VIEW PROGRAMS RUN BY THE USER

The registry stores information on the programs that the user ran using the Run dialog Win + R. This information is present in the NTUSER.DAT hive

#access registry editor
PS C:\> Start-Process regedit

#navigate
REGISTRY> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

 Name		    Type		Data
 (Default)	REG_SZ	(value not set)
 a			    REG_S		cmd
 b 			    REG_S		notepad
 c 			    REG_S		regedit
 d 			    REG_S		calc
 e 			    REG_S		powershell
 ...
 MRUList	  REG_S		jihgabcdef

PreviousVIEWING CONNECTED USB DEVICES NextKAPE

Last updated 1 day ago