Windows Registry Artifacts: Insights into User Activity
- Mar 31, 2024
- 2 min read
Updated: Feb 24, 2025
------------------------------------------------------------------------------------------------------
1. Search History:
The "WordWheelQuery" registry key is a valuable artifact found in the Windows registry of Windows 7 to Windows 10 systems. It stores information about keywords searched for from the START menu bar, providing insights into user search behavior and interests.
NTUSER.DAT Hive.
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
------------------------------------------------------------------------------------------------------
2. Typed Path:
This key will show when you have manually typed a path into the Start menu or into the Explorer bar. This key would be useful in a situation where you are trying to show that the user had specific knowledge of a location.
NTUSER.DAT hive.
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
------------------------------------------------------------------------------------------------------
3. Recent Docs:
To understand this artifact in-depth check out the below article:
RecentDocs: Uncovering User Activity Through Recently Opened Files
------------------------------------------------------------------------------------------------------
4. Microsoft Office Recent Docs:
To understand this artifact in-depth check out the below article:
Tracking Recently Opened Files in Microsoft Office: A Forensic Guide:
------------------------------------------------------------------------------------------------------
5. Last Visited MRU / Open Save MRU
Have you noticed that when you save or open a file, the dialog box remembers the locations you previously saved to or opened from, and the files that were opened? That memory is kept in the registry, and it is what these two artifacts record.
(i) Open Save MRU
It acts as a repository for a history of files accessed or saved by users, offering a panoramic view of their digital footprint.
NTUSER.Dat Hive:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
Through CMD:
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
(ii) Last Visited MRU
The Last Visited MRU (Most Recently Used) artifact tracks the specific executable files used by an application to open files documented in the OpenSaveMRU key. Additionally, each value within this artifact also records the directory location for the last file accessed by that application.
NTUSER.Dat Hive:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
Through CMD:
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
LastVisitedPidlMRU: tracks the application executable used to open the files listed in OpenSavePidlMRU, together with the last file path that application used (program execution).
OpenSavePidlMRU: the values under this key record items entered in the Open/Save dialog (file knowledge).
*: this subkey tracks the most recent files of any extension entered in the Open/Save dialog.
------------------------------------------------------------------------------------------------------
6. Last Commands executed:
NTUSER.DAT Hive:
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Command:
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
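The three MRU artifacts above (WordWheelQuery in section 1, LastVisitedPidlMRU in section 5 and RunMRU here) each store their ordering differently: WordWheelQuery uses a binary MRUListEx of DWORD slot numbers, RunMRU uses a MRUList string of letters, and LastVisitedPidlMRU values start with a UTF-16LE executable name followed by a binary PIDL. The following decoder is an added example, not code from the original post; the sample values are constructed in-line to stand in for what a hive parser or `reg query` would return, and the dictionary shape (value name to raw data) is an assumption of this example rather than any library's API.

```python
"""Decode MRU-style values exported from an NTUSER.DAT hive.

Added example, not from the original post. The SAMPLE_* dictionaries are
constructed stand-ins for registry values; no real hive is read.
"""
import struct

MRULISTEX_TERMINATOR = 0xFFFFFFFF


def parse_mrulistex(blob: bytes) -> list[int]:
    """MRUListEx is a REG_BINARY array of little-endian DWORD slot numbers,
    most recent first, terminated by 0xFFFFFFFF. Trailing partial DWORDs are ignored."""
    order = []
    usable = blob[: len(blob) - len(blob) % 4]
    for (slot,) in struct.iter_unpack("<I", usable):
        if slot == MRULISTEX_TERMINATOR:
            break
        order.append(slot)
    return order


def utf16z(data: bytes) -> str:
    """Decode a NUL-terminated UTF-16LE string, dropping whatever follows the terminator."""
    text = data.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]


def decode_wordwheelquery(values: dict[str, bytes]) -> list[str]:
    """WordWheelQuery: numbered REG_BINARY values holding UTF-16LE search terms,
    returned most recent first according to MRUListEx."""
    order = parse_mrulistex(values["MRUListEx"])
    return [utf16z(values[str(slot)]) for slot in order]


def decode_runmru(values: dict[str, str]) -> list[str]:
    """RunMRU: lettered REG_SZ values ending in '\\1', returned most recent first
    according to the MRUList string."""
    commands = []
    for letter in values["MRUList"]:
        cmd = values[letter]
        if cmd.endswith("\\1"):
            cmd = cmd[:-2]
        commands.append(cmd)
    return commands


def decode_lastvisited_exe(blob: bytes) -> str:
    """LastVisitedPidlMRU: each value begins with the UTF-16LE executable name,
    NUL-terminated, followed by a binary PIDL for the last-used folder.
    Only the executable name is recovered here; the PIDL is left undecoded."""
    return utf16z(blob)


# Constructed sample data (not taken from any real system).
SAMPLE_WORDWHEEL = {
    "MRUListEx": struct.pack("<3I", 1, 0, MRULISTEX_TERMINATOR),
    "0": "quarterly report".encode("utf-16-le") + b"\x00\x00",
    "1": "vpn".encode("utf-16-le") + b"\x00\x00",
}
SAMPLE_RUNMRU = {"MRUList": "ba", "a": "cmd\\1", "b": "regedit\\1"}
SAMPLE_LASTVISITED = (
    "notepad.exe".encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x1f\x50\x00\x00"
)

if __name__ == "__main__":
    print("WordWheelQuery (newest first):", decode_wordwheelquery(SAMPLE_WORDWHEEL))
    print("RunMRU (newest first):", decode_runmru(SAMPLE_RUNMRU))
    print("LastVisitedPidlMRU executable:", decode_lastvisited_exe(SAMPLE_LASTVISITED))
```

The ordering lists matter as much as the values: a value that sits at slot 0 is not necessarily the most recent entry, so a timeline built from these keys should follow MRUListEx / MRUList rather than the value names.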

-------------------------------------------------------------------------------------------------------
7. Trusted Office Documents
To understand this artifact in-depth check out the below article:
Tracking Trusted Office Documents: A Key to Investigating Macro-Based Malware
------------------------------------------------------------------------------------------------------
8. Installed Applications
To understand this artifact in-depth check out the below article:
Windows Registry: A Forensic Goldmine for Installed Applications
------------------------------------------------------------------------------------------------------