Difference between revisions of "Jump Lists"

From Forensics Wiki
Jump to: navigation, search
Line 12: Line 12:
 
Files: *.automaticDestinations
 
Files: *.automaticDestinations
  
Structure - The autodest files follow the [http://msdn.microsoft.com/en-us/library/dd942138%28v=prot.13%29.aspx: MS-CFB] compound file binary format specification.
+
Structure - The autodest files follow the [http://msdn.microsoft.com/en-us/library/dd942138%28v=prot.13%29.aspx: MS-CFB] compound file binary format specification. Each of the numbered streams within the file follows the [http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx: MS-SHLLINK] binary format specification.
 +
 
 +
The autodest files also contain a
 +
 
 +
 
 +
 
 +
<table border="1"><tbody>
 +
<tr> <th>Offset</th> <th>Size</th> <th>Description</th> </tr>
 +
<tr> <td>0x48</td> <td>16 bytes</td> <td>NetBIOS name of the system; padded with zeros to 16 bytes</td> </tr>
 +
<tr> <td>0x58</td> <td>8 bytes</td> <td>Stream number; corresponds to the numbered stream within the jump list</td> </tr>
 +
<tr> <td>0x64</td> <td>8 bytes</td> <td><a href="http://support.microsoft.com/kb/188768">FILETIME</a> object</td> </tr>
 +
<tr> <td>0x70</td> <td>2 bytes</td> <td>Number of Unicode characters in the string that follows </td> </tr>
 +
</tbody></table>
  
  
Line 22: Line 34:
  
  
 
+
== AppIDs ==
 
[[List of Jump List IDs]]
 
[[List of Jump List IDs]]
17d3eb086439f0d7 TrueCrypt 7.0a
 
adecfb853d77462a MSWord 2007
 
c71ef2c372d322d7 PGP Desktop 10
 
cdf30b95c55fd785 MSExcel 2007
 
f5ac5390b9115fdb MSPowerPoint 2007
 
 
12dc1ea8e34b5a6 MSPaint 6.1
 
431a5b43435cc60b Python (.pyc)
 
469e4a7982cea4d4 ? (.job)
 
500b8c1d5302fc9c (.pyw)
 
50620fe75ee0093 VMWare Player 3.1.4
 
65009083bfa6a094 (app launched via XPMode)
 
7e4dca80246863e3 Control Panel (?)
 
83b03b46dcd30a0e iTunes 10
 
b0459de4674aab56 (.vmcx)
 
 
  
 
{{Windows}}
 
{{Windows}}

Revision as of 09:15, 23 August 2011

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Jump Lists are a feature found in Windows 7.

Contents

Jump Lists

Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions. Jump Lists come in two flavors, automatic (autodest, or *.automaticDestinations-ms) and custom (custdest, or *.customDestinations-ms) files. Autodest files are created by the operating system

Jump Lists are located in the user profile path, in the C:\Users\user\Recent folder. Autodest Jump Lists are located in the automaticDestinations subdirectory, and custdest files are located in the customDestinations subdirectory.


AutomaticDestinations

Path: C:\Users\user\Recent\AutomaticDestinations Files: *.automaticDestinations

Structure - The autodest files follow the MS-CFB compound file binary format specification. Each of the numbered streams within the file follows the MS-SHLLINK binary format specification.

The autodest files also contain a


<tbody> </tbody>
Offset Size Description
0x48 16 bytes NetBIOS name of the system; padded with zeros to 16 bytes
0x58 8 bytes Stream number; corresponds to the numbered stream within the jump list
0x64 8 bytes <a href="http://support.microsoft.com/kb/188768">FILETIME</a> object
0x70 2 bytes Number of Unicode characters in the string that follows


CustomDestinations

Path: C:\Users\user\Recent\CustomDestinations Files: *.customDestinations

Structure


AppIDs

List of Jump List IDsWindows