Difference between revisions of "Jump Lists"

From ForensicsWiki
Jump to: navigation, search
(Initial stub)
 
(CustomDestinations)
(4 intermediate revisions by 2 users not shown)
Line 2: Line 2:
 
'''Jump Lists''' are a feature found in Windows 7.
 
'''Jump Lists''' are a feature found in Windows 7.
  
[[List of Jump List IDs]]
+
== Jump Lists ==
17d3eb086439f0d7 TrueCrypt 7.0a
+
Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions. Jump Lists come in two flavors, automatic (autodest, or *.automaticDestinations-ms) and custom (custdest, or *.customDestinations-ms) files.  Autodest files are created by the operating system
adecfb853d77462a MSWord 2007
+
c71ef2c372d322d7 PGP Desktop 10
+
cdf30b95c55fd785 MSExcel 2007
+
f5ac5390b9115fdb MSPowerPoint 2007
+
  
12dc1ea8e34b5a6 MSPaint 6.1
+
Jump Lists are located in the user profile path, in the C:\Users\''user''\Recent folder. Autodest Jump Lists are located in the automaticDestinations subdirectory, and custdest files are located in the customDestinations subdirectory.
431a5b43435cc60b Python (.pyc)
+
469e4a7982cea4d4 ? (.job)
+
500b8c1d5302fc9c (.pyw)
+
50620fe75ee0093 VMWare Player 3.1.4
+
65009083bfa6a094 (app launched via XPMode)
+
7e4dca80246863e3 Control Panel (?)
+
83b03b46dcd30a0e iTunes 10
+
b0459de4674aab56 (.vmcx)
+
  
 +
 +
=== AutomaticDestinations ===
 +
Path: C:\Users\user\Recent\AutomaticDestinations
 +
 +
Files: *.automaticDestinations-ms
 +
 +
Structure - The autodest files follow the [http://msdn.microsoft.com/en-us/library/dd942138%28v=prot.13%29.aspx: MS-CFB] compound file binary format specification. Each of the numbered streams within the file follows the [http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx: MS-SHLLINK] binary format specification.
 +
 +
The autodest files also contain a stream named "DestList" which acts as a most recently/frequently used (MRU/MFU) list.  This stream consists of a 32-byte header, followed by the various structures that correspond to each of the individual numbered streams.  Each of these structures is 114 bytes in size, followed by a variable length Unicode string.
 +
 +
 +
 +
<table border="1">
 +
<tr> <th>Offset</th> <th>Size</th> <th>Description</th> </tr>
 +
<tr> <td>0x48</td> <td>16 bytes</td> <td>NetBIOS name of the system; padded with zeros to 16 bytes</td> </tr>
 +
<tr> <td>0x58</td> <td>8 bytes</td> <td>Stream number; corresponds to the numbered stream within the jump list</td> </tr>
 +
<tr> <td>0x64</td> <td>8 bytes</td> <td>[http://support.microsoft.com/kb/188768: FILETIME] object</td> </tr>
 +
<tr> <td>0x70</td> <td>2 bytes</td> <td>Number of Unicode characters in the string that follows </td> </tr>
 +
</table>
 +
 +
 +
=== CustomDestinations ===
 +
Path: C:\Users\user\Recent\CustomDestinations<br>
 +
Files: *.customDestinations-ms
 +
 +
Structure
 +
 +
== AppIDs ==
 +
[[List of Jump List IDs]]
  
 
{{Windows}}
 
{{Windows}}

Revision as of 09:24, 23 August 2011

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Jump Lists are a feature found in Windows 7.

Jump Lists

Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions. Jump Lists come in two flavors, automatic (autodest, or *.automaticDestinations-ms) and custom (custdest, or *.customDestinations-ms) files. Autodest files are created by the operating system

Jump Lists are located in the user profile path, in the C:\Users\user\Recent folder. Autodest Jump Lists are located in the automaticDestinations subdirectory, and custdest files are located in the customDestinations subdirectory.


AutomaticDestinations

Path: C:\Users\user\Recent\AutomaticDestinations

Files: *.automaticDestinations-ms

Structure - The autodest files follow the MS-CFB compound file binary format specification. Each of the numbered streams within the file follows the MS-SHLLINK binary format specification.

The autodest files also contain a stream named "DestList" which acts as a most recently/frequently used (MRU/MFU) list. This stream consists of a 32-byte header, followed by the various structures that correspond to each of the individual numbered streams. Each of these structures is 114 bytes in size, followed by a variable length Unicode string.


Offset Size Description
0x48 16 bytes NetBIOS name of the system; padded with zeros to 16 bytes
0x58 8 bytes Stream number; corresponds to the numbered stream within the jump list
0x64 8 bytes FILETIME object
0x70 2 bytes Number of Unicode characters in the string that follows


CustomDestinations

Path: C:\Users\user\Recent\CustomDestinations
Files: *.customDestinations-ms

Structure

AppIDs

List of Jump List IDsWindows