Difference between revisions of "Jump Lists"

From Forensics Wiki
(AutomaticDestinations)
(4 intermediate revisions by one user not shown)
Line 9: Line 9:
  
 
=== AutomaticDestinations ===
 
=== AutomaticDestinations ===
Path: C:\Users\user\Recent\AutomaticDestinations
+
Path: C:\Users\user\Recent\AutomaticDestinations<br>
Files: *.automaticDestinations
+
Files: *.automaticDestinations-ms
 
+
Structure - The autodest files follow the [http://msdn.microsoft.com/en-us/library/dd942138%28v=prot.13%29.aspx: MS-CFB] compound file binary format specification. 
+
  
 +
Structure<br>
 +
The autodest files follow the [http://msdn.microsoft.com/en-us/library/dd942138%28v=prot.13%29.aspx: MS-CFB] compound file binary format specification. Each of the numbered streams within the file follows the [http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx: MS-SHLLINK] binary format specification.
 +
<p>
 +
The autodest files also contain a stream named "DestList" which acts as a most recently/frequently used (MRU/MFU) list.  This stream consists of a 32-byte header, followed by the various structures that correspond to each of the individual numbered streams.  Each of these structures is 114 bytes in size, followed by a variable length Unicode string.  The first 114 bytes of the structure contains the following information at the corresponding offsets:
 +
<p>
 +
<table border="1">
 +
<tr> <th>Offset</th> <th>Size</th> <th>Description</th> </tr>
 +
<tr> <td>0x48</td> <td>16 bytes</td> <td>NetBIOS name of the system; padded with zeros to 16 bytes</td> </tr>
 +
<tr> <td>0x58</td> <td>8 bytes</td> <td>Stream number; corresponds to the numbered stream within the jump list</td> </tr>
 +
<tr> <td>0x64</td> <td>8 bytes</td> <td>[http://support.microsoft.com/kb/188768: FILETIME] object</td> </tr>
 +
<tr> <td>0x70</td> <td>2 bytes</td> <td>Number of Unicode characters in the string that follows </td> </tr>
 +
</table>
  
 
=== CustomDestinations ===
 
=== CustomDestinations ===
Path: C:\Users\user\Recent\CustomDestinations
+
Path: C:\Users\user\Recent\CustomDestinations<br>
Files: *.customDestinations
+
Files: *.customDestinations-ms
 
+
Structure
+
 
+
  
 +
Structure
  
 +
== AppIDs ==
 
[[List of Jump List IDs]]
 
[[List of Jump List IDs]]
17d3eb086439f0d7 TrueCrypt 7.0a
 
adecfb853d77462a MSWord 2007
 
c71ef2c372d322d7 PGP Desktop 10
 
cdf30b95c55fd785 MSExcel 2007
 
f5ac5390b9115fdb MSPowerPoint 2007
 
 
12dc1ea8e34b5a6 MSPaint 6.1
 
431a5b43435cc60b Python (.pyc)
 
469e4a7982cea4d4 ? (.job)
 
500b8c1d5302fc9c (.pyw)
 
50620fe75ee0093 VMWare Player 3.1.4
 
65009083bfa6a094 (app launched via XPMode)
 
7e4dca80246863e3 Control Panel (?)
 
83b03b46dcd30a0e iTunes 10
 
b0459de4674aab56 (.vmcx)
 
 
  
 
{{Windows}}
 
{{Windows}}
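Review bot: the DestList table added under AutomaticDestinations leaves parts of the 114-byte structure undescribed. Nothing is listed for offsets 0x00 to 0x47, and the 8-byte stream number at 0x58 ends at 0x5F while the next field starts at 0x64, so bytes 0x60 to 0x63 are unaccounted for. Add rows for those ranges (marked unknown if need be) and state the byte order of the multi-byte fields. The 32-byte DestList header is mentioned without a layout, and the CustomDestinations "Structure" heading still has no text under it.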

Revision as of 09:32, 23 August 2011


Jump Lists are a feature found in Windows 7.


Jump Lists

Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions. Jump Lists come in two flavors, automatic (autodest, or *.automaticDestinations-ms) and custom (custdest, or *.customDestinations-ms) files. Autodest files are created by the operating system

Jump Lists are located in the user profile path, in the C:\Users\user\Recent folder. Autodest Jump Lists are located in the automaticDestinations subdirectory, and custdest files are located in the customDestinations subdirectory.


AutomaticDestinations

Path: C:\Users\user\Recent\AutomaticDestinations
Files: *.automaticDestinations-ms

Structure
The autodest files follow the MS-CFB compound file binary format specification. Each of the numbered streams within the file follows the MS-SHLLINK binary format specification.

The autodest files also contain a stream named "DestList" which acts as a most recently/frequently used (MRU/MFU) list. This stream consists of a 32-byte header, followed by the various structures that correspond to each of the individual numbered streams. Each of these structures is 114 bytes in size, followed by a variable-length Unicode string. The first 114 bytes of the structure contain the following information at the corresponding offsets:

Offset  Size      Description
0x48    16 bytes  NetBIOS name of the system; padded with zeros to 16 bytes
0x58    8 bytes   Stream number; corresponds to the numbered stream within the jump list
0x64    8 bytes   FILETIME object
0x70    2 bytes   Number of Unicode characters in the string that follows
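
The DestList layout described above, as an added example (not code from the wiki or from any tool it references): a Python parser that walks the 32-byte header and the 114-byte entries using the four offsets in the table, and stops cleanly on a truncated stream. It assumes little-endian integers and UTF-16LE strings, which the page does not state; the sample stream, host name and paths are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 32   # DestList header length, from the text above
ENTRY_FIXED = 114  # fixed part of each entry (0x72), from the text above
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def parse_destlist(stream: bytes) -> list:
    """Return one dict per DestList entry, stopping at truncated data."""
    entries, pos = [], HEADER_SIZE
    while pos + ENTRY_FIXED <= len(stream):
        rec = stream[pos:pos + ENTRY_FIXED]
        # Assumption: multi-byte fields are little-endian, strings are UTF-16LE.
        stream_no, = struct.unpack_from("<Q", rec, 0x58)
        filetime, = struct.unpack_from("<Q", rec, 0x64)
        nchars, = struct.unpack_from("<H", rec, 0x70)
        end = pos + ENTRY_FIXED + nchars * 2  # 2 bytes per character
        if end > len(stream):
            break  # string runs past the end: carved or truncated stream
        try:  # FILETIME counts 100 ns ticks since 1601-01-01 UTC
            when = EPOCH + timedelta(microseconds=filetime // 10)
        except OverflowError:
            when = None  # out-of-range FILETIME in damaged data
        entries.append({
            "netbios": rec[0x48:0x58].split(b"\x00", 1)[0].decode("ascii", "replace"),
            "stream": stream_no,
            "time": when,
            "path": stream[pos + ENTRY_FIXED:end].decode("utf-16-le", "replace"),
        })
        pos = end
    return entries

def build_entry(host, stream_no, when, path):
    """Build a constructed sample entry using the offsets from the table."""
    rec = bytearray(ENTRY_FIXED)
    rec[0x48:0x58] = host.encode("ascii").ljust(16, b"\x00")
    struct.pack_into("<Q", rec, 0x58, stream_no)
    struct.pack_into("<Q", rec, 0x64, (when - EPOCH) // timedelta(microseconds=1) * 10)
    struct.pack_into("<H", rec, 0x70, len(path))
    return bytes(rec) + path.encode("utf-16-le")

# Constructed sample stream: zeroed header plus two entries (not real case data).
WHEN = datetime(2011, 8, 23, 9, 32, tzinfo=timezone.utc)
SAMPLE = (bytes(HEADER_SIZE)
          + build_entry("WKSTN01", 1, WHEN, r"C:\Users\user\Documents\report.docx")
          + build_entry("WKSTN01", 2, WHEN, r"C:\Users\user\Desktop\notes.txt"))
if __name__ == "__main__":
    for e in parse_destlist(SAMPLE):
        print(e["stream"], e["netbios"], e["time"], e["path"])
```
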

CustomDestinations

Path: C:\Users\user\Recent\CustomDestinations
Files: *.customDestinations-ms

Structure

AppIDs

List of Jump List IDs