LastVisitedPidlMRU
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULastVisitedPidlMRU records which folder each application last accessed through the standard Windows Open or Save dialog. It stores both the executable name and the target folder as a binary PIDL, creating a direct link between a specific program and a specific directory — context that no other single artifact provides on its own.
Key Name
0, 1, 2 ... — REG_BINARY values each encoding an executable name and the PIDL of the last-visited folder; MRUListEx tracks access order
Trace Type
Execution
Hive
NTUSER.DAT
Last Write Time
Reflects the last time any application updated its dialog folder entry — use it to anchor Open/Save dialog activity to your investigation window and cross-correlate with file system timestamps.
User Specific
Yes Stored in NTUSER.DAT and scoped to the individual user account.
Forensic Value
- Tie specific apps to specific directories: You can prove that
winscp.exewas used to open a staging directory, or that7z.exewas pointed at an exfiltration folder — the application-folder pairing is explicit. - Prove dialog-based file interaction: Open/Save dialog usage implies a deliberate file selection, not a background process. This artifact counters "it ran automatically" defenses.
- Survive file and folder deletion: The PIDL data persists after the target folder is removed, retaining the folder path for investigative use even when the disk shows nothing, and more.