added information about paths

Forensics/Windows Registration.md

@@ -127,6 +127,8 @@ pdf, jpg.
 
 ## ShellBags
 
+Use something like shellbag explorer as a tool to display information from shellbags.
+
 * `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags`
 * `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU`
 * `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU`
@@ -134,8 +136,12 @@ pdf, jpg.
 
 ## Last Open/Saved/Visited Dialog MRUs
 
+Content of dialog windows is stored in the following folders and last
+visited/saved paths.
+
 * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU`
 * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU`
+* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastSavedPidlMRU`
 
 ## Explorer Address/Search Bars
 
@@ -149,7 +155,8 @@ Registry folder which includes search queries from file explorer.
 
 ## User Assist
 
-GUI applications launched by the user
+GUI applications launched by the user (and the number of usage) listed by
+GUIDs can be found in the following folder.
 
 * `NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count`
 
@@ -160,7 +167,7 @@ Application Compatibility, AppCompatCache
 * `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache`
 * Use `AppCompatCacheParser.exe --csv <path to save output> -f <path to SYSTEM hive for data parsing> -c <control set to parse>`
 
-### AmCache
+## AmCache
 * Information about recently run applications on the system
 * `C:\Windows\appcompat\Programs\Amcache.hve`
 * Last executed app -> `Amcache.hve\Root\File\{Volume GUID}\`