Why does clearing document history also clear Run history?


Commenter John Topley wondered why clearing document history also clears Run history. Simple: Because people wanted it to.

Originally, the button merely erased your recent document history, but with the increasing paranoia over what records the computer kept on your past usage, people began to expect more and even filed beta bugs saying, "I cleared my document history, but I went to Location X and the names of documents I used recently was still visible."

I guess these people were afraid of being raided by the F*I, or more likely (but nobody will admit to it) by their spouse.

Comments (24)
  1. Anonymous says:

    Wow, I’d completely forgotten about that question!

  2. Anonymous says:

    I wish I knew where the Run history values are stored; a search of the registry revealed nothing.  Most of the time I’d like to only  selectively delete the entries.

  3. Anonymous says:

    @BobD:

    HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerRunMRU

    looks promising (on XP, anyway)

  4. Anonymous says:

    Of course, if one’s spouse is even a little savvy then clearing the MRU list and Run history looks a little shady…

    My currently favored hypothetical method for hiding my tracks is saving the MRU list before suspicious activity, and restoring it afterwards.

    Hiding suspicious data is harder.

  5. JamesNT says:

    This is amusing.  I remember in the very late 90’s and turn of the century the big boom in software that "scrubbed" your machine to remove your surfing habits, etc.  

    There’s no telling how much money those guys made.

    JamesNT

  6. Anonymous says:

    @Ramesh and Graham,

    I found the path as you say, not sure why regedit search did not find my string…

    Anyway, I see in the XP dialog "Customize Classic Start Menu" the text "To remove records of recently accessed documents, programs, and Web sites click Clear".  No mention of the Run dialog.  That’s why I was never sure why my entries would occasionally disappear.  (Unless there’s another clear action that I’m not remembering?)

  7. Anonymous says:

    Well, strictly, it says "programs".

  8. Anonymous says:

    @BobD: Check here:

    HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerRunMRU

    Note that the above key contains the list of entries that you typed in the Run box. It does *not* list the Web addresses that are shown in the Run dialog.

    RunMRU listing – Sources:

    http://windowsxp.mvps.org/rundel.htm

  9. Anonymous says:

    My favorite method of not letting others access my personal data is:

    User Profiles

    combined with:

    NT Security

    No need to track down hundreds of different data stores and constantly clear them at my own trouble and inconvenience, yet I can let others use my computer relatively safely.

    What’s the point of sharing a user profile and Windows account with somebody else? It baffles me why people do that to themselves.

  10. Anonymous says:

    Just a friendly reminder:

    I imagine there "sanitize" things do nothing (i.e. they delete registry keys, but don’t zero the space on disk and much less rewrite it several times), so they give "usermode protection". Rewriting the sensitive data with zeros before deleting it would give "kernel mode protection", and you’d be safe unless the HDD is disassembled (or, on certain circumstances, its firmware flashed with a special version).

  11. Anonymous says:

    Just a friendly reminder:

    I imagine these "sanitize" things do nothing (i.e. they delete registry keys, but don’t zero the space on disk and much less rewrite it several times), so they give "usermode protection". Rewriting the sensitive data with zeros before deleting it would give "kernel mode protection", and you’d be safe unless the HDD is disassembled (or, on certain circumstances, its firmware flashed with a special version).

  12. Anonymous says:

    Just a friendly reminder:

    I imagine these "sanitize" things do nothing (i.e. they delete registry keys, but don’t zero the space on disk and much less rewrite it several times), so they give "usermode protection". Rewriting the sensitive data with zeros before deleting it would give "kernel mode protection", and you’d be safe unless the HDD is disassembled (or, on certain circumstances, its firmware flashed with a special version).

  13. Anonymous says:

    @- Overwriting the data with zero’s multiple times is okay, but how does posting the entry multiple times help? :P :P

  14. Anonymous says:

    My currently favored hypothetical method for hiding my tracks is saving the MRU list before suspicious activity, and restoring it afterwards.

    Or you just click on Safari -> private browsing, and it won’t even record your porn surfing habits.

    Hiding suspicious data is harder.

    On Windows, it’s quite easy. Zip everything, rename it to <random letters>32.dll and drop it in your System32 directory.

    Or, like me, you can just store your porn collection in /media/pr0n on your shared network drive.

  15. Anonymous says:

    @BobD:

    "No mention of the Run dialog."

    The Run dialog is used to access documents, programs and Web sites, right?

    The Run dialog records entries you type.

    Hence, it records some recent accesses to documents, programs and Web sites.

    The dialog says "To remove records of…" which implies that it removes all of them.

    So, it has to remove the RunMRU.

    @Jeff Tyrrill: You forgot about NT encryption.

    Unless you prevent physical accesses to your computer, it’s possible to read the non-encrypted data.

  16. Anonymous says:

    Ya why hide your habbits?  I proudly display my stuff I even have scripts that enumerate my links and recent history and displays them on the home page of our little intranet for all to see when they start surfing.   So what if I like nude midget mud wrestling?

  17. Anonymous says:

    okay, pudding wrestling I’ll give you, but mud wrestling is just plain weird.

  18. Anonymous says:

    Not totally true.

    On my XP, some URLs remain in the run dialog even after a clear of document history until I also clear IE history – which is fun considering they are URLs I visited with Firefox..

    They mostly are Windows Media URLs, so I guess WM records them in the same history of IE *and* it suggests them as autocompletes in the run dialog.

  19. Anonymous says:

    Not totally true.

    On my XP, some URLs remain in the run dialog even after a clear of document history until I also clear IE history – which is fun considering they are URLs I visited with Firefox..

    They mostly are Windows Media URLs, so I guess WM records them in the same history of IE *and* it suggests them as autocompletes in the run dialog.

  20. Anonymous says:

    @SuperKoko:

    "You forgot about NT encryption.

    Unless you prevent physical accesses to your computer, it’s possible to read the non-encrypted data."

    No, I didn’t forget. NT Security is good enough for my typical situations because I trust my friends who use my computer not to attempt to wholesale break in to the NT Security system and attempt to gain an administrator account (or just steal the computer). I just don’t want them running across my data during their casual use of the computer.

    And anyway, NTFS file encryption would not be completely effective if they had physical access, because they could install a keylogger for the next time I used the computer to get my password.

    @anonymous:

    "Rewriting the sensitive data with zeros before deleting it would give "kernel mode protection", and you’d be safe unless the HDD is disassembled"

    Not true. The data could have previously been at a different location on disk due to defragmentation, and this data would not be deleted.

    Working secure erase requires an extremely complex implementation. To perform well, it requires techniques like using multiple levels of key indirection, as well as techniques to account for securely erasing previous versions of data in a file that were not "securely" overwritten (multiple times with random data). The best general approach involves implementation at the file system level and keeping all files encrypted, and then securely erasing keys instead of the data. There are many more difficulties than listed here and it’s not trivial.

  21. Anonymous says:

    Clearing the recent documents list also clears it in MS-Words File menu (at least before 2007).

  22. Anonymous says:

    "Clearing the recent documents list also clears it in MS-Words File menu (at least before 2007)."

    Not with Windows XP and Word 2002 it doesn’t.

  23. Anonymous says:

    For those that think it doesn’t work, clearing the Run dialog does not take effect until you restart the shell (reboot, logoff-logon, restart Explorer, etc.)

    The Run dialog makes no distinction between apps, links, URLs, etc. It saves anything that has been run from it as long as it can be resolved. That is, it will save “calc” the same as it saves “http://www.google.com/”, however it will not save “blajsds” (assuming that there is nothing by that name in the PATH).

    As for wiping traces, I prefer the opposite approach. I log the crap out of everything. I have logs and traces of everything that I can think of so that I know exactly what I have done and when. That way, not only do I have a record of my time (and life), but I can go back and find something much easier than trying to remember it. The only thing that I would wipe is the recent this-and-that folders because I don’t use them, so they take space for nothing. Of course since the Run dialog gets wiped, I don’t do that and just turn it off instead. (Maybe I should reactivate it…)

  24. Anonymous says:

    (Just to be clear, I didn’t mean that the Run dialog saves EXEs, URLs, shortcuts, etc. in the same place, just that it saves them so long as they can be executed by ShellExecute (doesn’t give the “Windows cannot find…” message)—which is true for all URLs whether they are valid or not since the shell “executes” them simply by passing the URL to the http protocol handler.)

Comments are closed.