Microsoft Office 2013 continues to yield very interesting artifacts related to user activity. Harlan recently posted about the “PendingChanges” subkeys in relation to PowerPoint, and I have previously posted about MS Word’s “Reading Locations” subkeys as well as the last saved location metadata in Excel 2013 spreadsheets. The registry, specifically the NTUSER.DAT hive, has been particularly interesting in terms of the Office 2013-related information it stores.
In Harlan’s earlier post, he identified references to the PowerPoint presentation he had opened in PowerPoint 2013 in the “File MRU” and “Place MRU” subkeys of “HKEY_CURRENT_USERSoftwareMicrosoftOffice15.0ExcelUser MRULiveId_xxx”. The “File MRU” and “Place MRU” subkeys appear to track files and directories recently accessed by the application, with the “Item 1” value corresponding to the most recently accessed item, “Item 2” the next most recently accessed, etc..
|Office 2013 Sign in Option|
When a user is not signed into a Live ID account, references to the files and directories recently accessed by PowerPoint, Word, and Excel are stored in the “HKEY_CURRENT_ USERSoftware MicrosoftOffice15.0[programName]File MRU” and “HKEY_ CURRENT_USERSoftware MicrosoftOffice15.0 [programName]Place MRU” subkeys. When a user signs into a Live ID account (using the Office 2013 sign in option), the recently accessed files and directories appear to be tracked in “HKEY_ CURRENT_USERSoftwareMicrosoftOffice 15.0[programName]User MRU LiveId_xxx” under the respective File and Place MRU subkeys.
Interestingly, it appears that a new LiveId_xxx subkey is created each time a new Live ID account is signed in to through the Office 2013 interface. Based on my limited testing thus far, the File and Place MRUs of each LiveId_xxx subkey appear to be updated independently from one another (updates depend on which Live ID account is signed in) as well as independent from the File and Place MRUs maintained when a user is not signed into a Live ID account. This means that you could see multiple sets of File and Place MRUs per application, all within a single NTUSER.DAT hive!
As Harlan mentioned in his previous post, each Item # value in the File and Place MRU subkeys should contain data similar to “[F00000000][T01CF2DF40FEB4220][O00000000]*Z:FilesPresentation1.pptx”, with the value in the second set of brackets being a FILETIME structure that corresponds to the last time the file or directory was accessed from the application. This means that not only do we have an independent File and Place MRU subkey for each Live ID account that signed in to the system (as well as a File and Place MRU for when the user is not signed into a Live ID account), but we are also provided with the last time each item within each MRU list was accessed.
Regardless of whether a Live ID account was signed in or which Live ID account was used to access a file, usage history still appears to be recorded in the familiar RecentDocs subkey as well as the application’s associated jump list. These artifacts can serve to provide a file access history (regardless of the Live ID account used to access the file) as well as to help correlate and confirm data located in other artifacts.
Based on initial testing, the File and Place MRU list per Live ID account does not appear to be updated properly on Windows 7 running Office 2013. More research will be necessary to determine the value and reliability of this artifact under Windows 7. The majority of my testing as it relates to the File and Place MRUs has been with Windows 8.1, which appears to be consistent in updating the appropriate MRU list. I’ve only tested the addition of Live ID-associated File and Place MRUs with Word, Excel, and PowerPoint 2013, so the differences in MRUs as compared to previous versions of Office likely extend beyond these three applications.