RecentDocs: Uncovering User Activity Through Recently Opened Files

  • Feb 24, 2025
  • 3 min read

Updated: Mar 28


If you could only look at one registry key to understand what a user has been doing on a machine, RecentDocs would be a strong contender for that slot. It's not the most dramatic artifact in Windows forensics. It doesn't catch malware or map network connections.


What it does is something arguably more valuable in many investigations: it tells you, in meticulous order, exactly what files and folders a human being was interacting with.

That word — human — matters.


Automated attacks don't open Word documents and browse through folder structures. When RecentDocs is full of activity, someone was sitting at that keyboard.

-------------------------------------------------------------------------------------------------------------

What RecentDocs Actually Tracks

The key lives at:

NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

The parent key maintains a rolling list of the last 150 items opened of any type — files, folders, and in Windows 10 and later, even newly created items before they're opened.

Beneath it, a sprawling collection of child subkeys organizes everything by file extension.

Each extension subkey tracks the last 20 items of that type, with a full MRU list recording the exact order in which they were opened.

The Folder subkey gets special treatment — it tracks the last 30 folders accessed and stands alongside the extension subkeys as its own organized category.



-------------------------------------------------------------------------------------------------------------

The Extension Subkeys Tell Their Own Story

Before you even open the individual entries, simply seeing which extension subkeys exist under RecentDocs is informative. Subkeys only get created when a file of that type is accessed — so the presence of certain extensions is itself evidence.


The extension inventory alone can tell you which applications were in use, what types of data were being accessed, and which areas of the filesystem to investigate next.



-------------------------------------------------------------------------------------------------------------

Timestamps: The Complicated Part (And the Powerful Part)

Here's where RecentDocs goes from useful to genuinely sophisticated — and where a lot of analysts leave value on the table by not understanding the timestamp mechanics fully.


The raw data in RecentDocs is stored as binary, MRU lists are encoded, and timestamps don't work the way you might expect. Only registry keys have timestamps — individual values do not. So a key with 20 entries only has one timestamp: the Last Write Time, which reflects when the most recently used (MRU position 0) item was last interacted with.

Registry Explorer's "Recent Documents" plugin handles all of this decoding automatically — but understanding what it's doing helps you interpret the results correctly.
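As an added illustration of the decoding described above (this is example code, not the post's or Registry Explorer's), the Python below parses a constructed RecentDocs-style extension subkey: it reads the MRUListEx index list and the UTF-16LE name at the head of each numbered value, and resolves them into the ordered list of recently opened files. The sample values, and the filler bytes standing in for the shell item that follows each name, are constructed for the example and are not data from a real hive.

```python
import struct

MRULISTEX_END = 0xFFFFFFFF  # terminator DWORD at the end of every MRUListEx

def make_value(name: str) -> bytes:
    """Constructed stand-in for a RecentDocs numbered value: the UTF-16LE file
    name, its two-byte NUL terminator, then filler in place of the shell item
    that Explorer appends (the real blob is not needed to recover the name)."""
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x32" + b"\x00" * 17

# Constructed sample subkey (not from a real hive): four .pdf values and an
# MRUListEx saying value 1 was opened most recently, then 2, then 0, then 3.
SAMPLE_VALUES = {i: make_value(n) for i, n in enumerate(
    ["Test1.pdf", "Test2.pdf", "Test3.pdf", "Old report.pdf"])}
SAMPLE_MRULISTEX = struct.pack("<5I", 1, 2, 0, 3, MRULISTEX_END)

def parse_mrulistex(data: bytes) -> list[int]:
    """Decode MRUListEx: little-endian DWORD value indices, most recent first,
    up to (not including) the 0xFFFFFFFF terminator."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data[: len(data) - len(data) % 4]):
        if idx == MRULISTEX_END:
            break
        order.append(idx)
    return order

def parse_name(data: bytes) -> str:
    """Return the UTF-16LE name that opens every RecentDocs value, stopping at
    the first code-unit-aligned NUL pair (the shell item follows it)."""
    end = 0
    while end + 1 < len(data) and (data[end] or data[end + 1]):
        end += 2
    return data[:end].decode("utf-16-le", errors="replace")

def ordered_entries(values: dict[int, bytes], mrulistex: bytes) -> list[tuple[int, int, str]]:
    """Resolve MRUListEx against the numbered values, giving
    (mru_position, value_index, name) with position 0 the most recent.
    An index present in the list but missing as a value is reported, not skipped."""
    out = []
    for pos, idx in enumerate(parse_mrulistex(mrulistex)):
        raw = values.get(idx)
        out.append((pos, idx, parse_name(raw) if raw is not None else "<missing value>"))
    return out

if __name__ == "__main__":
    for pos, idx, name in ordered_entries(SAMPLE_VALUES, SAMPLE_MRULISTEX):
        print(f"MRU {pos}: value {idx} -> {name}")
```

Only the subkey's Last Write Time attaches to the item at MRU position 0; the remaining positions carry order alone, which is what the bracketing technique below builds on.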


The Magic of MRU-Based Bracketing

Here's where RecentDocs becomes more than just a file access log — it becomes a temporal reasoning engine.

Even items without explicit timestamps carry investigative value because of their position in the MRU list.


The MRU list is an ordered sequence:
  • item 0 is the most recently accessed

  • item 1 was accessed before that

  • item 2 before that, and so on.

Every item's position tells you its relationship to every other item's timestamp.


Take the PDF in the example above, Test3.pdf. It has no timestamp of its own — it's not the most recently opened PDF, so it doesn't inherit the .pdf subkey's Last Write Time. But it sits between two items that do have timestamps.


The result: even without a direct timestamp, you can say with confidence that PDF was opened somewhere between October 13 and October 15. In many investigations, a two-day bracket is more than sufficient to answer the question being asked.
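The bracketing logic above, as an added worked example (not the author's or Registry Explorer's code): given the parent key's MRU order and the Last Write Time of each extension subkey, it assigns each subkey's timestamp to that subkey's MRU 0 item and then bounds every other item by its nearest timestamped neighbours, generalising the Test3.pdf case to the whole list. The file names and timestamps are constructed for the example; the inherited-timestamp rule and the Folder subkey handling follow the post's description.

```python
from datetime import datetime, timezone
from pathlib import PureWindowsPath
from typing import Optional

Entry = tuple[str, Optional[datetime]]

# Constructed sample (not from a real hive): the parent RecentDocs MRU, most
# recent first, and the Last Write Time of each extension subkey.
PARENT_MRU = ["Report.pdf", "Notes.docx", "Test3.pdf", "Budget.xlsx",
              "Projects", "Photo.jpg", "Test1.pdf"]
SUBKEY_LAST_WRITE = {
    ".pdf": datetime(2024, 10, 15, 9, 30, tzinfo=timezone.utc),
    ".docx": datetime(2024, 10, 15, 9, 5, tzinfo=timezone.utc),
    ".xlsx": datetime(2024, 10, 13, 16, 45, tzinfo=timezone.utc),
    "Folder": datetime(2024, 10, 12, 11, 0, tzinfo=timezone.utc),
    ".jpg": datetime(2024, 10, 11, 8, 0, tzinfo=timezone.utc),
}

def assign_inherited_times(parent_mru, subkey_last_write) -> list[Entry]:
    """Walk the parent MRU. The first item seen for each extension is MRU 0 of
    that extension subkey (names without an extension belong to Folder), so it
    inherits the subkey's Last Write Time; later items of that type get None."""
    seen, out = set(), []
    for name in parent_mru:
        ext = PureWindowsPath(name).suffix.lower() or "Folder"
        ts = subkey_last_write.get(ext) if ext not in seen else None
        seen.add(ext)
        out.append((name, ts))
    return out

def bracket(entries: list[Entry]):
    """Return (name, not_before, not_after) per item. A timestamped item is its
    own bound; an untimestamped one is bounded by the nearest timestamped item
    further down the list (older) and further up (newer); None = unbounded."""
    n = len(entries)
    newer, older = [None] * n, [None] * n
    last = None
    for i in range(n):                 # walk down: carry the newest bound seen
        newer[i] = last
        last = entries[i][1] or last
    last = None
    for i in range(n - 1, -1, -1):     # walk up: carry the oldest bound seen
        older[i] = last
        last = entries[i][1] or last
    return [(name, ts, ts) if ts else (name, older[i], newer[i])
            for i, (name, ts) in enumerate(entries)]

if __name__ == "__main__":
    for name, lo, hi in bracket(assign_inherited_times(PARENT_MRU, SUBKEY_LAST_WRITE)):
        print(f"{name:14} not before {lo}  not after {hi}")
```

In the sample, Test3.pdf comes out bounded by Budget.xlsx (October 13) below and Notes.docx (October 15) above, while an untimestamped item at the very bottom of the list gets only an upper bound.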



-------------------------------------------------------------------------------------------------------------

How RecentDocs Helps in Forensic Investigations

1. Tracking User Activity

RecentDocs provides insight into what files and folders a user interacted with, helping investigators build a digital footprint.

2. Recovering Deleted Evidence

Even if a file has been deleted, its record in RecentDocs remains until overwritten—allowing analysts to recover evidence of past activity.

3. Identifying Suspicious Behavior

  • Data Theft: If a user accessed multiple sensitive files before an unauthorized data transfer, it could indicate data exfiltration.

  • Malware Execution: If ransomware was detected on a system, RecentDocs might reveal which file triggered the infection.

  • Insider Threats: Analyzing which files were accessed before a breach can help determine whether an employee played a role.



---------------------------------------------------------------------------------------------------------------------------

The Human Signal in RecentDocs

There's one final observation worth making explicit.


When you find rich, active RecentDocs data — documents opened, folders browsed, files saved — you're not just looking at file access history. You're looking at the footprint of a person actively using a machine.
  • Automated malware doesn't open Word documents to read them.

  • Ransomware doesn't browse folder hierarchies through File Explorer before encrypting them — it operates programmatically.

A busy RecentDocs key is, almost by definition, evidence of a human in the loop.


-------------------------------------------------------------------------------------------------------------

Dean

© 2023 by Cyberengage. All rights reserved.