CIDSizeMRU

The CIDSizeMRU registry key tracks the size and position of the File Explorer screen.

Overview:

  • Purpose: Tracks file dialogs in Windows Explorer, showing which files were accessed or saved using file picker dialogs.

  • Registry Location:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU

  • Structure:

    • Stores file paths and recent directory usage.

Benefits for DFIR:

  • File Access Evidence: Indicates user interaction with files and directories.

  • Behavioral Analysis: Useful in identifying files that were recently accessed or saved.

How It Works:

  • Logs information about files accessed or saved through common dialog boxes, including:

    • File Path: Most recently accessed directories.

    • Timestamps: Indicate recency of usage.
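
For offline analysis, the following added example (not part of the original page or of any tool listed here) orders the key's entries by recency from raw value bytes already exported from a hive. It assumes the usual MRU layout, which the page does not spell out: an MRUListEx value of little-endian 32-bit indexes ending in 0xFFFFFFFF, and numbered binary values that begin with a null-terminated UTF-16LE string. The sample bytes and all function names are constructed for illustration.

```python
import struct

MRU_END = 0xFFFFFFFF  # assumed MRUListEx terminator

def parse_mrulistex(data: bytes) -> list[int]:
    """Return numbered value names in most-recent-first order."""
    order = []
    for off in range(0, len(data) - 3, 4):
        (idx,) = struct.unpack_from("<I", data, off)
        if idx == MRU_END:
            break
        order.append(idx)
    return order

def leading_utf16_string(data: bytes) -> str:
    """Decode the UTF-16LE string at the start of a value, up to its 00 00 terminator."""
    end = 0
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[:end].decode("utf-16-le", errors="replace")

def order_entries(values: dict[str, bytes]) -> list[tuple[int, str]]:
    """Pair each MRUListEx index with its decoded string, newest first."""
    out = []
    for idx in parse_mrulistex(values.get("MRUListEx", b"")):
        raw = values.get(str(idx))
        if raw is None:
            # Index still listed but its value is gone: worth noting in a report.
            out.append((idx, "<missing value>"))
        else:
            out.append((idx, leading_utf16_string(raw)))
    return out

def _sample(name: str) -> bytes:
    # Constructed value: string, terminator, then 16 bytes standing in for trailing data.
    return name.encode("utf-16-le") + b"\x00\x00" + bytes(16)

# Constructed sample, not taken from a real system.
SAMPLE = {
    "MRUListEx": struct.pack("<4I", 1, 0, 2, MRU_END),
    "0": _sample("notepad.exe"),
    "1": _sample("mspaint.exe"),
}

if __name__ == "__main__":
    for idx, text in order_entries(SAMPLE):
        print(f"{idx}\t{text}")
```

Only the key as a whole carries a last-write time, so the MRUListEx order is what ranks individual entries.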

Tools:

  • Registry Explorer: For manual extraction and analysis.

  • RegRipper: Automates parsing of CIDSizeMRU entries.
