What’s a jumplist?

While studying for my GIAC Certified Forensics Examiner certification, I read about jumplists (or jump lists in some documents). Even though I have used these many times, I had never heard the term. It’s easiest to describe what it is by what it looks like. When you right click on an item in the taskbar, you get a list of recent files and sometimes actions. The files (or destinations) in the jumplist are added automatically by Windows based on usage (accessing the files from the application); the actions (or tasks) in the jumplist are created by the application itself. These are stored in two directories, %userprofile%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations and %userprofile%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations.

The AutomaticDestinations directory contains files for each application, one file per application, named XXXXXXXXXXXXXXXX.automaticDestinations-ms (X represents the 16 character AppID). The data in the files are stored in the Structured Storage format. They contain links (.LNK) to files opened by the application, a timestamp that shows the date the .LNK was created, the MFU/MRU (Most Frequently Used/Most Recently Used) sequence, and the full path of the directory or file that was accessed. These links exist even if the file itself has been deleted.

A custom jumplist provides access to application specific tasks (like in-private browsing). This jumplist can be populated with tasks designed by the application developer or by the user pinning an application to the start bar. CustomDestinations files use the same naming convention as AutomaticDestinations above (except use customDestination in the file names) and may contain information like Google searches or other browser history, but does not contain the exact time that the activity occurred.

One of the interesting things about these directories is that you cannot browse them in Explorer. You can type the path in Explorer and see the files in the directory. You can also see them at the command line with a dir command or in PowerShell with the get-item command. At the command line, you can delete the AutomaticDestinations directory, but Windows will recreate the directory and begin re-populating the jumplists as you open files.

Another interesting thing about jumplists is how it is different from MRU (Recent). The MRU is stored in the registry under \Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU\ and stores up to 20 items by default. AutomaticDestinations does not appear to have a limit and can store hundreds of items.

A few remaining questions…

  • How can I get the AutomaticDestinations to display in Explorer?
  • Is there a limit to the number of items in the AutomaticDestinations folder?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create your website with WordPress.com
Get started
%d bloggers like this: