If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.
Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
It appears that each time a user opens or saves a file through the standard Windows Open/Save dialog, the executable that showed the dialog and the folder it was last browsing are recorded under this key. The entries live in the per-user NTUSER.DAT hive under LastVisitedPidlMRU; applications that still use the older common-dialog API land in the LastVisitedPidlMRULegacy subkey instead.
For example, I opened this value in a copy of the user's ntuser.dat loaded under HKEY_USERS:
HKEY_USERS\C__Users_USERNAME_ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy\0
and could read the following strings out of the binary data:
notepad++.exe Windows\temp
which indicates that notepad++.exe last had the Open/Save dialog pointed at C:\Windows\temp. Note that this key records the folder, not the file: each value is the executable name in UTF-16 followed by a PIDL for the folder, and the file names themselves are kept in the sibling OpenSavePidlMRU key, grouped by extension.
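As an added illustration (this is my own example code, not from the original post, Microsoft, or any forensic tool), here is a small Python decoder for the binary values under LastVisitedPidlMRU. Each value starts with the executable name in UTF-16LE, a NUL terminator, then a PIDL (a list of SHITEMID structures ending in a zero-length item) for the last folder; the MRUListEx value orders the numbered values, newest first. The sample hive data is constructed by the builder functions in the file, and the PIDL parser is simplified: it reads drive roots and the 8.3 short names of filesystem items and ignores the 0xBEEF0004 extension blocks that real entries carry for the long name, so run it against real NTUSER.DAT data with that caveat in mind.

```python
"""Decode ComDlg32 LastVisitedPidlMRU-style values.

Constructed sample data: the bytes below are built by the helpers in this
file, not copied from a real hive. The PIDL parser is simplified: it reads the
8.3 short name of filesystem items and ignores the 0xBEEF0004 extension blocks
that real entries carry (those hold the Unicode long name).
"""
import struct

FS_NAME_OFFSET = 12  # within abID: type(1) pad(1) filesize(4) dosdate(2) dostime(2) attrs(2)


# --- builders for the constructed sample ------------------------------------

def build_fs_item(name: str, is_folder: bool = True) -> bytes:
    """Minimal filesystem SHITEMID: cb, type 0x31/0x32, fixed header, NUL-terminated short name."""
    kind, attrs = (0x31, 0x10) if is_folder else (0x32, 0x20)
    body = struct.pack("<BBIHHH", kind, 0, 0, 0, 0, attrs) + name.encode("ascii") + b"\x00"
    if len(body) % 2:  # keep each item an even number of bytes
        body += b"\x00"
    return struct.pack("<H", 2 + len(body)) + body


def build_drive_item(letter: str) -> bytes:
    """Drive SHITEMID (type 0x2F) whose abID carries the ASCII root path, e.g. 'C:\\'."""
    body = bytes([0x2F, 0x00]) + f"{letter}:\\".encode("ascii") + b"\x00" * 19
    return struct.pack("<H", 2 + len(body)) + body


def build_entry(exe: str, items) -> bytes:
    """One MRU value: UTF-16LE executable name, NUL terminator, then the folder PIDL."""
    pidl = b"".join(items) + b"\x00\x00"  # a PIDL ends with a zero-length SHITEMID
    return exe.encode("utf-16-le") + b"\x00\x00" + pidl


# --- decoder ----------------------------------------------------------------

def split_entry(value: bytes):
    """Return (executable_name, pidl_bytes). The name is UTF-16LE, so scan on even offsets."""
    for i in range(0, len(value) - 1, 2):
        if value[i:i + 2] == b"\x00\x00":
            return value[:i].decode("utf-16-le"), value[i + 2:]
    raise ValueError("executable name is not NUL-terminated")


def walk_pidl(pidl: bytes):
    """Yield the abID of each SHITEMID (cb, abID...) until the zero-length terminator."""
    off = 0
    while off + 2 <= len(pidl):
        cb = struct.unpack_from("<H", pidl, off)[0]
        if cb == 0:
            return
        if cb < 3 or off + cb > len(pidl):
            raise ValueError(f"corrupt SHITEMID at offset {off}")
        yield pidl[off + 2:off + cb]
        off += cb
    raise ValueError("PIDL has no terminator")


def pidl_to_path(pidl: bytes) -> str:
    """Render a folder PIDL as a path, using drive roots and 8.3 short names only."""
    parts = []
    for abid in walk_pidl(pidl):
        kind = abid[0]
        if kind == 0x2F:  # drive: ASCII root path after two header bytes
            parts.append(abid[2:].split(b"\x00", 1)[0].decode("ascii").rstrip("\\"))
        elif kind & 0x70 == 0x30:  # filesystem folder (0x31) or file (0x32)
            parts.append(abid[FS_NAME_OFFSET:].split(b"\x00", 1)[0].decode("ascii", "replace"))
        else:
            parts.append(f"<item type 0x{kind:02x}>")
    return "\\".join(parts)


def mru_order(mrulistex: bytes):
    """MRUListEx: little-endian uint32 value names, most recent first, ending in 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack("<I", mrulistex):
        if idx == 0xFFFFFFFF:
            break
        order.append(str(idx))
    return order


def decode_key(values: dict):
    """values maps value names ('MRUListEx', '0', '1', ...) to raw bytes; returns [(exe, folder)] newest first."""
    result = []
    for name in mru_order(values["MRUListEx"]):
        exe, pidl = split_entry(values[name])
        result.append((exe, pidl_to_path(pidl)))
    return result


# Constructed sample key: value '1' is the newest, '0' reproduces the post's notepad++ entry.
SAMPLE_KEY = {
    "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
    "0": build_entry("notepad++.exe", [build_drive_item("C"), build_fs_item("Windows"), build_fs_item("temp")]),
    "1": build_entry("mspaint.exe", [build_drive_item("C"), build_fs_item("Users"),
                                     build_fs_item("USERNAME"), build_fs_item("Pictures")]),
}

if __name__ == "__main__":
    for exe, folder in decode_key(SAMPLE_KEY):
        print(f"{exe:20} {folder}")
```

To use it on a real hive, read each value of the key into the dictionary (for a live system, winreg.EnumValue over the key; for an offline NTUSER.DAT, any hive parser) and call decode_key; the MRUListEx order is what tells you which executable used the dialog most recently, since the numbered value names themselves are reused.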
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.