Monday, August 28, 2017

Visual Studio registry artifacts – part 2 – MRU Items #DFIR

Welcome back to a review of Visual Studio registry artifacts. In Part 1 I discussed “Find & Replace” as well as the Visual Studio 2017 registry hive that is separate from the NTUSER.DAT (HKLU). In this post I want to briefly show you that Visual Studio keeps its own Most Recently Used Item lists. Below you can see two categories, the “MRUItems” that capture activity throughout Visual Studio and another MRU under “SourceControl\History\…\ItemMRU”.

MRUItems – Most Recent Used Items

These lists can show you a variety of MRUItems. Granted my testing on the variety of items that are captured is limited here are a number of items I have observed”

  • Modules such as “xamarin”
  • Access to source code repositories including hosted TFS and GIT repositories
  • NuGet repositories






Below the “Items” shows access to various source code repositories







SourceControl MRUs

The source control MRU’s can be found in “\Visual Studio\<VS #>\SourceControl\TeamFoundation\History\…\ItemMRU”. This MRU does basically what the name implies, it shows user access to Source Code repositories. Specifically it shows user access to Team Foundation source code repositories. There are a couple of repository type, Team Foundation Server (TFS) and Git. The TFS can be a local server or a hosted account on









This information is rather specialized but it’s yet another place to look for user activity in your review of a system. I hope you find this information helpful.


by Dave via EasyMetaData