reg-recent-docs
Loads the "information on the files and folders recently opened or executed by the user with Windows Explorer" stored in the registry file. With the loaded data, you can check information on files and folders opened or executed by the user and whether documents and folders have been executed. You can also use it to identify the user's behavior.
Syntax
reg-recent-docs [zipcharset=CHARSET] [zippath=ZIPFILE_PATH] FILE_PATH
Required Parameter
FILE_PATH
- Path to the registry file. Using a wildcard (
*
) in the file name, you can retrieve all files containing a specific string pattern in the file name (e.g.D:\data\registry\*.DAT
). If you provided thezippath
option, input the registry file path in the ZIP file.
Optional Parameter
zipcharset=CHARSET
- Character set to be used to decode the ZIP entry name and comment that are not encoded by UTF-8 encoding. Use the preferred MIME name or aliases registered in the following document: http://www.iana.org/assignments/character-sets/character-sets.xhtml
zippath=ZIPFILE_PATH
- Path to the ZIP file
Description
The output fields are as follows:
Field | Type | Description |
---|---|---|
file_name | String | File name |
file_ext | String | File extension |
last_written | Date | Last written time |
order | Integer | File order by extension |
Usage
-
Retrieve information by providing the file path.
reg-recent-docs D:\data\registry\NTUSER.DAT
-
Retrieve information when the
zippath
option is provided.reg-recent-docs zippath=D:\data\registry.zip registry\NTUSER.DAT
-
Sort the
order
field by file extension.reg-recent-docs D:\data\registry\NTUSER.DAT | sort file_ext, order