dissect.target.plugins.os.windows.regf.mru#

Module Contents#

Classes#

MRUPlugin

Return MRU data stored at various registry keys.

Functions#

Attributes#

dissect.target.plugins.os.windows.regf.mru.UserRegistryRecordDescriptor#
dissect.target.plugins.os.windows.regf.mru.RunMRURecord#
dissect.target.plugins.os.windows.regf.mru.RecentDocsRecord#
dissect.target.plugins.os.windows.regf.mru.OpenSaveMRURecord#
dissect.target.plugins.os.windows.regf.mru.LastVisitedMRURecord#
dissect.target.plugins.os.windows.regf.mru.ACMruRecord#
dissect.target.plugins.os.windows.regf.mru.MapNetworkDriveMRURecord#
dissect.target.plugins.os.windows.regf.mru.TerminalServerMRURecord#
dissect.target.plugins.os.windows.regf.mru.MSOfficeMRURecord#
class dissect.target.plugins.os.windows.regf.mru.MRUPlugin(target: dissect.target.Target)#

Bases: dissect.target.plugin.Plugin

Return MRU data stored at various registry keys.

The Windows registry contains various keys about Most Recently Used (MRU) files.

References

__namespace__ = 'mru'#
check_compatible()#

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

run()#

Return the RunMRU data.

The HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU registry key contains information about the most recent commands that have been performed by the Run application

References

recentdocs()#

Return the RecentDocs data.

The HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs registry key contains information about the last 10 documents that the currently logged on user accessed or executed via Windows Explorer.

References

opensave()#

Return the OpenSaveMRU data.

The HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU registry key contains information about the most recently opened or saved files.

References

lastvisited()#

Return the LastVisitedMRU data.

The HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU registry key contains information about the executable used by an application to open the files that are documented at the OpenSaveMRU registry key. Also each value tracks the directory location for the last file that was accessed by that application.

References

acmru()#

Return the ACMru (Windows Search) data.

The following keys are being searched:
  • HKCU\Software\Microsoft\Search Assistant\ACMru: This registry key contains the most recent search history from Windows default search.

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery: This registry key contains the most recent search history from Windows Explorer. (Windows >=7)

References

Known categories:
  • 5001: Internet Search Assistant

  • 5603: Windows XP files and folder search

  • 5604: “Word or phrase in a file” dialog box

  • 5647: “For computers or people” selection in Search Results dialog box

networkdrive()#

Return MRU of mapped network drives.

The HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerMap Network Drive MRU registry key contains information about the most recently used mapped network drives.

References

mstsc()#

Return Terminal Server Client MRU data.

msoffice()#

Return MS Office MRU keys.

dissect.target.plugins.os.windows.regf.mru.parse_mru_key(target, key, record)#
dissect.target.plugins.os.windows.regf.mru.parse_mru_ex_key(target, key, record)#
dissect.target.plugins.os.windows.regf.mru.parse_office_mru(target, key, record)#
dissect.target.plugins.os.windows.regf.mru.parse_office_mru_key(target, key, record)#