We help IT Professionals succeed at work.

recent accessed documents on windows 7 computers

aside from c:\users\username\appdata\roaming\microsoft\windows\recent and c:\users\username\appdata\roaming\microsoft\office\recent

are there any others folders on a windows 7 machine that would give clues about files a user has recently accessed? I have read about a "recent places" folder but cant find it on a copy of a users hdd.
Watch Question

Manager; IT Consultant
There are many places that keep track of where a user has been.
Each application uses its own method for tracking this.
A lot of it is in the Registry, some are in "INI" files in the clear, some are in encrypted files

If you use CCleaner, it will remove these tracks. See http://www.piriform.com/ccleaner
If you download CCEnhancer it will delete 100's of other files, logs, history & links. See https://singularlabs.com/software/ccenhancer/ 

If you want to forensically analyse a computer, then you could start CCleaner, BUT do NOT use this further than just to "Analyse"  

In addition, every file that you open could leave hidden traces on your hard drive that could indicate file content. A program like Recuva can find this "crumbs" . See https://www.piriform.com/recuva/download

And here is a free utility that can make your life a little easier if your purpose is to do a forensic analysis:


OpenSaveFilesView is a simple tool that displays the list of files that you previously opened with the standard open/save dialog-box of Windows. For every file in the list, the following information is displayed: Filename, Extension, Order (The order that the files were opened for every file extension), Open Time (Available only for the last opened file of every file type), File Modified/Created Time, File Size, and File Attributes.

Actually that web site has other utilities that you might find interesting for forensic purpose
btanExec Consultant
Distinguished Expert 2019
Some area of interest
-  Recently opened files from Windows Explorer
- Items recently ran from the "Run" bar
- ComDlg32 recently opened/saved files
- ComDlg32 recently opened/saved folders
- Recent Docs
- Recycle Bin
- Internet Explorer Temp Folder (IE Cache)
- IE Typed URLs
- Recently Opened Office Docs
- Files recently accessed by Windows Media Player


also on anti-forensic attempts
Most of us are familiar with the RecentDocs key within the user hive.  This is one of the classic MRU keys, as the key itself and all of it's subkeys contain values, and on Windows 7 systems, one of the values is named MRUListEx, and contains the MRU order of the other keys. The other values beneath each key are numbered, and the data is a binary format that contains the name of the file accessed, as well as the name of an associated shortcut/LNK file.

Each of the subkeys beneath this key are named for various file extensions, and as such, not only provide information about which files the user may accessed, but also which applications the user may have had installed.

A means for determining the possible use of counter-forensics techniques is to compare the list of value names against the contents of the MRUListEx value; numbers in this value that do not have corresponding value names may indicate attempts to delete individual values.

Tools: RegRipper recentdocs.pl plugin
Drill into the registry for more info as it is not necessary only in 'Recent' folder
MS Office File/Place MRU Values
Each of the applications within MS Office 2010 maintains an MRU list of not only files accessed, but places from which files have been accessed (in separate keys).  In addition to the paths to the files or folders, respectively, the value string data contain entries that look like, "[T01CD76253F25ECD0]", which is a string representation of a 64-bit FILETIME time stamp.  As such, these keys aren't MRU keys in the more traditional sense of having an MRUList or MRUListEx value.

Tools: RegRipper office2010.pl plugin

Application-specific MRUs
A number of file viewers (Adobe Reader, MS Paint, etc.) maintain their own MRU lists.  Most often when interacting with the application, if you click on File in the menu bar of the app, the drop-down menu will contain (usually toward the bottom) a list of recently accessed files.  Many times, that information can be found in the Registry.

Tools:  RegRipper applets.pl and adoberdr.pl plugins

On Windows 8, the Photos key in the user's USRCLASS.DAT hive is used to track photos opened via the Photos app on the Windows 8 desktop (many thanks to Jason Hale for sharing his research on this topic).

Tools: RegRipper photos.pl plugin
Less possibly but gives hint on intent to access
Similar to the shellbags artifacts, the TypedPaths key in the user's NTUSER.DAT hive maintains a list of folders that the user accessed; however, for this artifact, the paths were typed into the Windows Explorer Address Bar.

Users can also disable this feature, so if you find no values in the TypedPaths key, check for the AutoSuggest value.

Tools: RegRipper typedpaths.pl plugin

Useful tool includes
LastActivityView - displays a log of actions made by the user and events occurred on this computer. @ http://www.nirsoft.net/utils/computer_activity_view.html

RecentFilesView - display the list of all recently opened files, and allows you to delete unwanted filename entries @ http://www.nirsoft.net/utils/recent_files_view.html