The Run utility on Windows Systems enables the user to directly open an application, folder or document. In
Windows 10, the Run utility can be accessed by right-clicking on Start > Run or by using the keyboard shortcut
Windows Key + R. As seen in the figure below, the Run utility includes a drop-down list that shows the last
commands executed via the Run dialog.
Items typed into the Windows Run dialog are recorded in the Registry under the RunMRU key. Deleting a value from RunMRU key will cause that entry to be removed from the history list of the Run utility. However, deleting the RunMRU key or any of its values does not remove the history list in Run utility immediately. The user has to close the Run window for the action to be effective.
The information maintained in the RunMRU key may shed some light on the user’s activity on the system. The Run MRU artifact is also used when suspecting an attack by a malicious actor as it can indicate the execution of a program or even a script on a device. In addition, this artifact proved to be helpful when investigating access to files and applications on removable storage devices or remote systems.
RunMRU key is located at: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
RunMRU key contains multiple values that are named for lowercase letters. These values store the commands
that a user run using the Run utility. The first value added is named “a”, the second value is named “b”,
then, “c” and so on. However, the names of the values do not always reflect the order in which the commands
were typed into the Run box. This information is maintained in the “MRUList” value which is a string that
lists the order in which each value beneath the RunMRU key was last accessed. For instance, in the figure
below, the first letter listed in the MRUList is “c”. The value named “c” stores the command “chrome” which
means that the most recent command typed into the Run box is “chrome”.
This section discusses how to use ArtiFast Windows to analyze Run MRU artifact from Windows machines and
what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifacts Selection phase, you can select Run MRU Artifact:
Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of Run MRU artifact in ArtiFast Windows.
Run MRU Artifact