Wednesday, June 8, 2016

RecentDocs Python Script

This is a quick post to introduce a script I wrote to parse the RecentDocs (Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs) key in the NTUSER.dat registry file. The script can be found on Github.

The RecentDocs key in the registry stores the files most recently opened by a user. Within the RecentDocs key is the MRUListEx value, which stores the order in which the files were accessed, with the most recent file first. There are also subkeys for each file extension opened by the user. Each of these subkeys has a last write time and its own MRUListEx value. The last write time of each subkey corresponds to the time the first entry in that subkey's MRUListEx was opened. Using these timestamps, along with the RecentDocs key's last write time and the MRUListEx value there, we can get a better idea of when a file was opened, even if it is not the most recent file that was opened. Dan (@4n6k) has already documented this on his blog. He did a great job of explaining it, so rather than repeating it here I'll refer you to his post.

Now, back to the script. First I'd like to note that Eric Opdyke (@EricOpdyke) created a similar script long ago. You can find it here. However, Eric's script needs to be run on Windows due to its use of Python's winreg module. I wanted something that I could run on OS X or Ubuntu as well as Windows, and I also wanted to practice and learn Python.

The script uses Willi Ballenthin's python-registry project (install through pip: pip install python-registry). It will output the list of filenames in order with the associated timestamps. Usage is simple. Only the -f option is required to specify the NTUSER.dat file of interest. If no other option is used, output will be to the console. If the -o option is used, the output will be written to the file specified.

Note that the output to file is in Unicode (UTF-16). Notepad on Windows and TextEdit on OS X will open the file and display it without any issues, as should any text editor that can handle UTF-16. This is to handle foreign characters in filenames. Because the Windows command prompt does not properly display Unicode, the 0x00 bytes are removed from the output to the console. For most cases where the filename is in English, this won't be a problem. However, if there are filenames with foreign characters you should use the -o option.

Below is sample output to the console on a Mac:
Fig. 1 - Output to console

As you can see on the screenshot above, the first line of the output doesn't look right. That's because the actual filename is in foreign characters. The screenshot below shows what the output looks like when it is written to a text file with the -o option.
Fig. 2 - Output to file
Now the filename is rendered correctly.
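To make the structures described above concrete, here is an added example of my own (not the script from this post, nor anything from python-registry's authors) that parses MRUListEx and the RecentDocs value data from constructed bytes, applies the key/subkey last-write logic to build a small timeline, and reproduces the console workaround of dropping 0x00 bytes so you can see why the -o option is needed for non-Latin filenames. The sample values and timestamps are constructed, not real data. The load_recentdocs helper is the only part that needs a real NTUSER.dat and the python-registry package; it uses the method names I know from that library (Registry.open, key.values, key.subkeys, key.timestamp, value.name, value.raw_data) and is not exercised by the built-in demo.

```python
"""Added example: offline parsing of the RecentDocs key structures (not the post's script)."""
import os
import struct
from datetime import datetime, timezone

MRU_TERMINATOR = 0xFFFFFFFF
RECENTDOCS_PATH = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs"


def parse_mrulistex(data):
    """MRUListEx is a list of little-endian DWORD indices, most recent first,
    terminated by 0xFFFFFFFF. Returns the indices in MRU order."""
    order = []
    for off in range(0, len(data) - 3, 4):           # a trailing partial DWORD is ignored
        idx = struct.unpack_from("<I", data, off)[0]
        if idx == MRU_TERMINATOR:
            break
        order.append(idx)
    return order


def parse_recentdoc_name(data):
    """Each RecentDocs value begins with the file name as UTF-16LE, NUL-terminated,
    followed by a shell item naming the matching .lnk; only the name is decoded here."""
    for i in range(0, len(data) - 1, 2):             # scan on 2-byte boundaries
        if data[i] == 0 and data[i + 1] == 0:
            return data[:i].decode("utf-16-le")
    return data.decode("utf-16-le", errors="replace")  # unterminated value: best effort


def console_name(data):
    """Reproduce the console workaround the post describes (assumed implementation):
    strip 0x00 bytes from the UTF-16LE name. ASCII survives; other scripts are garbled."""
    raw = parse_recentdoc_name(data).encode("utf-16-le")
    return raw.replace(b"\x00", b"").decode("latin-1")


def build_timeline(root, ext_keys):
    """root = (values, last_write); ext_keys = {".docx": (values, last_write), ...}.
    A key's last-write time dates only the first entry of that key's MRUListEx, so the
    root key dates the newest file and each extension subkey dates its own newest file."""
    root_values, root_lw = root
    timeline = []
    for pos, idx in enumerate(parse_mrulistex(root_values["MRUListEx"])):
        raw = root_values.get(str(idx))
        if raw is None:
            continue                                  # index without a value: skip, don't guess
        name = parse_recentdoc_name(raw)
        opened = root_lw if pos == 0 else None
        ext = os.path.splitext(name)[1].lower()
        if opened is None and ext in ext_keys:
            ext_values, ext_lw = ext_keys[ext]
            ext_order = parse_mrulistex(ext_values["MRUListEx"])
            first = ext_values.get(str(ext_order[0])) if ext_order else None
            if first is not None and parse_recentdoc_name(first) == name:
                opened = ext_lw                       # this file is the subkey's newest entry
        timeline.append((name, opened))
    return timeline


def load_recentdocs(ntuser_path):
    """Read the same structures from a real NTUSER.dat via python-registry
    (pip install python-registry). Imported lazily so the constructed demo runs without it."""
    from Registry import Registry                     # third-party; only needed here
    reg = Registry.Registry(ntuser_path)
    key = reg.open(RECENTDOCS_PATH)

    def dump(k):
        return {v.name(): v.raw_data() for v in k.values()}, k.timestamp()

    return dump(key), {sk.name().lower(): dump(sk) for sk in key.subkeys()}


def make_entry(name):
    """Constructed RecentDocs value: UTF-16LE name, NUL terminator, then a dummy shell item."""
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00CONSTRUCTED-SHELLITEM"


def make_mru(*indices):
    """Constructed MRUListEx bytes."""
    return b"".join(struct.pack("<I", i) for i in indices) + struct.pack("<I", MRU_TERMINATOR)


# Constructed sample hive contents: three files, budget.xlsx opened most recently.
SAMPLE_ROOT = (
    {"0": make_entry("report.docx"), "1": make_entry("notes.txt"),
     "2": make_entry("budget.xlsx"), "MRUListEx": make_mru(2, 0, 1)},
    datetime(2016, 6, 8, 10, 0, tzinfo=timezone.utc),
)
SAMPLE_EXT = {
    ".docx": ({"0": make_entry("report.docx"), "MRUListEx": make_mru(0)},
              datetime(2016, 6, 7, 9, 0, tzinfo=timezone.utc)),
    ".txt": ({"0": make_entry("notes.txt"), "MRUListEx": make_mru(0)},
             datetime(2016, 6, 6, 8, 30, tzinfo=timezone.utc)),
    ".xlsx": ({"0": make_entry("budget.xlsx"), "MRUListEx": make_mru(0)},
              datetime(2016, 6, 8, 10, 0, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for name, opened in build_timeline(SAMPLE_ROOT, SAMPLE_EXT):
        print(opened.isoformat() if opened else "unknown", name)
```

Run as-is to see the three constructed files in MRU order with a timestamp for each; swap the sample for load_recentdocs("NTUSER.dat") to run it against a real hive. Files that are neither first in the root list nor first in their extension subkey get no timestamp, which is the honest answer rather than a guess.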

I hope this script will be useful. Please feel free to provide any comments or suggestions for improvement. 

1 comment:

  1. Nice! I use this as my go-to script for RecentDocs timelining now. Good stuff; keep it up.