Oct 23, 2025 by Thibault Debatty
https://cylab.be/blog/448/exploring-windows-recentdocs-order-with-regedit-and-regripper
The Windows registry is a gold mine of information when performing forensic analysis. Among other things, it keeps track of all files recently opened by the user, for example to populate the ‘Recommended’ section in the Start menu, or the ‘Recent’ list in Windows Explorer.
This list is kept under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs and you can explore it yourself using the Registry Editor, for example…
Until recently, I could never remember with certainty the order in which elements are stored, so I decided to experiment by myself, and share my results with anyone interested…
On a Windows 11 VM, I created and opened 3 files: first.txt, second.txt and last.txt.
I first launched the Registry Editor and checked NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt. The key 0 contains the hexadecimal value of the first file, first.txt. This shows that in the Registry Editor, the last opened file is the one with the highest key name.
For the second test, I stopped the VM, mounted the disk image and used RegRipper to extract the recent docs entries from the registries. Similarly, entry 0 corresponded to first.txt and entry 2 was last.txt. This shows that in RegRipper, the last opened file is also the one with the highest key name.
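The ordering seen in both tests can also be read directly from the raw value data. The Python sketch below is an added example, not code from the original post or from RegRipper. It assumes each numbered value starts with the file name as NUL-terminated UTF-16LE, and that the subkey's MRUListEx value (not discussed in the tests above) lists value names most recent first as 32-bit little-endian integers ending in 0xFFFFFFFF; the sample bytes and the helper make_value are constructed for illustration.

```python
import struct

def decode_name(data: bytes) -> str:
    """File name stored as NUL-terminated UTF-16LE at the start of the value data."""
    for off in range(0, len(data) - 1, 2):      # step by 16-bit code unit, not by byte
        if data[off:off + 2] == b"\x00\x00":
            return data[:off].decode("utf-16-le", errors="replace")
    # No terminator found: decode whatever whole code units are present.
    return data[:len(data) & ~1].decode("utf-16-le", errors="replace")

def parse_mrulistex(data: bytes) -> list:
    """Value names in MRUListEx order (most recent first), stopping at 0xFFFFFFFF."""
    order = []
    for off in range(0, len(data) - 3, 4):
        (idx,) = struct.unpack_from("<I", data, off)
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def recent_order(values: dict) -> list:
    """Return [(value_name, file_name), ...] from most to least recently opened."""
    result = []
    for idx in parse_mrulistex(values.get("MRUListEx", b"")):
        data = values.get(str(idx))
        if data is not None:                    # skip indexes whose value is missing
            result.append((idx, decode_name(data)))
    return result

def make_value(name: str) -> bytes:
    """Constructed test data: name + NUL + filler standing in for the trailing binary data."""
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00constructed-filler"

# Constructed sample mirroring the test above: three files, each opened once.
SAMPLE = {
    "0": make_value("first.txt"),
    "1": make_value("second.txt"),
    "2": make_value("last.txt"),
    "MRUListEx": struct.pack("<4I", 2, 1, 0, 0xFFFFFFFF),
}

if __name__ == "__main__":
    for idx, name in recent_order(SAMPLE):
        print(idx, name)
```

Because MRUListEx holds the order explicitly, it is the value to check when a file has been opened more than once, a case the tests above did not cover.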
This blog post is licensed under CC BY-SA 4.0