Difference between pages "Jump Lists" and "Compression"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(AutomaticDestinations)
 
(LZ1)
 
Line 1: Line 1:
{{expand}}
+
{{Expand}}
'''Jump Lists''' are a feature found in Windows 7.
+
  
== Jump Lists ==
+
== External Links ==
Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions.  Jump Lists come in two flavors, automatic (autodest, or *.automaticDestinations-ms) and custom (custdest, or *.customDestinations-ms) files. Autodest files are created by the operating system
+
* [http://www.coderforlife.com/ Microsoft Compression Formats]
  
Jump Lists are located in the user profile path, in the C:\Users\''user''\Recent folder.  Autodest Jump Lists are located in the automaticDestinations subdirectory, and custdest files are located in the customDestinations subdirectory.
+
=== LZ1 ===
 
+
* [http://andyh.org/LZ1.html LZ1]
 
+
=== AutomaticDestinations ===
+
Path: C:\Users\user\Recent\AutomaticDestinations<br>
+
Files: *.automaticDestinations-ms
+
 
+
'''Structure'''<br>
+
The autodest files follow the [http://msdn.microsoft.com/en-us/library/dd942138%28v=prot.13%29.aspx: MS-CFB] compound file binary format specification. Each of the numbered streams within the file follows the [http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx: MS-SHLLINK] binary format specification.
+
<p>
+
The autodest files also contain a stream named "DestList" which acts as a most recently/frequently used (MRU/MFU) list.  This stream consists of a 32-byte header, followed by the various structures that correspond to each of the individual numbered streams.  Each of these structures is 114 bytes in size, followed by a variable length Unicode string.  The first 114 bytes of the structure contains the following information at the corresponding offsets:
+
 
+
<table border="1">
+
<tr> <th>Offset</th> <th>Size</th> <th>Description</th> </tr>
+
<tr> <td>0x48</td> <td>16 bytes</td> <td>NetBIOS name of the system; padded with zeros to 16 bytes</td> </tr>
+
<tr> <td>0x58</td> <td>8 bytes</td> <td>Stream number; corresponds to the numbered stream within the jump list</td> </tr>
+
<tr> <td>0x64</td> <td>8 bytes</td> <td>[http://support.microsoft.com/kb/188768: FILETIME] object</td> </tr>
+
<tr> <td>0x70</td> <td>2 bytes</td> <td>Number of Unicode characters in the string that follows </td> </tr>
+
</table>
+
 
+
=== CustomDestinations ===
+
Path: C:\Users\user\Recent\CustomDestinations<br>
+
Files: *.customDestinations-ms
+
 
+
Structure
+
 
+
== AppIDs ==
+
[[List of Jump List IDs]]
+
 
+
{{Windows}}
+

Revision as of 01:09, 9 June 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

External Links

LZ1