentiary value; for example, the presence of a ps1 subkey may indicate interaction with PowerShell scripts, a pst subkey can reveal engagement with email archives, and an exe subkey may document a binary being selected or saved through a dialog (not its execution, which artifacts such as UserAssist or Prefetch would show). A notable exception is the wildcard * subkey, which maintains the most recent twenty (20) files of any extension (including files with no extension) processed through common open/save dialogs.
While manual traversal of each subkey is possible, it is inefficient. Registry Explorer’s dedicated “ComDlg32 OpenSavePidlMRU” plugin aggregates all subkey data into a unified, filterable table. Analysts can efficiently query by specific file extensions, filenames, full paths, or temporal indicators. Each extension-specific subkey maintains its own independent Most Recently Used (MRU) list, held in the subkey’s MRUListEx value (an array of value indices whose first entry names the most recently used item), along with a LastWrite timestamp on the subkey itself. As with many MRU-based registry artifacts, individual value-level timestamps are absent; however, the MRU ordering within each subkey allows the most recently accessed item to be reliably correlated with the subkey’s LastWrite time. Only that first item can be tied to the timestamp; the remaining entries are ordered but undated. The Registry Explorer plugin automates this correlation, significantly streamlining analysis and enabling rapid identification of the most recent file activity per file type.
When decoded, the binary PIDL structures within these entries provide fully qualified paths, embedded file and folder metadata, and MRU sequencing that greatly enhance the reconstruction of user document interaction timelines.
The LastVisitedPidlMRU key, while structurally simpler than its OpenSavePidlMRU counterpart, is frequently underappreciated or misinterpreted in digital forensic analysis. This key is the mechanism by which the Common Dialog Box Library enables applications to “remember” and suggest the most recently used directory for subsequent file open or save operations. It effectively functions as a per-application record of the default (last visited) folder, providing examiners with two highly valuable classes of intelligence: (1) the specific executable applications invoked by the user, and (2) the precise file system locations with which those applications last interacted.
This artifact frequently surfaces significant findings, such as previously unknown removable media volumes, non-standard directories, or concealed storage locations that may contain relevant data. In the example below, the entries reveal several noteworthy patterns: the Chrome browser repeatedly accessing the user’s Pictures folder (suggesting download or save activity), execution of image-editing applications such as Paint.NET and Pixillion (indicative of photo manipulation or processing), and multiple forensic tools—including Cybertriage—interacting with removable drives (D:\ and E:). The latter pattern is consistent with analysis conducted on a dedicated forensic workstation.
Forensic practitioners should examine both of the following locations within the user’s NTUSER.DAT hive, as the specific Win32 API functions employed by an application (e.g., GetOpenFileName, GetSaveFileName, or newer Common Item Dialog interfaces) determine which key receives the data:
- NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
- NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy
Each value within these keys stores binary PIDL (Pointer to ID List) data that, when properly decoded, yields the full path to the last visited folder, the associated application executable, and MRU ordering. When correlated with other artifacts such as ShellBags, UserAssist, and Amcache, this key significantly strengthens timeline reconstruction and user activity attribution.
Shell items (the SHITEMID entries that make up an ITEMIDLIST; a PIDL is a pointer to such a list) are a core Windows data structure employed extensively by the operating system to encapsulate rich metadata about files, folders, and other shell namespace objects. Beginning with Windows Vista, Microsoft transitioned to embedding these structured shell item formats within the OpenSavePidlMRU and LastVisitedPidlMRU (including Legacy) keys. Consequently, these Common Dialog artifacts contain substantially more forensic intelligence than simple filenames and paths.
When decoded, the embedded shell items routinely expose critical metadata such as creation, modification, and access timestamps, file sizes, and Master File Table (MFT) record identifiers (the entry number together with its sequence number). Two caveats apply to the timestamps: they are stored in MS-DOS (FAT) date/time format with 2-second resolution, and they reflect the local time of the machine that wrote them rather than UTC. This information often persists even after the referenced file has been deleted or securely wiped, or when it resided on removable media that is no longer attached to the system. The preserved MFT metadata is particularly powerful: it enables precise correlation with the file system’s $MFT to identify the exact file record (a matching sequence number confirms the record has not been reused), or to support partial recovery of deleted file remnants through carving or slack space analysis.
As an additional analytical benefit, shell items frequently include hierarchical metadata for each parent folder in the full path. This permits forensic examiners to reconstruct detailed directory structures, map user navigation patterns, and identify specific folder characteristics (such as creation times and attributes) that would otherwise be difficult to establish, especially in cases involving long-deleted files or detached removable media. When parsed with tools such as Registry Explorer or custom shell item parsers, these artifacts significantly enhance timeline accuracy and provide high-value context for user activity reconstruction.
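The following decoder is an added example and is not code from the original post or from Registry Explorer. It ties together the points made above: MRUListEx ordering and its correlation with a subkey’s LastWrite time, the LastVisitedPidlMRU value layout (a UTF-16 executable name followed by the folder’s PIDL), and the shell item metadata (DOS timestamps, MFT entry and sequence number, long name) carried in the 0xBEEF0004 extension block. The field offsets follow the publicly documented libfwsi shell item format and should be treated as an assumption to validate against real hive data; the sample values are constructed in the script with a small builder rather than taken from a real NTUSER.DAT, and the “This PC” CLSID and the assumed executable and file names are illustrative.

```python
"""Offline decoder for ComDlg32 MRU data: MRUListEx order, LastVisitedPidlMRU values, and the
shell items (with 0xBEEF0004 blocks) inside OpenSavePidlMRU values. Field offsets follow the
libfwsi shell item documentation and are an assumption to verify against real hives."""
import struct
import uuid
from datetime import datetime, timezone

THIS_PC = "20d04fe0-3aea-1069-a2d8-08002b30309d"  # CLSID of the "This PC" root folder item
END = b"\x00\x00"

def parse_mrulistex(data: bytes) -> list:  # uint32 value names, newest first, 0xFFFFFFFF ends it
    order = [i for (i,) in struct.iter_unpack("<I", data[:len(data) // 4 * 4])]
    return order[:order.index(0xFFFFFFFF)] if 0xFFFFFFFF in order else order

def fat_datetime(raw: bytes):  # MS-DOS date then time: 2-second resolution, local time
    d, t = struct.unpack("<HH", raw)
    return None if d == 0 else datetime(1980 + (d >> 9), (d >> 5) & 0xF, d & 0x1F,
                                         t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)

def utf16z(buf: bytes, off: int = 0):  # NUL-terminated UTF-16LE string at an even offset
    end = next(i for i in range(off, len(buf), 2) if buf[i:i + 2] == END)
    return buf[off:end].decode("utf-16-le"), end

def parse_beef0004(blk: bytes) -> dict:
    """Extension block 0xBEEF0004: creation/access times, NTFS file reference, long name."""
    _, version, sig = struct.unpack_from("<HHI", blk, 0)
    if sig != 0xBEEF0004:
        return {}
    out, off = {"ctime": fat_datetime(blk[8:12]), "atime": fat_datetime(blk[12:16])}, 18
    if version >= 7:  # 6-byte MFT entry number + 2-byte sequence number at offset 20
        ref = struct.unpack_from("<Q", blk, 20)[0]
        out["mft_entry"], out["mft_sequence"], off = ref & 0xFFFFFFFFFFFF, ref >> 48, 36
    off += (2 if version >= 3 else 0) + (4 if version >= 9 else 0) + (4 if version >= 8 else 0)
    out["long_name"] = utf16z(blk, off)[0]
    return out

def parse_shell_item(item: bytes) -> dict:
    kind = item[2]
    if kind == 0x1F:  # root folder: CLSID at offset 4
        return {"type": "root", "clsid": str(uuid.UUID(bytes_le=item[4:20]))}
    if (kind & 0x70) == 0x20:  # volume: drive string at offset 3
        return {"type": "volume", "name": item[3:].split(b"\x00", 1)[0].decode("ascii")}
    if (kind & 0x70) != 0x30:
        return {"type": "unknown", "class": kind}
    size, mtime, attrs = struct.unpack_from("<I4sH", item, 4)  # file entry: 0x31 dir, 0x32 file
    out = {"type": "file", "name": item[14:item.index(b"\x00", 14)].decode("ascii"),  # ASCII short name
           "size": size, "mtime": fat_datetime(mtime), "is_dir": bool(attrs & 0x10)}
    ext_off = struct.unpack_from("<H", item, len(item) - 2)[0]  # offset of the first extension block
    if 14 < ext_off < len(item) - 8:
        out.update(parse_beef0004(item[ext_off:]))
    return out

def parse_itemidlist(data: bytes) -> list:  # SHITEMID chain: uint16 size + payload, size 0 terminates
    items, off = [], 0
    while off + 2 <= len(data) and (size := struct.unpack_from("<H", data, off)[0]):
        items.append(parse_shell_item(data[off:off + size]))
        off += size
    return items

def path_from_items(items: list) -> str:  # a root ("This PC") item is implicit in the path
    path = ""
    for it in items:
        if it["type"] == "volume":
            path = it["name"]
        elif it["type"] == "file":
            path = path.rstrip("\\") + "\\" + (it.get("long_name") or it["name"])
    return path

def parse_lastvisited_value(data: bytes) -> dict:
    """UTF-16LE executable name, NUL terminator, then the last-visited folder's PIDL."""
    exe, end = utf16z(data)
    return {"executable": exe, "folder": path_from_items(parse_itemidlist(data[end + 2:]))}

def most_recent_per_extension(subkeys: dict) -> dict:
    """Values carry no timestamps; only the MRUListEx head is tied to the subkey LastWrite."""
    out = {}
    for ext, v in subkeys.items():  # v = {"LastWrite": dt, "MRUListEx": bytes, "0": bytes, ...}
        mru = [path_from_items(parse_itemidlist(v[str(i)])) for i in parse_mrulistex(v["MRUListEx"])]
        out[ext] = {"mru": mru, "most_recent": mru[0] if mru else None, "last_write": v["LastWrite"]}
    return out

# ---- constructed sample values (built here, not taken from a real hive) ----
def fat_bytes(dt: datetime) -> bytes:
    return struct.pack("<HH", ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
                       (dt.hour << 11) | (dt.minute << 5) | dt.second // 2)

def build_file_entry(name, is_dir, size, mtime, ctime, atime, mft_entry, seq) -> bytes:
    head = struct.pack("<BBI4sH", 0x31 if is_dir else 0x32, 0, size, fat_bytes(mtime),
                       0x10 if is_dir else 0x20) + name.encode("ascii") + b"\x00"
    head += b"\x00" * (len(head) % 2)  # pad the short name to 16-bit alignment
    ext = (struct.pack("<HI", 9, 0xBEEF0004) + fat_bytes(ctime) + fat_bytes(atime) + b"\x00" * 4
           + struct.pack("<Q", (seq << 48) | mft_entry) + b"\x00" * 18  # version-9 filler fields
           + name.encode("utf-16-le") + END + struct.pack("<H", 2 + len(head)))
    item = head + struct.pack("<H", 2 + len(ext)) + ext
    return struct.pack("<H", 2 + len(item)) + item

D = datetime
ROOT = struct.pack("<HBB", 20, 0x1F, 0x50) + uuid.UUID(THIS_PC).bytes_le
VOL_C = struct.pack("<HB", 7, 0x2F) + b"C:\\\x00"
DOCS = build_file_entry("Documents", True, 0, D(2024, 3, 1, 9), D(2023, 1, 15, 8, 30), D(2024, 3, 1, 9), 12345, 3)
BUDGET = build_file_entry("budget.xlsx", False, 18432, D(2024, 3, 2, 14, 10, 30),
                          D(2024, 3, 2, 14, 10, 30), D(2024, 3, 2, 14, 12), 98765, 2)
SAMPLE_LASTVISITED = "EXCEL.EXE".encode("utf-16-le") + END + ROOT + VOL_C + DOCS + END
SAMPLE_OPENSAVE = {"xlsx": {"LastWrite": D(2024, 3, 2, 14, 10, 33, tzinfo=timezone.utc),
                            "MRUListEx": struct.pack("<III", 1, 0, 0xFFFFFFFF),  # value "1" is newest
                            "0": ROOT + VOL_C + BUDGET + END,  # earlier save of the file to C:\
                            "1": ROOT + VOL_C + DOCS + BUDGET + END}}
```

Against the constructed data, `parse_lastvisited_value(SAMPLE_LASTVISITED)` returns EXCEL.EXE with folder `C:\Documents`, and `most_recent_per_extension(SAMPLE_OPENSAVE)` orders the xlsx entries newest-first and pairs only the first (`C:\Documents\budget.xlsx`) with the subkey LastWrite time. To run it against an acquired hive, feed the raw value bytes and the subkey LastWrite time from an offline registry parser of your choice in place of the sample dictionary; the primary (short) name is decoded as ASCII only, which matches the common case but not items that set the Unicode flag.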
In summary, the Common Dialog registry keys reside under the ComDlg32 branch within each user’s NTUSER.DAT hive. Collectively, these artifacts provide a comprehensive record of files opened and saved via the standard Windows Common File Dialog interface. They capture fully qualified paths along with embedded shell item (PIDL) data, which includes rich metadata such as file and folder timestamps, sizes, and MFT record identifiers.
By examining the LastWrite timestamps on the file extension-specific subkeys under OpenSavePidlMRU, examiners can determine when the most recent file of each type was opened or saved. Complementing this, the LastVisitedPidlMRU and LastVisitedPidlMRULegacy keys reveal the specific applications executed by the user and the precise file system locations (folders) with which those applications last interacted.
While these keys address a wide range of investigative questions, their greatest evidentiary value often lies in surfacing information about deleted files, files residing on detached removable media, or data stored in cloud-synced folders to which the examiner may lack direct access. When combined with supporting artifacts such as ShellBags, LNK files, and $MFT analysis, the ComDlg32 keys significantly strengthen timeline reconstruction and user activity attribution in digital forensic examinations.