RecentDocs: Uncovering User Activity Through Recently Opened Files

  • Feb 24
  • 2 min read

When investigating user activity on a Windows system, one of the most valuable forensic artifacts is the RecentDocs registry key. This key maintains a list of recently opened files and folders, allowing analysts to track file interactions, identify potentially suspicious behavior, and even estimate timeframes for when files were accessed.


-------------------------------------------------------------------------------------------------------------


Where is the RecentDocs Key Located?

The RecentDocs key is found in the user-specific registry hive:

NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

-------------------------------------------------------------------------------------------------------------


What Data Does RecentDocs Contain?


  • Last 150 Files Opened (Any Type) – The RecentDocs key itself stores the last 150 files opened, regardless of type.

  • Last 20 Files per Extension – RecentDocs creates subkeys for different file extensions (e.g., .docx, .pdf, .eml), each storing the last 20 files opened of that type.

  • Last 30 Folders Opened – RecentDocs also tracks the last 30 folders opened by the user.

  • MRU (Most Recently Used) Order – Items are stored in a list format, with Item 1 being the most recently accessed.

  • Potential Web Searches & Downloads – Some browsers and Windows search features may log visited websites and downloads under RecentDocs.


---------------------------------------------------------------------------------------------------------------------------


Understanding RecentDocs Timestamps

The RecentDocs key itself has a last write timestamp, which updates every time a new file is opened. However, individual entries within RecentDocs do not store timestamps—except for the most recently used item in each subkey.

🔹 How This Works:

  • If you open multiple .docx files, only the most recent one in the .docx subkey will have a timestamp.

  • Older entries remain in order but do not store exact access times.


Even though older entries lack timestamps, the MRU list order can help estimate time ranges.
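As an added example (not part of the original post), the following parser shows how the MRU order and the single key-level timestamp fit together when a per-extension subkey is examined offline. It assumes the documented value layout: MRUListEx is an array of little-endian DWORD indices, most recent first, terminated by 0xFFFFFFFF, and each numbered value begins with the file name as a null-terminated UTF-16LE string followed by a shell item. The sample values and the LastWrite timestamp are constructed.

```python
import struct


def parse_mrulistex(blob: bytes) -> list[int]:
    """Decode MRUListEx: little-endian DWORD indices, most recent first,
    terminated by 0xFFFFFFFF. Trailing partial bytes are ignored."""
    order = []
    usable = blob[: len(blob) - len(blob) % 4]
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def parse_entry_name(blob: bytes) -> str:
    """Each numbered value starts with the file name as a null-terminated
    UTF-16LE string; the shell item that follows is not parsed here."""
    end = 0
    while end + 1 < len(blob):
        if blob[end] == 0 and blob[end + 1] == 0:  # two-byte terminator
            break
        end += 2
    return blob[:end].decode("utf-16-le")


def recent_docs_timeline(values: dict[str, bytes], key_last_write: str) -> list[dict]:
    """Return the subkey's entries in MRU order. Only the most recent entry
    can be tied to the key's LastWrite time; older entries carry no timestamp
    of their own, so they are reported with None and only their rank."""
    timeline = []
    for rank, idx in enumerate(parse_mrulistex(values["MRUListEx"]), start=1):
        timeline.append({
            "rank": rank,
            "index": idx,
            "name": parse_entry_name(values[str(idx)]),
            "timestamp": key_last_write if rank == 1 else None,
        })
    return timeline


def _entry(name: str) -> bytes:
    # Constructed value: UTF-16LE name, terminator, dummy shell-item tail.
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00" + b"\x00" * 18


# Constructed sample of a ".docx" subkey: index 2 was opened last.
SAMPLE_DOCX_SUBKEY = {
    "0": _entry("budget.docx"),
    "1": _entry("offer_letter.docx"),
    "2": _entry("notes.docx"),
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}

if __name__ == "__main__":
    for e in recent_docs_timeline(SAMPLE_DOCX_SUBKEY, "2025-02-24T10:15:00Z"):
        print(e["rank"], e["name"], e["timestamp"] or "no individual timestamp")
```

On a real system the numbered values, MRUListEx and the key's LastWrite time would come from an offline copy of NTUSER.DAT via a registry parsing library rather than from the constructed dictionary above.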

---------------------------------------------------------------------------------------------------------------------------


How RecentDocs Helps in Forensic Investigations

🔍 1. Tracking User Activity

RecentDocs provides insight into what files and folders a user interacted with, helping investigators build a digital footprint.

💾 2. Recovering Deleted Evidence

Even if a file has been deleted, its record in RecentDocs remains until overwritten—allowing analysts to recover evidence of past activity.

🕵️ 3. Identifying Suspicious Behavior

  • Data Theft: If a user accessed multiple sensitive files before an unauthorized data transfer, it could indicate data exfiltration.

  • Malware Execution: If ransomware was detected on a system, RecentDocs might reveal which file triggered the infection.

  • Insider Threats: Analyzing which files were accessed before a breach can help determine whether an employee played a role.

---------------------------------------------------------------------------------------------------------------------------


Final Thoughts: A Simple Yet Powerful Forensic Tool

The RecentDocs registry key is an essential forensic artifact for understanding user interactions with files and folders. By analyzing its MRU lists, subkeys, and timestamps, investigators can track user behavior, uncover deleted evidence, and reconstruct activity timelines.


If you're conducting an investigation, don’t overlook RecentDocs—it could be the key to uncovering what really happened on a system! 🚀

---------------------------------------------------------------------------------------------------------------------------

Dean