Retrieving the most...
 
Notifications
Clear all

Retrieving the most recently used word document

3 Posts
2 Users
0 Likes
375 Views
(@youcefb9)
Posts: 38
Eminent Member
Topic starter
 

What's the registry key (or other file system locations) that could potentialy locate the most recently used word documents (full path) in the system.

I am looking for a procedure that is guarantee to work in all Windows flavours (win2k, xp, 2003) and using any version of word (97, 2002, 2003,…etc).

regards

youcef

 
Posted : 03/05/2006 4:15 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

This is covered in the regref.xls file located in the Windows Forensic Analysis Group on Yahoo Groups.

Specifically, within the NTUSER.DAT file for each user, look for

\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

\Software\Microsoft\Office\{version}\Common\Open Find\{product}\Settings\Open\File Name MRU

\Software\Microsoft\Office\{version}\Common\Open Find\{product}\Settings\Save As\File Name MRU

\Software\Microsoft\Office\{version}\{app}\Recent Files

Harlan

 
Posted : 03/05/2006 5:31 am
(@youcefb9)
Posts: 38
Eminent Member
Topic starter
 

Harlan,
- how can you construct the full path given just the file name shown on RecentDocs?
- how can you tell the most recent from the RecentDocs?

The other keys you've mentioned didnt contain anything in my case (XP and word 2002). In addition the [Recent Files] key didnt exist at all (same thing is replicated in a test environment).

Is there any thing more conclusive.

The idea I got right now is an automated way of parsing [Documents and Settings\{user}\Recent] or its equivalent on other Windows systems, but this folder contains links. The solution I am envisaging is to parse the link file and grab the path of the target document. Alternatively I could open the link itself though I am not sure if opening a link using Windows ReadFile API would open the target file or the link itself.

Any ideas or clarifications on this.

regards

youcef

 
Posted : 03/05/2006 2:11 pm
Share: