Skip to content

More privacy exposure in Office 2013

Your document activity shows up in the registry in more places than expected.

Jason Hale has done a nice job checking out where Office 2013 leaves footprints showing what documents you’ve worked on.

Office programs like Word, Excel and PowerPoint have MRU – Most Recently Used – lists that let you re-open a recently accessed document.

In the ‘olden days’ there was one MRU list saved in the Windows Registry. Office geeks could peek in the registry to see what documents had been recently opened.

Office 2013 and Office 2010, at least, you can right click on an MRU item and ‘Remove from List’ to maintain some privacy.

Starting with Office 2010 you could directly remove items from the MRU list. In Office 2007 and before you had to tinker in the Registry to remove your document footprints from a computer.

What Jason discovered is that the MRU’s have been expanded a lot in Office 2013. The integration with Microsoft Live Account logins mean that there’s a lot more information stored.

For each Live account used with Office 2013 on a computer, there’s a separate MRU list which is saved in the Registry.

Each MRU entry tells you the name and location of the document as well as the last time it was accessed. ‘Places’ (paths to documents) are also recorded because Office 2013 maintains a separate list of MRU folders as well as MRU files.

Office-Watch.com did our own registry digging and established that not only Live Account logins have their own MRU, but each Active Directory login has their own set of MRU’s saved.

http://img.office-watch.com/ow/Word%202013%20Registry%20MRUs.png image from More privacy exposure in Office 2013 at Office-Watch.com

These details are saved at HKEY_CURRENT_USERSoftwareMicrosoftOffice15.0< Word, Excel, PowerPoint etc>User MRU then a unique ID for each Live or Active Directory user.

As you can see above, there is also a ‘Web Extension User MRU’ key for the Live Account user.


Beyond the Maximum

In each Office program you can set a maximum value for the Most Recently Used list. These days that’s set at a default of 25 items – that’s a list of the last 25 unique documents that you’ve opened.

However the registry is saving a lot more than the maximum set by the user.

For each user, Office 2013 is saving the last 50 documents and 30 places regardless of the MRU setting.

That’s a concern because you can only directly remove the MRU entry for the documents/places visible in the Office 2013 Open pane. You do that by right-clicking on the MRU entry and choosing ‘Remove from List’. It might not occur to people that there’s more saved than the maximum.

The MRU data is kept on the machine long after the last login by that Live account.

It’s nice to see a forensic examination of what Office saves to the registry, but it should not have been necessary. This is information that Microsoft has and should release to the public. Smart guys like Jason Hale should not have to waste time discovering things that Redmond already knows but doesn’t disclose.

About this author