Over the weekend I was looking at the “Reading Locations” subkey in the NTUSER.dat and found something interesting. I haven’t got a complete understanding yet, so I’ve labelled this as Part 1, but I have to figure some more stuff out for there to be a part 2.

TLDR

• The Reading Location has a ‘Position’ value which is not properly understood.
• The first number, when converted to hex, corresponds to a “w14:paraId” in the “document.xml”.
• So far, this appears to be the paragraph that was displayed at the top of the screen (or thereabouts) when you last saved/closed the document.
• I’m not currently sure about the second number but it does seem to increase as you scroll down.
• Word is most likely taking both into account though (or why would it care about the other number?)

What is Reading Locations

Microsoft released a feature back in 2013 to allow you to jump back to where you were in a document, seen below in the bottom right.

Jason Hale did a bit of research on the topic here, as did Harlan, but for those that don’t want to read through that, here’s a bit of a recap.

When you close a document, Word (and other products, but I haven’t tested them yet) will record where you were up to in the Registry:
HKCU\Software\Microsoft\Office\<version>\Word\Reading Locations\Document X.

When you open up the document again, a popup on the right hand side will tell you when you last opened the document, and will take you back to where you last were.

Looking at the Donald Blake image from the SANS FOR500 course we can see the path of the file, the datetime that it was closed in local time, and the position that was displayed at last save.

I was curious about whether I could figure out what these two values in “Position” mean

Testing

I took my most recent blog post and saved it into a word document (docx) using the latest Word 365 (16.0) on Win10 (1809)

I also set up procmon to monitor Registry changes to the ‘Reading Locations’ subkey, specifically relating to my document.

My cursor was at the bottom of the document from the paste, and that appears to be reflected by the large numbers.

I opened the docx file in 7zip and inside the “Word” folder there’s a “document.xml”. This file contains our content. I then decided to take a look for the two numbers that were written to the Registry and see what I could find.

The first number, 2054000438, didn’t show up anywhere, but I did notice a lot of hex strings.

And after converting our number to hex, we can see it showing up as a “paraId”.

This XML section contained the paragraph that was at the top of the screen at the time I saved the document.

If you look up the paraId in the document you can tell to a certain extent which paragraph was at the top of the screen. I say to a certain extent because if part of a previous paragraph was in the screen then the value would reflect that one, sometimes. I don’t think it matters all that much because at the very least you can ball park where in the document a person was. I still haven’t figured out how to reliably calculate exactly what Word will display; I think it has something to do with the second number.

The second number, 5738, didn’t show up in my document, and I still haven’t figured out what it means. It does seem to increment as I scroll down further. I thought it could do with the number of characters, or even the number of cm/inches down the page you were, but these didn’t really pan out. If someone else wants to figure that part out that would be great!

As an aside, Reading Locations also applies to Word Docs, but I haven’t looked at where they store their paragraph Ids.

---

I’ve updated the regripper plugin for reading_locations so that it displays the first number as hex which will make looking it up a bit easier. I’ve submitted  a pull request to Harlan so hopefully it’ll end up in the official distribution soon.

I don’t know enough C# to write a plugin for Registry Explorer (maybe eventually I’ll learn how to do it). I haven’t spoke to Eric about it, but it would also be cool to have the option to enter the int/hex in and it takes you to the position in the document. Otherwise you’re options are opening the document.xml and working it out by hand, booting a VM, or copying the values into your own registry.