Automatically generated based on tag:
Title | Type | Summary | Location |
---|---|---|---|
Jumplists | Page | Introduced in Windows 7, Jumplists are linked to a taskbar user experience-enhancing feature that allows users to "jump" to files, folders or other elements by right-clicking on open applications in the Windows taskbar. Information of interest: target file absolute path, size, attributes, and Modified, Access, and Birth timestamps (updated whenever the file is "jumped" to). Remote desktop connections made using the Windows built-in mstsc.exe client will generate an entry in the AutomaticDestinations JumpList that may reference the remote host. | AutomaticDestinations: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\<APP_ID>.automaticDestinations-ms<br>CustomDestinations: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\<APP_ID>.customDestinations-ms |
Registry - Common Dialogs (ComDlg32) | Page | The registry keys under ComDlg32 are linked to the Common Dialogs boxes, such as the "Open" and "Save as" dialog boxes. OpenSaveMRU / OpenSavePidlMRU information of interest: full path of the last 20 files, for each file extension, opened or saved through a Common Dialogs box. LastVisitedMRU / LastVisitedPidlMRU / LastVisitedPidlMRULegacy information of interest: some of the programs used to open / save the files tracked in the OpenSaveMRU / OpenSavePidlMRU registry key. The application filename and the last folder accessed through a dialog box are tracked. The created and last accessed timestamps of each subfolder in the path of the last accessed folder are also stored. CIDSizeMRU information of interest: filename of the applications linked to Common Dialogs activity. | File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat<br>Registry subkeys under: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\<br>OpenSaveMRU / OpenSavePidlMRU<br>LastVisitedMRU / LastVisitedPidlMRU / LastVisitedPidlMRULegacy<br>CIDSizeMRU |
Registry - RecentApps | Page | Introduced in Windows 10 1607 and removed in Windows 10 1709 (the key is not present on subsequent versions), RecentApps is an undocumented registry key that tracks program executions and files accessed by the tracked programs. Information of interest: filename, last access timestamp, and execution run count of the application. Additionally, 10 files accessed by the application (not necessarily the last files accessed) are tracked. For each file, the file name and full path are referenced, and the last access timestamp can be deduced (from the last write timestamp of the associated registry key). | File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat<br>Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\<GUID> |
Registry - RunMRU | Page | The RunMRU registry key tracks items launched from the Windows Run launcher (Windows + R shortcut). Information of interest: values entered (program names, files / folders, URLs, ...) in the Windows Run launcher, if associated with a successful launch. Values are ordered in a most recently used list. The launch timestamp of the most recently launched item can thus be deduced from the last write timestamp of the registry key. | File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat<br>Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU |
Registry - Shellbags | Page | Shellbags are Windows Registry keys designed as a user experience-enhancing feature to keep track of Windows Explorer graphical display settings on a folder-by-folder basis. Shellbags record folders and network shares to which a given user has navigated (using Windows Explorer), but not the content of a directory. Files will thus not be referenced, and subdirectories will only be referenced if they were navigated into. Shellbag entries are stored in the registry as a tree-like hierarchical data structure, which allows the browsed directory tree to be reconstructed. Information of interest, for each Shellbags entry on a given target / directory:<br>- Target name and absolute path.<br>- Target Modified, Access, and Created (MAC) timestamps (in UTC) retrieved from the $MFT at the Shellbag entry creation (and not further updated).<br>- The order in which the sub-targets of a target were accessed (maintained in a MRUList list).<br>Additionally, the first and last interaction timestamps can be indirectly deduced for some targets. | Locations starting from Windows 7:<br>Windows Explorer activity: File: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat<br>Registry keys: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU and HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags<br>Desktop and Network locations activity: File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat<br>Registry keys: HKCU\Software\Microsoft\Windows\Shell\BagMRU and HKCU\Software\Microsoft\Windows\Shell\Bags |
Registry - WordWheelQuery | Page | Introduced in Windows 7, and not present in Windows Server operating systems, the WordWheelQuery registry key tracks the keywords searched in the Windows Explorer search box. Information of interest: terms / keywords entered in the Windows Explorer search box. Values are ordered in a most recently used list. The search timestamp of the most recently searched item can thus be deduced from the last write timestamp of the registry key. | File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat<br>Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery |
Shortcut files / LNK | Page | Shortcut files (*.lnk) are Windows Shell Items that reference an original file, folder, or application. While LNK files can be created manually, Windows also creates LNK files upon numerous user activities, such as opening a non-executable file. Information of interest, per LNK file:<br>- Target file absolute path, size and attributes.<br>- Target file Modified, Access, and Created (MAC) timestamps at the time of the last access.<br>- Sometimes information on the volume that stored the target file (local or network share, serial number, and label).<br>- Additionally, for automatically created LNK files, the creation and modification timestamps of the LNK file itself will usually indicate when the target file was first and last opened. | Automatically created LNK files on file access: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\*.lnk<br>Automatically created LNK files for documents opened using Microsoft Office products: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming\Microsoft\Office\Recent\*.lnk<br>Other common LNK locations:<br>User Desktop folder: <SYSTEMDRIVE>:\Users\<USERNAME>\Desktop\*.lnk<br>Startup folders: <SYSTEMDRIVE>:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*.lnk and <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk |
Thumbs.db and Thumbcache | Page | The Thumbs.db and Thumbcache files contain cached thumbnail previews for files (pictures, some document and media file types) in folders that were interactively accessed with Windows Explorer. Some document types, such as PDF files, will have their first page as their thumbnail preview. The cached thumbnail previews persist even after deletion of the associated files. The Thumbs.db files are stored in their associated folders, with one individual Thumbs.db file per folder. Since Windows Vista, Thumbs.db files are only generated for access through UNC paths (in the remote / share directory). Starting with Windows Vista, the Thumbcache files gather thumbnails in a single central location. Each Thumbcache file, labeled "thumbcache_<RESOLUTION>.db", contains thumbnails from all locations. The location of the file linked to a thumbnail is not stored in the Thumbcache file. However, a unique identifier may be used to retrieve the location of the associated file (mostly for non-deleted files). | Thumbs.db: individual hidden files in their associated folders.<br>Starting from Windows Vista, Thumbcache: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\Explorer\thumbcache_<RESOLUTION>.db files. |
WebCacheV01 | Page | The WebCacheV01.dat database is used by the Microsoft Internet Explorer and Microsoft Edge (legacy) web browsers to store browsing history, downloads, cache, and cookies. However, access to local files, not necessarily through a web browser, is also tracked in the WebCacheV01.dat database. Access to local files can be identified by the file URI scheme (such as "file:///<DRIVE_LETTER>:/folder/file"). Information of interest: full path to the file or URL, timestamp of access, and visit count. | <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\WebCacheV01.dat |
Windows 10 Timeline / ActivitiesCache.db | Page | Introduced in Windows 10 version 1803, the Windows Activity history tracks a number of operations on the system: programs used, local files opened, SharePoint documents consulted, and websites browsed (using Internet Explorer / Microsoft Edge Legacy). The ActivitiesCache.db database only stores data for the last 30 days by default. Information of interest, depending on the activity type: start and end times of the activity (in UTC), executable full path for program executions, file name / SharePoint link for files accessed using certain programs, created and last modified timestamps of the associated file, etc. The history of the clipboard data may also be stored for a short amount of time (approximately 12 hours) in non-default configurations. | <SYSTEMROOT>\Users\<USERNAME>\AppData\Local\ConnectedDevicesPlatform\[L.<USERNAME> \| *]\ActivitiesCache.db |
Windows Defender - Support logs | Page | Windows Defender stores a number of plain-text log files on disk. Among these log files, the Microsoft Protection Log (MPLog) includes a number of event types related to past Windows Defender scanning activity and detections. The MPLog can notably be a source of historical information on:<br>- Program and suspicious command line executions.<br>- File existence and access.<br>- Windows Defender configuration state, detections, and other telemetry. | Log files, notably "MPLog-YYMMDD-hhmmss.log", under: <SYSTEMDRIVE>\ProgramData\Microsoft\Windows Defender\Support |