The CIDSizeMRU registry key tracks the size and position of the File Explorer screen.
Purpose: Tracks file dialogs in Windows Explorer, showing which files were accessed or saved using file picker dialogs.
Registry Location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
Structure:
Stores file paths and recent directory usage.
File Access Evidence: Indicates user interaction with files and directories.
Behavioral Analysis: Useful in identifying files that were recently accessed or saved.
Logs information about files accessed or saved through common dialog boxes, including:
File Path: Most recently accessed directories.
Timestamps: Indicates recency of usage.
Registry Explorer: For manual extraction and analysis.
Regripper: Automates parsing of CIDSizeMRU entries.
Last updated 1 year ago