Get-ForensicOfficePlaceMru
NAME Get-ForensicOfficePlaceMru
SYNOPSIS
Gets directories that have recently been accessed in Microsoft Office.
SYNTAX
Get-ForensicOfficePlaceMru [-VolumeName <String>] [<CommonParameters>]
Get-ForensicOfficePlaceMru -HivePath <String> [<CommonParameters>]
DESCRIPTION
The Get-ForensicOfficePlaceMru cmdlet parses NTUSER.DAT registry hives to determine what directories have recently
been accessed by Microsoft Office applications.
Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the
Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.
PARAMETERS
-VolumeName [<String>]
Specifies the name of the volume or logical partition.
Enter the volume name in one of the following formats: \\.\C:, C:, or C.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-HivePath <String>
Registry hive to parse.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
None
OUTPUTS
PowerForensics.Artifacts.MicrosoftOffice.PlaceMRU
-------------------------- EXAMPLE 1 --------------------------
[ADMIN]: PS C:\>Get-ForensicOfficePlaceMru
This example shows Get-ForensicOfficePlaceMru parsing all users' NTUSER.DAT hives.
-------------------------- EXAMPLE 2 --------------------------
[ADMIN]: PS C:\>Get-ForensicOfficePlaceMru -HivePath C:\Users\tester\NTUSER.DAT
This command uses the HivePath parameter of Get-ForensicOfficePlaceMru to specify an exported NTUSER.DAT hive to
parse.
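Because -HivePath does not accept pipeline input, parsing several exported hives takes an explicit loop. The following is an added example, not part of the PowerForensics help: the function name Get-OfficePlaceMruFromExport, the case folder paths, and the SourceHive and SourceHiveSha256 note properties are all hypothetical.

```powershell
# Added example: batch-parse exported NTUSER.DAT hives collected for a case.
# The folder layout and all names introduced here are assumptions.
Import-Module PowerForensics -ErrorAction Stop

function Get-OfficePlaceMruFromExport {
    [CmdletBinding()]
    param(
        # Folder holding exported hives, e.g. one subfolder per user (hypothetical layout).
        [Parameter(Mandatory)]
        [string]$CaseRoot
    )

    # -Force is needed because NTUSER.DAT normally carries the hidden attribute.
    $hives = Get-ChildItem -LiteralPath $CaseRoot -Recurse -File -Force -Filter 'NTUSER.DAT'

    foreach ($hive in $hives) {
        # Hash the evidence file first so every result row can be tied to an exact hive copy.
        $hash = (Get-FileHash -LiteralPath $hive.FullName -Algorithm SHA256).Hash

        try {
            # -HivePath takes a single string and no pipeline input, so call once per hive.
            $entries = Get-ForensicOfficePlaceMru -HivePath $hive.FullName -ErrorAction Stop
        }
        catch {
            # A damaged or unreadable hive should not stop the rest of the batch.
            Write-Warning "Could not parse $($hive.FullName): $($_.Exception.Message)"
            continue
        }

        foreach ($entry in $entries) {
            # Tag each PlaceMRU object with its source so merged output stays attributable.
            $entry |
                Add-Member -NotePropertyName SourceHive -NotePropertyValue $hive.FullName -PassThru |
                Add-Member -NotePropertyName SourceHiveSha256 -NotePropertyValue $hash -PassThru
        }
    }
}

# Constructed paths; replace with the real evidence location.
Get-OfficePlaceMruFromExport -CaseRoot 'D:\Cases\example\hives' |
    Export-Csv -LiteralPath 'D:\Cases\example\office-placemru.csv' -NoTypeInformation
```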
RELATED LINKS