Blog >> Run MRU

Investigating Run MRU

01/10/2021 Friday

The Run utility on Windows Systems enables the user to directly open an application, folder or document. In Windows 10, the Run utility can be accessed by right-clicking on Start > Run or by using the keyboard shortcut Windows Key + R. As seen in the figure below, the Run utility includes a drop-down list that shows the last commands executed via the Run dialog.



Items typed into the Windows Run dialog are recorded in the Registry under the RunMRU key. Deleting a value from RunMRU key will cause that entry to be removed from the history list of the Run utility. However, deleting the RunMRU key or any of its values does not remove the history list in Run utility immediately. The user has to close the Run window for the action to be effective.


Digital Forensics Value of Run MRU


The information maintained in the RunMRU key may shed some light on the user’s activity on the system. The Run MRU artifact is also used when suspecting an attack by a malicious actor as it can indicate the execution of a program or even a script on a device. In addition, this artifact proved to be helpful when investigating access to files and applications on removable storage devices or remote systems.


Location of Run MRU Artifact


RunMRU key is located at: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU


Structure of Run MRU Artifact


RunMRU key contains multiple values that are named for lowercase letters. These values store the commands that a user run using the Run utility. The first value added is named “a”, the second value is named “b”, then, “c” and so on. However, the names of the values do not always reflect the order in which the commands were typed into the Run box. This information is maintained in the “MRUList” value which is a string that lists the order in which each value beneath the RunMRU key was last accessed. For instance, in the figure below, the first letter listed in the MRUList is “c”. The value named “c” stores the command “chrome” which means that the most recent command typed into the Run box is “chrome”.



Analyzing Run MRU Artifact with ArtiFast Windows


This section discusses how to use ArtiFast Windows to analyze Run MRU artifact from Windows machines and what kind of digital forensics insight we can gain from the artifact.

After you have created your case and added evidence for the investigation, at the Artifacts Selection phase, you can select Run MRU Artifact:






Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of Run MRU artifact in ArtiFast Windows.


Run MRU Artifact