Loads the "information on the files recently opened or saved with the Windows Explorer common dialog box" stored in the registry file and information on the files you opened or saved through web browsers and applications. Using this command, you can see files recently opened or saved by the user.


reg-opensave-files [zipcharset=CHARSET] [zippath=ZIPFILE_PATH] FILE_PATH
Required Parameter
Path to the registry file. Using a wildcard (*) in the file name, you can retrieve all files containing a specific string pattern in the file name (e.g. :\data\registry\*.DAT). If you provided the zippath option, input the DAT file path in the ZIP file.
Optional Parameters
Character set to be used to decode the ZIP entry name and comment that are not encoded by UTF-8 encoding. Use the preferred MIME name or aliases registered in the following document:
Path to the ZIP file


The output fields are as follows:

file_pathStringFile path
file_extStringFile extension
file_sizeStringFile volume
access_atDateLast access time
created_atDateCreation time
modified_atDateLast modification time
mft_entry_indexBinaryMFT entry index
ntfs_seqIntegerNTFS sequence
last_writtenDateLast written time
orderIntegerFile order by extension


  1. Retrieve information by providing the file path.

    reg-opensave-files D:\data\registry\NTUSER.DAT
  2. Retrieve information when the zippath option is provided.

    reg-opensave-files zippath=D:\data\ registry\NTUSER.DAT
  3. Sort the order field by file extension.

    reg-opensave-files D:\data\registry\NTUSER.DAT
     | sort file_ext, order