Difference between pages "Jump Lists" and "User Account Control (UAC)"

From ForensicsWiki

{{expand}}

'''Jump Lists''' are a feature introduced in Windows 7.

== Jump Lists ==

Jump Lists are a Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions. Jump Lists come in two flavors: automatic (autodest, or *.automaticDestinations-ms) and custom (custdest, or *.customDestinations-ms) files. Autodest files are created by the operating system.

Jump Lists are located in the user profile, in the Recent folder (C:\Users\''user''\AppData\Roaming\Microsoft\Windows\Recent; the C:\Users\''user''\Recent path is a junction that points to it). Autodest Jump Lists are located in the AutomaticDestinations subdirectory, and custdest files are located in the CustomDestinations subdirectory.

''Author's Note'': Jump Lists can prove to be considerably valuable during an examination, as the files appear (in limited testing) to persist after the application itself is removed from the system. In one test, iTunes 10 was installed on a 64-bit Windows 7 system, and two audio files (i.e., [http://www.cyberspeak.libsyn.com CyberSpeak podcasts]) were launched via iTunes. The Jump Lists persisted after iTunes was removed from the system.

=== AutomaticDestinations ===

Path: C:\Users\''user''\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations<br>
Files: *.automaticDestinations-ms

'''Structure'''<br>
An autodest file is an [[OLE Compound File]]. Each of the numbered streams within the file follows the [http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx MS-SHLLINK] binary format specification.

The autodest files also contain a stream named "DestList" which acts as a most recently/frequently used (MRU/MFU) list. This stream consists of a 32-byte header, followed by one structure for each of the individual numbered streams. Each of these structures is 114 bytes in size, followed by a variable-length Unicode (UTF-16LE) string. The first 114 bytes of the structure contain the following information at the corresponding offsets (relative to the start of the structure; bytes not listed are not described here):

<table border="1">
<tr> <th>Offset</th> <th>Size</th> <th>Description</th> </tr>
<tr> <td>0x48</td> <td>16 bytes</td> <td>NetBIOS name of the system; padded with zeros to 16 bytes</td> </tr>
<tr> <td>0x58</td> <td>8 bytes</td> <td>Stream number; corresponds to the numbered stream within the jump list</td> </tr>
<tr> <td>0x64</td> <td>8 bytes</td> <td>[http://support.microsoft.com/kb/188768 FILETIME] object</td> </tr>
<tr> <td>0x70</td> <td>2 bytes</td> <td>Number of Unicode characters in the string that follows</td> </tr>
</table>

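The offsets in the table are enough to walk a DestList stream and pair each MRU/MFU record with its numbered SHLLINK stream. The parser below is an added example written for this page; it is not code from ForensicsWiki or from any of the tools listed under Tools. It assumes the raw DestList stream has already been extracted from the compound file, skips the entry bytes before 0x48 that the page does not describe, and parses a constructed sample stream (not data from a real jump list). It also refuses a truncated stream rather than returning partial results, which is the failure mode to expect with a carved or damaged file.

```python
# Added example, not part of the ForensicsWiki page: a DestList parser built
# only from the offsets in the table above (32-byte header, 114 fixed bytes
# per entry, then a UTF-16LE string of the stated length). Bytes 0x00-0x47
# of each entry are not described on the page and are skipped. The sample
# stream at the bottom is constructed, not taken from a real jump list.
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x20      # 32-byte DestList header
ENTRY_FIXED = 0x72      # 114 fixed bytes precede the variable-length path
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the fixture."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_destlist(data):
    """Return one dict per DestList entry, walking entries until the stream ends.

    Raises ValueError on a truncated stream instead of silently returning
    partial results, so a damaged or carved file is noticed during an exam.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("DestList stream shorter than its 32-byte header")
    entries = []
    pos = HEADER_SIZE
    while pos < len(data):
        if len(data) - pos < ENTRY_FIXED:
            raise ValueError(f"truncated DestList entry at offset {pos:#x}")
        fixed = data[pos:pos + ENTRY_FIXED]
        # 0x48: NetBIOS name, zero-padded to 16 bytes
        hostname = fixed[0x48:0x58].split(b"\0", 1)[0].decode("ascii", "replace")
        (stream_number,) = struct.unpack_from("<Q", fixed, 0x58)   # 0x58: stream number
        (filetime,) = struct.unpack_from("<Q", fixed, 0x64)        # 0x64: FILETIME
        (nchars,) = struct.unpack_from("<H", fixed, 0x70)          # 0x70: string length
        start = pos + ENTRY_FIXED
        end = start + nchars * 2           # UTF-16LE: two bytes per character
        if end > len(data):
            raise ValueError(f"path of entry at offset {pos:#x} runs past end of stream")
        entries.append({
            "hostname": hostname,
            "stream_number": stream_number,
            "mtime": filetime_to_datetime(filetime),
            "path": data[start:end].decode("utf-16-le"),
        })
        pos = end
    return entries


def build_entry(hostname, stream_number, mtime, path):
    """Constructed fixture entry; fields the page does not describe stay zero."""
    fixed = bytearray(ENTRY_FIXED)
    fixed[0x48:0x58] = hostname.encode("ascii").ljust(16, b"\0")
    struct.pack_into("<Q", fixed, 0x58, stream_number)
    struct.pack_into("<Q", fixed, 0x64, datetime_to_filetime(mtime))
    struct.pack_into("<H", fixed, 0x70, len(path))   # BMP-only paths: 1 char = 1 UTF-16 unit
    return bytes(fixed) + path.encode("utf-16-le")


# Constructed sample DestList: zeroed 32-byte header plus two entries.
SAMPLE_DESTLIST = bytes(HEADER_SIZE) + build_entry(
    "WIN7-PC", 1, datetime(2013, 3, 6, 1, 45, tzinfo=timezone.utc),
    r"C:\Users\user\Music\CyberSpeak_Mar_3_2013.mp3",
) + build_entry(
    "WIN7-PC", 2, datetime(2013, 3, 6, 1, 50, tzinfo=timezone.utc),
    r"C:\Users\user\Music\CyberSpeak_Feb_24_2013.mp3",
)

if __name__ == "__main__":
    for entry in parse_destlist(SAMPLE_DESTLIST):
        print(f'{entry["mtime"]:%Y-%m-%d %H:%M:%S} {entry["hostname"]:16} '
              f'stream {entry["stream_number"]:<3} {entry["path"]}')
```

In practice the DestList bytes come from a compound-file reader (the Structured Storage Viewer mentioned under Tools, or any OLE library); the stream number of each record is what you use to look up the numbered SHLLINK stream carrying the rest of the link metadata.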
=== CustomDestinations ===

Path: C:\Users\''user''\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations<br>
Files: *.customDestinations-ms

'''Structure'''<br>
Custdest files reportedly follow a structure of sequential [http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx MS-SHLLINK] binary format segments.

=== Tools ===

* Autodest files can be opened in tools such as the [http://mitec.cz/ssv.html MiTec Structured Storage Viewer], and each of the streams individually/manually extracted. Each of the extracted numbered streams can then be viewed via the [http://mitec.cz/wfa.html Windows File Analyzer].
* Another approach is to use Mark Woan's [http://www.woanware.co.uk/?p=265 JumpLister] tool to view the information within the numbered streams of each autodest file.
* TZWorks LLC's [http://tzworks.net/prototype_page.php?proto_id=20 Jump List Parser (jmp)] can parse both the custom and automatic Destinations type files. For automaticDestinations it associates the MRU/MFU metadata of the DestList stream with the SHLLINK metadata of the corresponding numbered stream. There are versions of the tool that run on Windows, Linux and Mac OS X.

== See also ==

* [[List of Jump List IDs]]
* [[Windows]]

[[Category:Windows]]

----

{{expand}}

'''User Account Control (UAC)''' is a Windows sub-system introduced in Windows Vista that limits application software to standard user privileges until an administrator authorizes an increase or elevation.

The file virtualization part of UAC is implemented by the LUA File Virtualization filter driver, LUAFV.SYS (LUA stands for Least-privileged User Account).

== EventLogs ==

Related EventLogs (the %4 in the file names is how the "/" of the channel name, e.g. Microsoft-Windows-UAC/Operational, is encoded on disk):
<pre>
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC%4Operational.evtx
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx
</pre>

== External Links ==

* [http://en.wikipedia.org/wiki/User_Account_Control Wikipedia: User Account Control]
* [http://www.codeproject.com/Articles/19165/Vista-UAC-The-Definitive-Guide Vista UAC: The Definitive Guide]
* [http://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx The deal with LUAFV.SYS], Alex Carp, June 25, 2009
* [http://journeyintoir.blogspot.ch/2012/10/you-are-not-admin-with-uac.html You Are Not Admin with UAC], by [[Corey Harrell]], October 8, 2012
* [http://journeyintoir.blogspot.ch/2013/03/uac-impact-on-malware.html UAC Impact on Malware], by [[Corey Harrell]], March 4, 2013

[[Category:Windows]]

Revision as of 01:45, 6 March 2013