When investigating user activity on a Windows system, knowing what files were accessed and when can provide critical insights. While Windows keeps a list of recently opened files in the RecentDocs registry key, Microsoft Office maintains an even more detailed record called File MRU (Most Recently Used). This registry key tracks documents, spreadsheets, and presentations opened in Office applications—often storing more history than RecentDocs.
-------------------------------------------------------------------------------------------------------------
Where Does Microsoft Office Store Recent Files?
Each version of Microsoft Office stores a File MRU list, which logs files opened in Word, Excel, PowerPoint, and other Office applications. The registry location varies based on the Office version and user account type:
For older Office versions (2013, 2016, 2019, Microsoft 365):
NTUSER\Software\Microsoft\Office\<version>\[App]\File MRU(Office 2016, 2019, and Microsoft 365 all use "16.0" because they share the same code base.)
For Microsoft 365 tied to a personal Microsoft account:
NTUSER\Software\Microsoft\Office\<version>\User MRU\LiveID_####\File MRU
For Microsoft 365 accounts tied to an organization (Azure Active Directory):
NTUSER\Software\Microsoft\Office\<version>\User MRU\ADAL\File MRUAlongside File MRU, Office also maintains a Place MRU key, which tracks folder locations accessed by the user.
-------------------------------------------------------------------------------------------------------------
What Information Can You Find in File MRU?
Each entry in File MRU contains:
✅ Full File Path – Unlike RecentDocs (which only stores filenames), File MRU lists the complete file location.
✅ Last Accessed Timestamp – Stored in Windows 64-bit FILETIME format (Big-Endian).
✅ Order of Access – The most recently opened document is stored as Item 1, followed by older entries.
✅ Up to 100+ Entries – Newer Office versions keep a longer history.
This is particularly useful because it allows forensic analysts to see exactly when a file was last opened and where it was stored (local drive, USB, network share, etc.).
-------------------------------------------------------------------------------------------------------------
Tracking More Than Just File Open Times: Reading Locations
Starting with Office 2013, Microsoft introduced the Reading Locations registry key, which remembers where a user left off in a document.
This is the feature behind the “Welcome back! Pick up where you left off” message when reopening a Word document.
Registry Location for Reading Locations
NTUSER\Software\Microsoft\Office\<version>\Word\Reading Locations
How Can This Data Be Used in Investigations?
Forensic analysts and cybersecurity professionals can use File MRU and Reading Locations to:
🔍 Track User Activity – Identify recently accessed files and determine if unauthorized documents were viewed.
💾 Recover Deleted Evidence – Even if a file is deleted, its MRU entry remains in the registry until overwritten.
📂 Identify Storage Locations – Determine if files were accessed from USB drives, network shares, or cloud folders.
⏳ Estimate Document Usage Duration – By comparing the File MRU (last opened time) with Reading Locations (last closed time), you can estimate how long a file was in use.
Final Thoughts
When conducting an investigation, don’t just stop at RecentDocs—dig deeper into the Microsoft Office registry keys for a clearer picture of file usage! 🚀
--------------------------------------------Dean----------------------------------------------------------
Comments