Introduction 📝
Jumplist files are a Windows artifact introduced in Windows 7 that track user activity by storing a list of recently accessed files, folders, or URLs associated with specific applications. These files store the Recent and Frequent lists you see when right clicking an application icon on the taskbar or Start menu. These files are very useful artifacts during Digital Forensics and Incident Response work.
Here is some of the information Jumplist file help us with:
- User activities, what files or folders the user recently accessed
- Application usage, if the app has an
AutomaticDistinationentry, then that means it has been executed - Timeline analysis, fill the gaps when performing timeline analyzing
- Deleted files metadata, when file is deleted the MFT record becomes unallocated, Jumplist for the default application for that file. For example, we can find traces of a compressed file in the Jumplist even if the actual file is deleted, this is helpful to identify potentially exfiltrated files.
Jumplist Files 📂
Jumplist files are located in the user’s profile under the following path:
%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\
%APPDATA%\Microsoft\Windows\Recent\CustomDestinations\
Each file is associated with a specific application, identified by a hashed AppID in the filename. This post provides a good reference for the hash algorithm used. You can get the AppIDs for the applications installed on the systems using this command in Windows 11 (id field):
winget list
Automatic vs. Custom Jumplists
| Type | File Extension | Description |
|---|---|---|
| Automatic | .automaticDestinations-ms |
Automatically created by Windows |
| Custom | .customDestinations-ms |
Contains custom application defined task (ex. Create new Project) |
AutomaticDestinations usually contain more valuable forensic information and tend to have a greater number of entries compared to CustomDestinations. However, some applications that define custom tasks will only generate a CustomDestinations file, which may or may not track recent user activity.
For example:
VSCodeuses aCustomDestinationsfile that includes both custom tasks and a history of recently opened folders.- In contrast,
VMware Workstationalso have aCustomDestinationsfile, but only to define a task to create a new VM, it doesn’t record previously used virtual machines.
Structure 🧩
AutomaticDestinations 🤖
AutomaticDestinations files are stored in the Compound File Binary (CFB) format. You can think of CFB as a container that holds multiple internal streams (files). These files can be opened and inspected using tools like 7-Zip.
Inside an AutomaticDestinations file, you’ll typically find:
- DestList:
A structured stream that holds metadata about the recent file or folder accesses, such as access times, usage count, and entry number corresponding to the LNK file. - <HEX_NUMBER>:
One or more streams named with hexadecimal values. Each of these are a LNK file, which corresponds to an entry in theDestList.
DestList contain the following:
- A header
- Array of entries
The structure is shown below
DestList Header
| Offset | Field Name | Type | Size (Bytes) | Description |
|---|---|---|---|---|
| 0x00 | version |
u32 | 4 | DestList version |
| 0x04 | number_of_entries |
u32 | 4 | Total number of entries in the DestList |
| 0x08 | number_of_pinned_entries |
u32 | 4 | Number of pinned items (can be 0) |
| 0x0C | unknown / reserved | - | 20 | Unknown or reserved data |
DestList Entry
| Offset | Field Name | Type | Size (Bytes) | Description |
|---|---|---|---|---|
| 0x00 | unknown | - | 8 | Unknown or reserved data |
| 0x08 | volume_droid |
GUID | 16 | GUID of the volume where the file resides |
| 0x18 | file_droid |
GUID | 16 | GUID uniquely identifying the file |
| 0x28 | volume_birth_droid |
GUID | 16 | GUID marking the volume creation time |
| 0x38 | file_birth_droid |
GUID | 16 | GUID marking the file creation time |
| 0x48 | hostname |
String | 16 | UTF-8 hostname string (padded or null-terminated) |
| 0x58 | entry_number |
u32 | 4 | Index used to match a corresponding .lnk stream in the CFB file |
| 0x5C | unknown | - | 8 | Unknown or reserved data |
| 0x64 | mtime |
FileTime | 8 | Windows FILETIME for last modification time |
| 0x6C | pinned_flag |
u32 (or i32) | 4 | Set to 0xFFFFFFFF if not pinned, other values if pinned |
| 0x70 | unknown | - | 16 | Unknown (exists only in version > 1) |
| 0x80 | path_size |
u16 | 2 | Length of the UTF-16 path (in characters) |
| 0x82 | path |
String | - | UTF-16LE encoded string of the file/folder path |
| - | unknown | - | 4 | Final skip if version > 1 (unknown, maybe padding) |
For the LNK files corresponding with the DestList entries, refer to my blog post about LNK file structure here
CustomDestinations ✍️
CustomDestinations files use a proprietary binary format that organizes data into structured categories, each potentially containing one or more LNK entries. Unlike AutomaticDestinations, these files are not stored in CFB format.
This type of Jumplist files contains custom actions defined by the application. The example below is for VSCode:
Each file starts with a header, followed by one or more category.
Inside a CustomDestinations file, you’ll typically find:
- Header:
Contains metadata like the file version and the number of categories. - Array of
category:
One or more category blocks, each of which falls into one of three types:- Custom: app defined category (ex. Projects)
- Known: Predefined categories wither Frequent = 0x01 or Recent = 0x02. During testing, I found that some categories with the type Known have the value 0xffffffff. From Microsoft documentation here, This is NONE. It looks like it is just a place holder, as at lest one category should be present.
- Task: Shortcut tasks (ex. Create New Document)
The structure is shown below
| Offset | Field Name | Type | Size (Bytes) | Description |
|---|---|---|---|---|
| 0x00 | version |
u32 | 4 | File format version |
| 0x04 | num_of_cat |
u32 | 4 | Number of categories in the file |
| 0x08 | unknown | - | 4 | Always 0x00000000 in observed files (likely reserved) |
| 0x0C | categories |
Vec<Category> | - | An array of category structure |
Category 🗂️
| Offset | Field Name | Type | Size (Bytes) | Description |
|---|---|---|---|---|
| 0x00 | type |
u32 | 4 | Category type: 0x00 = Custom, 0x01 = Known, 0x02 = Task |
Custom Category (type = 0x00) 🏷️
| Offset | Field Name | Type | Size (Bytes) | Description |
|---|---|---|---|---|
| 0x04 | name_len |
u16 | 2 | Length of the category name in UTF-16 characters |
| 0x06 | name |
String | - | Category name (UTF-16LE encoded) |
| - | num_of_entries |
u32 | 4 | Number of LNK entries |
| - | entries |
Vec<LNK> | - | List of LNK entries preceded by 16-byte CLSID |
| - | footer | - | 4 | Footer (0xbabffbab) |
Known Category (type = 0x01) 🧠
| Offset | Field Name | Type | Size (Bytes) | Description |
|---|---|---|---|---|
| 0x04 | id |
u32 | 4 | Category ID: 0x01 = Frequent, 0x02 = Recent. Seen a lot of 0xffffffff during testing, this is unknown ID |
| 0x08 | footer | - | 4 | Footer (0xbabffbab) |
Task Category (type = 0x02) 🛠️
| Offset | Field Name | Type | Size (Bytes) | Description |
|---|---|---|---|---|
| 0x04 | num_of_entries |
u32 | 4 | Number of LNK entries |
| - | entries |
Vec<LNK> | - | List of LNK entries preceded by 16-byte CLSID |
| - | footer | - | 4 | Footer (0xbabffbab) |
Parser 🦀
Now, after we talked about Jumplist structure, It is time for some Crab 🦀! I wrote a library and a CLI tool to parse Jumplist files in Rust. Here is its features:
- Output the data in either
CSV,JSONLandJSONformat - Parses both
CustomDestinationsandAutomaticDestinationsfiles - Parses the embedded LNK files to get a full context
- A library to be used with other projects
- Mapping
AppIDhash toAppName(ex.faef7def55a1d4b->VLC 2.2.6)
Here is the help message for the Jumplist parser:
Created By: AbdulRhman Alfaifi <@A__ALFAIFI>
Version: v0.1.0
Reference: https://u0041.co/posts/articals/jumplist-files-artifacts/
Windows Jumplist Files Parser
Usage: jumplist_parser [OPTIONS]
Options:
-p, --path <PATH> Path(s) to Jumplist files to be parsed - accepts glob (defaults to 'AutomaticDestinations' & 'CustomDestinations' for all users)
-o, --output <FILE> The file path to write the output to [default: stdout]
--output-format <output-format> Output format [default: csv] [possible values: csv, jsonl, json]
--no-headers Don't print headers when using CSV as the output format
--normalize Normalize the result to the most important fields
-h, --help Print help
-V, --version Print version
This is an example output of an AutomaticDestination for VLC:
Show example JSON - 979 lines
{
"app_id": "faef7def55a1d4b",
"app_name": "VLC 2.2.6",
"type": "automatic",
"source_path": "samples/win11/AutomaticDestinations/faef7def55a1d4b.automaticDestinations-ms",
"data": {
"header": {
"version": 4,
"number_of_entries": 4,
"number_of_pinned_entries": 0
},
"entries": [
{
"volume_droid": "E193D864-C7E0-4660-896E-E4E81879E74C",
"file_droid": "663732C2-5C0D-11F0-8152-BC241114E2F4",
"volume_birth_droid": "E193D864-C7E0-4660-896E-E4E81879E74C",
"file_birth_droid": "663732C2-5C0D-11F0-8152-BC241114E2F4",
"hostname": "win11",
"entry_number": 4,
"mtime": "2025-07-09T00:14:18Z",
"pined": false,
"path": "C:\\Users\\u0041\\Desktop\\sim\\files\\video\\mkv\\sample_640x360.mkv",
"lnk": {
"target_full_path": "C:\\Users\\u0041\\Desktop\\sim\\files\\video\\mkv\\sample_640x360.mkv",
"shell_link_header": {
"file_attr": [
"ARCHIVE"
],
"mtime": "2025-07-09T00:12:36Z",
"atime": "2025-07-09T00:14:14Z",
"ctime": "2025-07-09T00:06:24Z",
"file_size": 573066,
"hot_key": null
},
"link_target_id_list": {
"id_list": [
{
"shell_item_data": {
"root": {
"sort_index": "MY_COMPUTER",
"guid": "20D04FE0-3AEA-1069-A2D8-08002B30309D"
}
}
},
{
"shell_item_data": {
"volume": {
"is_removable_media": false,
"name": "C:\\"
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "Users",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "Users"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "u0041",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "u0041"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "Desktop",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "Desktop"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "sim",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "sim"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "files",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "files"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "video",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "video"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "mkv",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "mkv"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": true,
"file_size": 573066,
"mtime": "2025-07-09T00:12:38Z",
"file_attr_flags": [
"ARCHIVE"
],
"name": "SAMPLE~2.MKV",
"extention_block": {
"ctime": "2025-07-09T00:06:26Z",
"atime": "2025-07-09T00:14:16Z",
"file_ref": {
"mft_entry": 326114,
"sequence_number": 1
},
"primary_name": "sample_640x360.mkv"
}
}
}
}
]
},
"link_info": {
"volume_id": {
"drive_type": "DRIVE_FIXED",
"serial_number": "607A-53E4"
},
"local_base_path": "C:\\Users\\u0041\\Desktop\\sim\\files\\video\\mkv\\sample_640x360.mkv"
},
"extra_data": {
"extra_data_blocks": [
{
"tracker": {
"machine_id": "win11",
"file_droid": "663732C2-5C0D-11F0-8152-BC241114E2F4",
"volume_droid": "E193D864-C7E0-4660-896E-E4E81879E74C",
"file_droid_birth": "663732C2-5C0D-11F0-8152-BC241114E2F4",
"volume_droid_birth": "E193D864-C7E0-4660-896E-E4E81879E74C",
"mac_address": "BC:24:11:14:E2:F4"
}
}
]
}
}
},
{
"volume_droid": "E193D864-C7E0-4660-896E-E4E81879E74C",
"file_droid": "66373208-5C0D-11F0-8152-BC241114E2F4",
"volume_birth_droid": "E193D864-C7E0-4660-896E-E4E81879E74C",
"file_birth_droid": "66373208-5C0D-11F0-8152-BC241114E2F4",
"hostname": "win11",
"entry_number": 3,
"mtime": "2025-07-09T00:09:20Z",
"pined": false,
"path": "C:\\Users\\u0041\\Desktop\\sim\\files\\audio\\aiff\\sample2.aiff",
"lnk": {
"target_full_path": "C:\\Users\\u0041\\Desktop\\sim\\files\\audio\\aiff\\sample2.aiff",
"shell_link_header": {
"file_attr": [
"ARCHIVE"
],
"mtime": "2025-07-09T00:08:49Z",
"atime": "2025-07-09T00:08:49Z",
"ctime": "2025-07-09T00:08:49Z",
"file_size": 38342102,
"hot_key": null
},
"link_target_id_list": {
"id_list": [
{
"shell_item_data": {
"root": {
"sort_index": "MY_COMPUTER",
"guid": "20D04FE0-3AEA-1069-A2D8-08002B30309D"
}
}
},
{
"shell_item_data": {
"volume": {
"is_removable_media": false,
"name": "C:\\"
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "Users",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "Users"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "u0041",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "u0041"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "Desktop",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "Desktop"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "sim",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "sim"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "files",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "files"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "audio",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "audio"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "aiff",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "aiff"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": true,
"file_size": 38342102,
"mtime": "2025-07-09T00:08:50Z",
"file_attr_flags": [
"ARCHIVE"
],
"name": "SAMPLE~3.AIF",
"extention_block": {
"ctime": "2025-07-09T00:08:50Z",
"atime": "2025-07-09T00:08:50Z",
"file_ref": {
"mft_entry": 326382,
"sequence_number": 1
},
"primary_name": "sample2.aiff"
}
}
}
}
]
},
"link_info": {
"volume_id": {
"drive_type": "DRIVE_FIXED",
"serial_number": "607A-53E4"
},
"local_base_path": "C:\\Users\\u0041\\Desktop\\sim\\files\\audio\\aiff\\sample2.aiff"
},
"extra_data": {
"extra_data_blocks": [
{
"tracker": {
"machine_id": "win11",
"file_droid": "66373208-5C0D-11F0-8152-BC241114E2F4",
"volume_droid": "E193D864-C7E0-4660-896E-E4E81879E74C",
"file_droid_birth": "66373208-5C0D-11F0-8152-BC241114E2F4",
"volume_droid_birth": "E193D864-C7E0-4660-896E-E4E81879E74C",
"mac_address": "BC:24:11:14:E2:F4"
}
}
]
}
}
},
{
"volume_droid": "E193D864-C7E0-4660-896E-E4E81879E74C",
"file_droid": "663731EC-5C0D-11F0-8152-BC241114E2F4",
"volume_birth_droid": "E193D864-C7E0-4660-896E-E4E81879E74C",
"file_birth_droid": "663731EC-5C0D-11F0-8152-BC241114E2F4",
"hostname": "win11",
"entry_number": 2,
"mtime": "2025-07-09T00:08:51Z",
"pined": false,
"path": "C:\\Users\\u0041\\Desktop\\sim\\files\\audio\\dts\\sample3.dts",
"lnk": {
"target_full_path": "C:\\Users\\u0041\\Desktop\\sim\\files\\audio\\dts\\sample3.dts",
"shell_link_header": {
"file_attr": [
"ARCHIVE"
],
"mtime": "2025-07-09T00:08:22Z",
"atime": "2025-07-09T00:08:22Z",
"ctime": "2025-07-09T00:06:13Z",
"file_size": 18659328,
"hot_key": null
},
"link_target_id_list": {
"id_list": [
{
"shell_item_data": {
"root": {
"sort_index": "MY_COMPUTER",
"guid": "20D04FE0-3AEA-1069-A2D8-08002B30309D"
}
}
},
{
"shell_item_data": {
"volume": {
"is_removable_media": false,
"name": "C:\\"
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "Users",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "Users"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "u0041",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "u0041"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "Desktop",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "Desktop"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "sim",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "sim"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "files",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "files"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "audio",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "audio"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "dts",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "dts"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": true,
"file_size": 18659328,
"mtime": "2025-07-09T00:08:24Z",
"file_attr_flags": [
"ARCHIVE"
],
"name": "sample3.dts",
"extention_block": {
"ctime": "2025-07-09T00:06:14Z",
"atime": "2025-07-09T00:08:24Z",
"file_ref": {
"mft_entry": 326009,
"sequence_number": 1
},
"primary_name": "sample3.dts"
}
}
}
}
]
},
"link_info": {
"volume_id": {
"drive_type": "DRIVE_FIXED",
"serial_number": "607A-53E4"
},
"local_base_path": "C:\\Users\\u0041\\Desktop\\sim\\files\\audio\\dts\\sample3.dts"
},
"extra_data": {
"extra_data_blocks": [
{
"tracker": {
"machine_id": "win11",
"file_droid": "663731EC-5C0D-11F0-8152-BC241114E2F4",
"volume_droid": "E193D864-C7E0-4660-896E-E4E81879E74C",
"file_droid_birth": "663731EC-5C0D-11F0-8152-BC241114E2F4",
"volume_droid_birth": "E193D864-C7E0-4660-896E-E4E81879E74C",
"mac_address": "BC:24:11:14:E2:F4"
}
}
]
}
}
},
{
"volume_droid": "E193D864-C7E0-4660-896E-E4E81879E74C",
"file_droid": "663731E5-5C0D-11F0-8152-BC241114E2F4",
"volume_birth_droid": "E193D864-C7E0-4660-896E-E4E81879E74C",
"file_birth_droid": "663731E5-5C0D-11F0-8152-BC241114E2F4",
"hostname": "win11",
"entry_number": 1,
"mtime": "2025-07-09T00:08:29Z",
"pined": false,
"path": "C:\\Users\\u0041\\Desktop\\sim\\files\\audio\\dts\\sample1.dts",
"lnk": {
"target_full_path": "C:\\Users\\u0041\\Desktop\\sim\\files\\audio\\dts\\sample1.dts",
"shell_link_header": {
"file_attr": [
"ARCHIVE"
],
"mtime": "2025-07-09T00:08:23Z",
"atime": "2025-07-09T00:08:23Z",
"ctime": "2025-07-09T00:06:08Z",
"file_size": 21538816,
"hot_key": null
},
"link_target_id_list": {
"id_list": [
{
"shell_item_data": {
"root": {
"sort_index": "MY_COMPUTER",
"guid": "20D04FE0-3AEA-1069-A2D8-08002B30309D"
}
}
},
{
"shell_item_data": {
"volume": {
"is_removable_media": false,
"name": "C:\\"
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "Users",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "Users"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "u0041",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "u0041"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "Desktop",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "Desktop"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "sim",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "sim"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "files",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "files"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "audio",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "audio"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "1980-01-01T00:00:00Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "dts",
"extention_block": {
"ctime": "1980-01-01T00:00:00Z",
"atime": "1980-01-01T00:00:00Z",
"file_ref": {
"mft_entry": 0,
"sequence_number": 0
},
"primary_name": "dts"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": true,
"file_size": 21538816,
"mtime": "2025-07-09T00:08:24Z",
"file_attr_flags": [
"ARCHIVE"
],
"name": "sample1.dts",
"extention_block": {
"ctime": "2025-07-09T00:06:10Z",
"atime": "2025-07-09T00:08:24Z",
"file_ref": {
"mft_entry": 325962,
"sequence_number": 1
},
"primary_name": "sample1.dts"
}
}
}
}
]
},
"link_info": {
"volume_id": {
"drive_type": "DRIVE_FIXED",
"serial_number": "607A-53E4"
},
"local_base_path": "C:\\Users\\u0041\\Desktop\\sim\\files\\audio\\dts\\sample1.dts"
},
"extra_data": {
"extra_data_blocks": [
{
"tracker": {
"machine_id": "win11",
"file_droid": "663731E5-5C0D-11F0-8152-BC241114E2F4",
"volume_droid": "E193D864-C7E0-4660-896E-E4E81879E74C",
"file_droid_birth": "663731E5-5C0D-11F0-8152-BC241114E2F4",
"volume_droid_birth": "E193D864-C7E0-4660-896E-E4E81879E74C",
"mac_address": "BC:24:11:14:E2:F4"
}
}
]
}
}
}
]
}
}
This is an example output for CustomDestination file for VSCode:
Show example JSON - 279 lines
{
"app_id": "1ced32d74a95c7bc",
"app_name": "Microsoft Visual Studio Code",
"type": "custom",
"source_path": "samples/win11/CustomDestinations/1ced32d74a95c7bc.customDestinations-ms",
"data": {
"header": {
"version": 2,
"num_of_cat": 3
},
"entries": [
{
"type": "task",
"num_of_entries": 1,
"entries": [
{
"target_full_path": "C:\\Program Files\\Microsoft VS Code\\Code.exe",
"shell_link_header": {
"file_attr": [
"ARCHIVE"
],
"mtime": "2025-06-24T17:48:40Z",
"atime": "2025-07-09T00:04:47Z",
"ctime": "2025-07-08T14:34:41Z",
"file_size": 192449080,
"hot_key": null
},
"link_target_id_list": {
"id_list": [
{
"shell_item_data": {
"root": {
"sort_index": "MY_COMPUTER",
"guid": "20D04FE0-3AEA-1069-A2D8-08002B30309D"
}
}
},
{
"shell_item_data": {
"volume": {
"is_removable_media": false,
"name": "C:\\"
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "2025-07-08T14:35:38Z",
"file_attr_flags": [
"READONLY",
"DIRECTORY"
],
"name": "PROGRA~1",
"extention_block": {
"ctime": "2021-06-05T12:10:50Z",
"atime": "2025-07-08T23:17:58Z",
"file_ref": {
"mft_entry": 66,
"sequence_number": 1
},
"primary_name": "P"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "2025-07-08T14:34:56Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "MICROS~2",
"extention_block": {
"ctime": "2025-07-08T14:34:42Z",
"atime": "2025-07-08T23:17:58Z",
"file_ref": {
"mft_entry": 97448,
"sequence_number": 4
},
"primary_name": "Microsoft VS Code"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": true,
"file_size": 192449080,
"mtime": "2025-06-24T17:48:40Z",
"file_attr_flags": [
"ARCHIVE"
],
"name": "Code.exe",
"extention_block": {
"ctime": "2025-07-08T14:34:42Z",
"atime": "2025-07-08T23:19:40Z",
"file_ref": {
"mft_entry": 99219,
"sequence_number": 2
},
"primary_name": "Code.exe"
}
}
}
}
]
},
"link_info": {
"volume_id": {
"drive_type": "DRIVE_FIXED",
"serial_number": "607A-53E4"
},
"local_base_path": "C:\\Program Files\\Microsoft VS Code\\Code.exe"
},
"name_string": "Opens a new window",
"command_line_arguments": "-n",
"icon_location": "C:\\Program Files\\Microsoft VS Code\\Code.exe",
"extra_data": {
"extra_data_blocks": [
{
"tracker": {
"machine_id": "win11",
"file_droid": "2A36BD15-5C06-11F0-8152-BC241114E2F4",
"volume_droid": "E193D864-C7E0-4660-896E-E4E81879E74C",
"file_droid_birth": "2A36BD15-5C06-11F0-8152-BC241114E2F4",
"volume_droid_birth": "E193D864-C7E0-4660-896E-E4E81879E74C",
"mac_address": "BC:24:11:14:E2:F4"
}
}
]
}
}
]
},
{
"type": "custom",
"name": "Recent Folders",
"num_of_entries": 1,
"entries": [
{
"target_full_path": "C:\\Program Files\\Microsoft VS Code\\Code.exe",
"shell_link_header": {
"file_attr": [
"ARCHIVE"
],
"mtime": "2025-06-24T17:48:40Z",
"atime": "2025-07-09T00:04:47Z",
"ctime": "2025-07-08T14:34:41Z",
"file_size": 192449080,
"hot_key": null
},
"link_target_id_list": {
"id_list": [
{
"shell_item_data": {
"root": {
"sort_index": "MY_COMPUTER",
"guid": "20D04FE0-3AEA-1069-A2D8-08002B30309D"
}
}
},
{
"shell_item_data": {
"volume": {
"is_removable_media": false,
"name": "C:\\"
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "2025-07-08T14:35:38Z",
"file_attr_flags": [
"READONLY",
"DIRECTORY"
],
"name": "PROGRA~1",
"extention_block": {
"ctime": "2021-06-05T12:10:50Z",
"atime": "2025-07-08T23:17:58Z",
"file_ref": {
"mft_entry": 66,
"sequence_number": 1
},
"primary_name": "P"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": false,
"file_size": 0,
"mtime": "2025-07-08T14:34:56Z",
"file_attr_flags": [
"DIRECTORY"
],
"name": "MICROS~2",
"extention_block": {
"ctime": "2025-07-08T14:34:42Z",
"atime": "2025-07-08T23:17:58Z",
"file_ref": {
"mft_entry": 97448,
"sequence_number": 4
},
"primary_name": "Microsoft VS Code"
}
}
}
},
{
"shell_item_data": {
"file_entry": {
"is_file": true,
"file_size": 192449080,
"mtime": "2025-06-24T17:48:40Z",
"file_attr_flags": [
"ARCHIVE"
],
"name": "Code.exe",
"extention_block": {
"ctime": "2025-07-08T14:34:42Z",
"atime": "2025-07-08T23:19:40Z",
"file_ref": {
"mft_entry": 99219,
"sequence_number": 2
},
"primary_name": "Code.exe"
}
}
}
}
]
},
"link_info": {
"volume_id": {
"drive_type": "DRIVE_FIXED",
"serial_number": "607A-53E4"
},
"local_base_path": "C:\\Program Files\\Microsoft VS Code\\Code.exe"
},
"name_string": "C:\\Users\\u0041\\Desktop\\sim",
"command_line_arguments": "--folder-uri \"file:///c%3A/Users/u0041/Desktop/sim\"",
"icon_location": "explorer.exe",
"extra_data": {
"extra_data_blocks": [
{
"tracker": {
"machine_id": "win11",
"file_droid": "2A36BD15-5C06-11F0-8152-BC241114E2F4",
"volume_droid": "E193D864-C7E0-4660-896E-E4E81879E74C",
"file_droid_birth": "2A36BD15-5C06-11F0-8152-BC241114E2F4",
"volume_droid_birth": "E193D864-C7E0-4660-896E-E4E81879E74C",
"mac_address": "BC:24:11:14:E2:F4"
}
}
]
}
}
]
},
{
"type": "known",
"id": "recent"
}
]
}
}
You can also use the library, example usage below:
use jumplist_parser::JumplistParser;
fn main() {
let parsed = JumplistParser::from_path("samples/win11/automaticDestinations/faef7def55a1d4b.automaticDestinations-ms").unwrap();
println!("{:?}", parsed);
}
You can find the library and CLI tool in my Github and in crates.io
Takeaways 🎯
- Jumplist files are valuable forensic artifacts introduced in Windows 7 to track user interaction with applications.
- There are two types of Jumplist files:
- AutomaticDestinations: Created automatically by Windows.
- CustomDestinations: Defined by applications for specific tasks or shortcuts.
- Contains embedded LNK files, which can be parsed for more context.
- Jumplist files aren’t generated for all applications.
Takeaways for AutomaticDestinations:
-
Stored in Compound File Binary (CFB) format, similar to Microsoft Office files.
-
Contains two main components:
- DestList: Stores metadata such as access time, entry index, and file GUIDs.
- <HEX_NUMBERED> streams: Embedded LNK files representing each recent item.
-
Useful for:
- Identifying deleted files that no longer exist on disk.
- Application execution evidence (presence of an AutomaticDestination file for the app indicates the app was launched).
- Enriching timeline analysis with accurate timestamps.
-
Typically provides richer forensic value than
CustomDestinations.
Takeaways for CustomDestinations:
- Uses a proprietary binary format, not CFB.
- Organized into categories of 3 types:
Custom,Known, andTask. - May or may not include usage history, it depends on how the application implements it.
- For example:
- VSCode: Tracks recent folders and defines custom tasks.
- VMware: Only defines tasks (e.g., “Create New VM”) with no history.
- For example:
| Feature | AutomaticDestinations |
CustomDestinations |
|---|---|---|
| Extension | .automaticDestinations-ms |
.customDestinations-ms |
| Created By | Windows (automatically) | Application defined |
| File Format | Compound File Binary (CFB) | Binary format |
| Main Components | DestList + multiple LNK streams |
Header + array of categories + embedded LNKs |
| Categories | Recent |
Custom, Known (Recent/Frequent), Task |
| Tracks Usage History | ✅Yes (Recent files/folders opened by user) | ⚠️ Depends on app (may contain tasks only) |
| Contains LNK Files | ✅ Yes | ✅ Yes |
| Forensic Value | ⭐ High – rich metadata for timeline analysis | ⚠️ Low - depends on app (may contain tasks only) |
| Examples | VLC, Notepad, WinRAR | VSCode, VMware, Calculator |
