RunMRU
The RunMRU (Run Most Recently Used) registry key is a critical component within the Windows operating system that tracks commands executed via the "Run" dialog box, which is accessed through the Start Menu or by pressing Windows Key + R. This feature provides a convenient way for users to launch programs, open files, and execute commands quickly. From a forensic perspective, the RunMRU key offers valuable insights into user behavior, specifically regarding program execution and system interaction.
Location of RunMRU Data
RunMRU data is stored in the NTUSER.DAT hive of a user's profile, under the following path:
This registry key contains values that represent each command entered into the Run dialog box by the user. The NTUSER.DAT file is user-specific, meaning that RunMRU entries are unique to each user account on the system.
Structure and Interpretation of RunMRU Entries
Values: Each value under the RunMRU key corresponds to a command that was executed. These values are typically named with single letters (e.g., a, b, c, ...), reflecting the order in which the commands were executed, with a being the most recent.
MRUList: The MRUList value within the RunMRU key keeps track of the order of execution. It is a string that arranges the value names (a, b, c, ...) in the order they were accessed, with the first character representing the most recently used command.
Encoding: RunMRU entries are stored in plain text, making them easily readable. This straightforward encoding facilitates quick analysis but also means that sensitive or revealing commands are not obscured.
Forensic Importance of RunMRU
Program Execution History: RunMRU provides a timeline of executed commands, offering insights into user actions before or after an event of interest. This can be crucial in understanding the sequence of activities on a system.
Malicious Activity: Examination of RunMRU entries can reveal commands or programs indicative of malicious activity, such as the execution of malware, access to system configuration settings, or use of tools commonly associated with unauthorized activities.
Artifact Correlation: RunMRU data can be correlated with other forensic artifacts, such as Prefetch files, Event Logs, and command line history, to build a comprehensive picture of user actions and system usage.
Extracting and Analyzing RunMRU Data
Accessing NTUSER.DAT: Use forensic tools to load the NTUSER.DAT hive from a user's profile. This often requires accessing the file from a forensic image or backup, especially if analyzing a system post-incident.
Navigating to RunMRU: Locate the RunMRU key within the loaded hive. Forensic software may provide a user-friendly interface for navigating the registry structure.
Documenting Commands: Record the values found within the RunMRU key, noting the order indicated by the MRUList value. Pay special attention to unusual or unexpected commands.
Analysis Tools: Utilize forensic analysis tools that can automatically parse and present RunMRU data, streamlining the extraction process. Tools like RegRipper are particularly useful for this purpose.
Contextual Analysis: Consider the context of each command within the broader scope of the user's typical behavior and other system events. This contextual analysis can help differentiate between benign and potentially malicious activities.
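The following Python script is an added example, not part of this page or of any tool it mentions, that implements the "Structure and Interpretation" and "Documenting Commands" steps above: it takes the values of a RunMRU key, orders them by MRUList, and flags values that MRUList does not reference (orphaned) or references but that are absent (deleted). It assumes the standard Windows location of the key (Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU inside NTUSER.DAT, HKEY_CURRENT_USER on a live system) and the Explorer convention of appending a literal backslash-1 marker to each stored command. The sample values are constructed for the demonstration; the optional live-read helper uses the standard-library winreg module and simply returns None on a non-Windows host.

```python
"""Order RunMRU values by MRUList and document gaps (added example).

Key path assumed (standard Windows location, not taken from the page):
  NTUSER.DAT: Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU
"""
from __future__ import annotations

from dataclasses import dataclass

MRULIST_NAME = "MRUList"
RUNMRU_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Constructed sample: what a registry viewer would show under the key.
# "d" is deliberately left out of MRUList to show orphan handling.
SAMPLE_VALUES = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "regedit\\1",
    "c": "powershell\\1",
    "d": "calc\\1",
}


@dataclass
class RunMruEntry:
    rank: int          # 0 = most recently used per MRUList; -1 = not in MRUList
    value_name: str    # single-letter value name (a, b, c, ...)
    command: str       # command text with the trailing "\1" marker removed
    in_mrulist: bool   # False for values MRUList does not reference


def strip_marker(raw: str) -> str:
    """Explorer stores each command as '<command>\\1'; drop the marker."""
    return raw[:-2] if raw.endswith("\\1") else raw


def order_runmru(values: dict[str, str]) -> list[RunMruEntry]:
    """Return entries most-recent-first, then any orphaned values."""
    mrulist = values.get(MRULIST_NAME, "")
    entries: list[RunMruEntry] = []
    seen: set[str] = set()
    for rank, name in enumerate(mrulist):
        if name in seen:
            continue  # defensive: a letter repeated inside MRUList
        seen.add(name)
        raw = values.get(name)
        if raw is None:
            continue  # referenced but missing: reported by mrulist_gaps()
        entries.append(RunMruEntry(rank, name, strip_marker(raw), True))
    # Values present under the key but absent from MRUList: keep, but flag.
    for name in sorted(values):
        if name != MRULIST_NAME and name not in seen:
            entries.append(RunMruEntry(-1, name, strip_marker(values[name]), False))
    return entries


def mrulist_gaps(values: dict[str, str]) -> list[str]:
    """Letters named in MRUList that have no value: evidence of deleted entries."""
    return [c for c in values.get(MRULIST_NAME, "") if c not in values]


def format_report(values: dict[str, str]) -> str:
    """Plain-text record of the key suitable for examiner notes."""
    lines = [f"MRUList = {values.get(MRULIST_NAME, '<absent>')!r}"]
    for e in order_runmru(values):
        tag = f"#{e.rank}" if e.in_mrulist else "orphan"
        lines.append(f"{tag:>6}  {e.value_name}  {e.command}")
    for c in mrulist_gaps(values):
        lines.append(f"   gap  {c}  <value missing>")
    return "\n".join(lines)


def read_live_runmru() -> dict[str, str] | None:
    """Read HKCU RunMRU on a live Windows host; None elsewhere or if absent."""
    try:
        import winreg  # standard library, Windows only
    except ImportError:
        return None
    values: dict[str, str] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNMRU_SUBKEY) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                values[name] = str(data)
                index += 1
    except OSError:
        return None
    return values


if __name__ == "__main__":
    live = read_live_runmru()
    print(format_report(live if live is not None else SAMPLE_VALUES))
```

Run on an examiner workstation it prints the constructed sample; on a live Windows host it reads the current user's key instead. For offline hives from a forensic image, feed order_runmru() the value dictionary produced by whatever parser loads NTUSER.DAT (RegRipper's output can be transcribed the same way); the report also records the key's gaps, which is what you compare against Prefetch and Event Log timestamps during correlation.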