Tuesday, October 27, 2015

Registry Shell\BagMRU Key

If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.


It appears that each time a folder is accessed on a Windows operating system, the folder is recorded under the BagMRU registry key. For example, I opened the following registry key:

HKEY_USERS\C__Users_USERNAME_AppData_Local_Microsoft_Windows_UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\14

There I was able to read the following values:


This would seem to me to indicate that a folder named login_scripts was accessed.
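To show what such a value actually holds, here is an added Python example (not code from the post): it decodes the key's MRUListEx ordering and the file-entry shell item whose ASCII primary name is the folder. The byte strings are constructed for a folder named login_scripts, not taken from the dump above.

```python
import struct
from datetime import datetime

FILE_ATTRIBUTE_DIRECTORY = 0x10

# Constructed sample BagMRU\14 value (not from the post's dump): one file-entry
# shell item for a folder named login_scripts, then the two-byte list terminator.
SAMPLE_BAGMRU_14 = (
    b"\x1c\x00"            # item size: 28 bytes
    b"\x31\x00"            # class type 0x31 = directory, then an unused byte
    b"\x00\x00\x00\x00"    # file size (0 for a folder)
    b"\x5b\x47\xc0\x4b"    # FAT modified date and time words: 2015-10-27 09:30:00
    b"\x10\x00"            # attributes: FILE_ATTRIBUTE_DIRECTORY
    b"login_scripts\x00"   # ASCII primary name, null-terminated
    b"\x00\x00"            # end-of-list terminator
)
# Constructed MRUListEx for the same key: subkey 14 was used most recently, then 3.
SAMPLE_MRULISTEX = struct.pack("<3I", 14, 3, 0xFFFFFFFF)

def parse_mrulistex(data: bytes) -> list:
    """MRUListEx: little-endian uint32 subkey numbers, most recent first, ending in 0xFFFFFFFF."""
    order = []
    for (n,) in struct.iter_unpack("<I", data[:len(data) - len(data) % 4]):
        if n == 0xFFFFFFFF:
            break
        order.append(n)
    return order

def fat_datetime(date_word: int, time_word: int):
    """Decode the packed DOS/FAT date and time words; an all-zero date means unset."""
    if date_word == 0:
        return None
    return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0xF, date_word & 0x1F,
                    time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)

def parse_file_entry_items(data: bytes) -> list:
    """Walk the shell items in a BagMRU value and decode the file-entry ones (class 0x3x).
    Reads the fixed header and ASCII primary name only; the 0xBEEF0004 extension block is skipped."""
    items, off = [], 0
    while off + 2 <= len(data):
        size = struct.unpack_from("<H", data, off)[0]
        if size == 0:                       # end-of-list terminator
            break
        item = data[off:off + size]
        if len(item) >= 14 and item[2] & 0x70 == 0x30:
            _, file_size, date_w, time_w, attrs = struct.unpack_from("<BIHHH", item, 3)
            items.append({"name": item[14:].split(b"\x00", 1)[0].decode("ascii", "replace"),
                          "is_directory": bool(attrs & FILE_ATTRIBUTE_DIRECTORY),
                          "size": file_size, "modified": fat_datetime(date_w, time_w)})
        off += size
    return items
```

Walking the BagMRU subkey tree and joining each level's decoded name reconstructs the full folder path the user browsed; MRUListEx gives the order in which the sibling folders were last viewed.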

NirSoft has a nice utility called ShellBagsView that allows you to view these values.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
