Difference between revisions of "Jump Lists"

From ForensicsWiki
Jump to: navigation, search
(CustomDestinations)
(AutomaticDestinations)
Line 9: Line 9:
  
 
=== AutomaticDestinations ===
 
=== AutomaticDestinations ===
Path: C:\Users\user\Recent\AutomaticDestinations
+
Path: C:\Users\user\Recent\AutomaticDestinations<br>
 
+
 
Files: *.automaticDestinations-ms
 
Files: *.automaticDestinations-ms
  
Structure - The autodest files follow the [http://msdn.microsoft.com/en-us/library/dd942138%28v=prot.13%29.aspx: MS-CFB] compound file binary format specification. Each of the numbered streams within the file follows the [http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx: MS-SHLLINK] binary format specification.
+
Structure<br>
 
+
The autodest files follow the [http://msdn.microsoft.com/en-us/library/dd942138%28v=prot.13%29.aspx: MS-CFB] compound file binary format specification. Each of the numbered streams within the file follows the [http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx: MS-SHLLINK] binary format specification.
The autodest files also contain a stream named "DestList" which acts as a most recently/frequently used (MRU/MFU) list.  This stream consists of a 32-byte header, followed by the various structures that correspond to each of the individual numbered streams.  Each of these structures is 114 bytes in size, followed by a variable length Unicode string.
+
<p>
 
+
The autodest files also contain a stream named "DestList" which acts as a most recently/frequently used (MRU/MFU) list.  This stream consists of a 32-byte header, followed by the various structures that correspond to each of the individual numbered streams.  Each of these structures is 114 bytes in size, followed by a variable length Unicode string. The first 114 bytes of the structure contains the following information at the corresponding offsets:
 
+
<p>
 
+
 
<table border="1">
 
<table border="1">
 
<tr> <th>Offset</th> <th>Size</th> <th>Description</th> </tr>
 
<tr> <th>Offset</th> <th>Size</th> <th>Description</th> </tr>
Line 25: Line 23:
 
<tr> <td>0x64</td> <td>8 bytes</td> <td>[http://support.microsoft.com/kb/188768: FILETIME] object</td> </tr>
 
<tr> <td>0x64</td> <td>8 bytes</td> <td>[http://support.microsoft.com/kb/188768: FILETIME] object</td> </tr>
 
<tr> <td>0x70</td> <td>2 bytes</td> <td>Number of Unicode characters in the string that follows </td> </tr>
 
<tr> <td>0x70</td> <td>2 bytes</td> <td>Number of Unicode characters in the string that follows </td> </tr>
</table>  
+
</table>
 
+
  
 
=== CustomDestinations ===
 
=== CustomDestinations ===

Revision as of 09:32, 23 August 2011

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Jump Lists are a feature found in Windows 7.

Jump Lists

Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions. Jump Lists come in two flavors, automatic (autodest, or *.automaticDestinations-ms) and custom (custdest, or *.customDestinations-ms) files. Autodest files are created by the operating system

Jump Lists are located in the user profile path, in the C:\Users\user\Recent folder. Autodest Jump Lists are located in the automaticDestinations subdirectory, and custdest files are located in the customDestinations subdirectory.


AutomaticDestinations

Path: C:\Users\user\Recent\AutomaticDestinations
Files: *.automaticDestinations-ms

Structure
The autodest files follow the MS-CFB compound file binary format specification. Each of the numbered streams within the file follows the MS-SHLLINK binary format specification.

The autodest files also contain a stream named "DestList" which acts as a most recently/frequently used (MRU/MFU) list. This stream consists of a 32-byte header, followed by the various structures that correspond to each of the individual numbered streams. Each of these structures is 114 bytes in size, followed by a variable length Unicode string. The first 114 bytes of the structure contains the following information at the corresponding offsets: <p>

Offset Size Description
0x48 16 bytes NetBIOS name of the system; padded with zeros to 16 bytes
0x58 8 bytes Stream number; corresponds to the numbered stream within the jump list
0x64 8 bytes FILETIME object
0x70 2 bytes Number of Unicode characters in the string that follows

CustomDestinations

Path: C:\Users\user\Recent\CustomDestinations
Files: *.customDestinations-ms

Structure

AppIDs

List of Jump List IDsWindows