Difference between revisions of "Jump Lists"

From ForensicsWiki
Jump to: navigation, search
(CustomDestinations)
Line 29: Line 29:
  
 
=== CustomDestinations ===
 
=== CustomDestinations ===
Path: C:\Users\user\Recent\CustomDestinations
+
Path: C:\Users\user\Recent\CustomDestinations<br>
 
Files: *.customDestinations-ms
 
Files: *.customDestinations-ms
  
Structure  
+
Structure
 
+
  
 
== AppIDs ==
 
== AppIDs ==

Revision as of 10:24, 23 August 2011

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Jump Lists are a feature found in Windows 7.

Jump Lists

Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions. Jump Lists come in two flavors, automatic (autodest, or *.automaticDestinations-ms) and custom (custdest, or *.customDestinations-ms) files. Autodest files are created by the operating system

Jump Lists are located in the user profile path, in the C:\Users\user\Recent folder. Autodest Jump Lists are located in the automaticDestinations subdirectory, and custdest files are located in the customDestinations subdirectory.


AutomaticDestinations

Path: C:\Users\user\Recent\AutomaticDestinations

Files: *.automaticDestinations-ms

Structure - The autodest files follow the MS-CFB compound file binary format specification. Each of the numbered streams within the file follows the MS-SHLLINK binary format specification.

The autodest files also contain a stream named "DestList" which acts as a most recently/frequently used (MRU/MFU) list. This stream consists of a 32-byte header, followed by the various structures that correspond to each of the individual numbered streams. Each of these structures is 114 bytes in size, followed by a variable length Unicode string.


Offset Size Description
0x48 16 bytes NetBIOS name of the system; padded with zeros to 16 bytes
0x58 8 bytes Stream number; corresponds to the numbered stream within the jump list
0x64 8 bytes FILETIME object
0x70 2 bytes Number of Unicode characters in the string that follows


CustomDestinations

Path: C:\Users\user\Recent\CustomDestinations
Files: *.customDestinations-ms

Structure

AppIDs

List of Jump List IDsWindows