reg-recent-docs
Retrieves a list of recently opened files from an NTUSER registry hive file. You can analyze the RecentDocs history recorded when files are opened in Windows Explorer.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Licensed command |
| Parallel execution | Not supported |
| Distributed execution | Not supported |
Syntax
reg-recent-docs [zippath=STR] [zipcharset=STR] PATH
Options
zippath=STR - Path to the ZIP file containing the registry hive file. When specified, the command reads the file matching PATH from inside the ZIP archive instead of from disk.
zipcharset=STR - Encoding of the ZIP entry names (default: utf-8).
Target
PATH - NTUSER.DAT registry hive file path. You can use a wildcard (*) to specify multiple files.
Output fields
| Field | Type | Description |
|---|---|---|
| _file | string | Original file name |
| file_name | string | Name of the recently opened file |
| file_ext | string | File extension. * for the global list without extension grouping |
| last_written | timestamp | Last write time of the registry key |
| order | integer | Order in the MRU (Most Recently Used) list. 0 is the most recent. |
Error codes
Parse errors
N/A
Runtime errors
N/A
Description
The reg-recent-docs command parses entries under the Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs key in an NTUSER.DAT registry hive file. This key records the history of files the user opened in Windows Explorer, organized into subkeys named after the file extension. Each subkey holds one numbered value per file and an MRUListEx value that lists those numbers in most-recently-used order.
The file_ext field indicates the extension group the entry belongs to. Entries directly under the RecentDocs key record the overall recent documents without extension grouping; in this case, the file_ext value is set to *. The order field is the position in the MRU (Most Recently Used) list; a smaller value means more recently opened. Note that last_written is the last-write time of the registry key, not a per-file timestamp: it is updated whenever the MRU list changes, so it normally tells you when the order 0 entry was added or promoted, while the times at which older entries were opened are not recorded in this key.
In forensic analysis, the NTUSER.DAT file is typically located at C:\Users\{username}\NTUSER.DAT. The hive is locked while the user is logged on, so acquire it from a disk image, a Volume Shadow Copy, or a raw-copy tool rather than with a plain file copy, and collect the NTUSER.DAT.LOG1 and NTUSER.DAT.LOG2 transaction logs alongside it, since the most recent changes may not yet have been flushed into the hive itself.
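To make the order and file_name fields concrete, the following added example (not part of this page or of the reg-recent-docs implementation) decodes a RecentDocs subkey the way the command reports it: MRUListEx is read as a run of little-endian DWORD value indices terminated by 0xFFFFFFFF, the first index being the most recent, and each numbered value is decoded as a NUL-terminated UTF-16LE file name followed by a shell item that is skipped. The registry values are constructed inline rather than read from a hive, the trailer standing in for the shell item is a placeholder, and the `.docx` subkey name is assumed to be what the command emits as file_ext; a dangling MRUListEx index is kept as a gap so the remaining order values stay meaningful.

```python
"""Decode RecentDocs MRU data into rows shaped like reg-recent-docs output.

All registry values below are constructed inline; no hive file is read.
"""
import struct

MRU_TERMINATOR = 0xFFFFFFFF


def parse_mrulistex(data: bytes) -> list[int]:
    """MRUListEx is a run of little-endian DWORD value indices, most recent
    first, terminated by 0xFFFFFFFF. Returns the indices in MRU order."""
    indices = []
    usable = len(data) - (len(data) % 4)  # ignore a trailing partial DWORD
    for (idx,) in struct.iter_unpack("<I", data[:usable]):
        if idx == MRU_TERMINATOR:
            break
        indices.append(idx)
    return indices


def decode_recent_doc_name(value: bytes) -> str:
    """A RecentDocs value starts with the file name as a NUL-terminated
    UTF-16LE string; the shell item that follows (pointing at the .lnk in the
    user's Recent folder) is ignored here. Scanning in 2-byte units avoids
    matching a 0x00 byte that belongs to an ASCII code unit such as 'a' (61 00)."""
    for off in range(0, len(value) - 1, 2):
        if value[off:off + 2] == b"\x00\x00":
            return value[:off].decode("utf-16-le")
    raise ValueError("no UTF-16LE terminator in RecentDocs value data")


def build_recent_docs(subkey_values: dict[str, bytes], file_ext: str) -> list[dict]:
    """Produce rows with file_name, file_ext and order. order is the position
    in MRUListEx, so 0 is the most recently opened file."""
    rows = []
    for order, idx in enumerate(parse_mrulistex(subkey_values["MRUListEx"])):
        raw = subkey_values.get(str(idx))
        if raw is None:
            # MRUListEx may reference a numbered value that no longer exists;
            # skip it but keep its position so later orders are unaffected.
            continue
        rows.append({"file_name": decode_recent_doc_name(raw),
                     "file_ext": file_ext, "order": order})
    return rows


def _make_value(name: str) -> bytes:
    """Constructed test data: the UTF-16LE name plus an opaque trailer that
    merely stands in for the shell item (the real item layout is not reproduced)."""
    stem = name.rsplit(".", 1)[0]
    trailer = b"\x2c\x00\x32" + (stem + ".lnk").encode("utf-8") + b"\x00"
    return name.encode("utf-16-le") + b"\x00\x00" + trailer + b"\x00\x00"


# Constructed stand-in for the RecentDocs\.docx subkey: three numbered values
# and an MRUListEx saying value 2 was opened last, then value 0, then value 1.
SAMPLE_DOCX_SUBKEY = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, MRU_TERMINATOR),
    "0": _make_value("budget.docx"),
    "1": _make_value("notes.docx"),
    "2": _make_value("invoice.docx"),
}

if __name__ == "__main__":
    for row in build_recent_docs(SAMPLE_DOCX_SUBKEY, ".docx"):
        print(row)
```

Running the block prints invoice.docx at order 0, budget.docx at order 1 and notes.docx at order 2, which is the ordering the `sort order` example below relies on. The same decoding applies to the values directly under RecentDocs (the file_ext == "*" group); only the subkey name differs.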
Examples
- Retrieving recent document history from an NTUSER.DAT file
reg-recent-docs /opt/logpresso/evidence/NTUSER.DAT
Retrieves all recent document history from the specified NTUSER.DAT file.
- Retrieving recent document history from an NTUSER.DAT file inside a ZIP archive
reg-recent-docs zippath=/opt/logpresso/evidence/registry.zip NTUSER.DAT
Retrieves recent document history from the NTUSER.DAT file inside the ZIP archive.
- Retrieving the overall recent document list in MRU order
reg-recent-docs /opt/logpresso/evidence/NTUSER.DAT | search file_ext == "*" | sort order
Retrieves the overall recent document list (without extension grouping) in MRU order, most recent first.
- Retrieving recent document statistics by file extension
reg-recent-docs /opt/logpresso/evidence/NTUSER.DAT | search file_ext != "*" | stats count by file_ext | sort -count
Aggregates the number of recently opened files by extension, excluding the global list so that each file is counted once.