LNK files automatically created on file access:
<SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\*.lnk

LNK files automatically created for documents opened using Microsoft Office products:
<SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming\Microsoft\Office\Recent\*.lnk

Other common LNK locations:

User's Desktop folder:
<SYSTEMDRIVE>:\Users\<USERNAME>\Desktop\*.lnk

Startup folders:
<SYSTEMDRIVE>:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*.lnk
<SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk

Overview

Shortcut files (*.lnk) are Windows Shell Items that reference an original file, folder, or application. Double-clicking a shortcut file is intended to have the same effect as double-clicking the application or file to which it refers. In addition, command line parameters and the folder in which the target should be opened can be specified in the shortcut. Shortcut files have a magic number of 0x4C (4C 00 00 00).

While shortcut files can be created manually, the Windows operating system also creates shortcut files as a result of numerous user activities, such as the opening of a non-executable file. For instance, a shortcut file is created under [...]\AppData\Roaming\Microsoft\Windows\Recent\ whenever a file is opened from Windows Explorer. Shortcut files created in such circumstances are referenced in the NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs registry keys.

These automatically created and updated shortcut files are not deleted upon deletion of their associated files.

The shortcut file format is also used for entries within the AutomaticDestinations and CustomDestinations JumpLists files (introduced in Windows 7).

Information of interest

For automatically created shortcut files, the creation and modification timestamps of the shortcut file itself usually indicate when the target file was first and last opened, respectively.

Each shortcut file additionally yields the following information:

  • The target file’s absolute path, size and attributes (hidden, read-only, etc.). The size and attributes are updated upon every access to the target file that induces an update to the shortcut file.

  • The Modified, Access, and Created (MAC) timestamps of both the target file and the shortcut file (source) itself, as of the last access to the target file.

  • Whether the target file was stored locally or on a remote network share through the specification of a LocalPath or NetworkPath.

  • Occasionally information on the volume that stored the target file: drive type (fixed vs removable storage media), serial number, and label / name if any.

  • Occasionally information on the host on which the shortcut file is present: system’s NetBIOS hostname and MAC address.
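
The target's attributes, MAC timestamps and size listed above are stored in the fixed 76-byte header that begins with the 4C 00 00 00 value. The following Python parser is an added example, not part of the original notes or of LECmd; the field layout follows Microsoft's MS-SHLLINK specification, and the sample header it parses is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed 76-byte ShellLinkHeader layout, per the MS-SHLLINK specification.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
ATTRS = {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM",
         0x10: "DIRECTORY", 0x20: "ARCHIVE"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means unset."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None


def parse_lnk_header(data):
    """Return the target's attributes, MAC timestamps and size from LNK bytes."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated: shorter than the 76-byte header")
    size, clsid, flags, attrs, ctime, atime, mtime, fsize = struct.unpack_from(
        "<I16sIIQQQI", data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link: bad header size or CLSID")
    return {
        "link_flags": flags,
        "attributes": [name for bit, name in ATTRS.items() if attrs & bit],
        "target_created": filetime_to_utc(ctime),
        "target_accessed": filetime_to_utc(atime),
        "target_modified": filetime_to_utc(mtime),
        "target_size": fsize,  # low 32 bits of the target's size
    }


def build_sample_header():
    """Constructed sample: hidden+archive target, 1234 bytes, access time unset."""
    ft = lambda dt: int((dt - EPOCH_1601).total_seconds()) * 10_000_000
    created = ft(datetime(2023, 5, 1, 8, 0, tzinfo=timezone.utc))
    modified = ft(datetime(2023, 5, 2, 9, 30, tzinfo=timezone.utc))
    # The trailing 20 zero bytes stand in for icon index, show command,
    # hotkey and reserved fields.
    return struct.pack("<I16sIIQQQI", HEADER_SIZE, LINK_CLSID, 0x1, 0x22,
                       created, 0, modified, 1234) + b"\x00" * 20


if __name__ == "__main__":
    for key, value in parse_lnk_header(build_sample_header()).items():
        print(f"{key}: {value}")
```

The target path, volume details and host identifiers are stored in later variable-length structures that this header parser does not read.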

Tool(s)

Eric Zimmerman’s LECmd tool (KAPE’s LECmd module) can be used to process shortcut files.

# Parses the specified shortcut file.
LECmd.exe [-q --csv <CSV_DIRECTORY_OUTPUT>] -f <LNK_FILE>

# Recursively retrieves and parses the shortcut files in the specified directory.
LECmd.exe [-q --csv <CSV_DIRECTORY_OUTPUT>] -d <C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\ | C:\ | DIRECTORY>
