Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/kacos2000/Jumplist-Browser
Automatic/Custom Destinations & LNK (MS-SHLLINK) Browser
https://github.com/kacos2000/Jumplist-Browser
00021401-0000-0000-c000-000000000046 1sps automaticdestinations-ms customdestinations-ms fmid forensic gui gui-application jumplist link lnk mrulist ms-shllink powershell propertylist shell shellbag shelllnk shortcut windows
Last synced: 2 months ago
JSON representation
Automatic/Custom Destinations & LNK (MS-SHLLINK) Browser
- Host: GitHub
- URL: https://github.com/kacos2000/Jumplist-Browser
- Owner: kacos2000
- License: gpl-2.0
- Created: 2022-11-15T17:27:30.000Z (about 2 years ago)
- Default Branch: master
- Last Pushed: 2024-02-25T21:44:26.000Z (11 months ago)
- Last Synced: 2024-11-06T06:16:10.710Z (2 months ago)
- Topics: 00021401-0000-0000-c000-000000000046, 1sps, automaticdestinations-ms, customdestinations-ms, fmid, forensic, gui, gui-application, jumplist, link, lnk, mrulist, ms-shllink, powershell, propertylist, shell, shellbag, shelllnk, shortcut, windows
- Language: PowerShell
- Homepage: https://kacos2000.github.io/Jumplist-Browser/
- Size: 13.3 MB
- Stars: 30
- Watchers: 2
- Forks: 3
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE
Awesome Lists containing this project
- awesome-starz - kacos2000/Jumplist-Browser - Automatic/Custom Destinations & LNK (MS-SHLLINK) Browser (PowerShell)
README
## Jumplist-Browser
Automatic/Custom Destinations & LNK (ShellLNK) Browser==> [Latest version](https://github.com/kacos2000/Jumplist-Browser/releases/latest) <==
___________________________________________
Dependencies:
- Operating system: Microsoft Windows 10+ 64 Bit
- [.NET Framework 4.8](https://dotnet.microsoft.com/en-us/download/dotnet-framework/net48)
- [Powershell Version: 5.1](https://docs.microsoft.com/en-us/powershell/scripting/windows-powershell/install/windows-powershell-system-requirements?view=powershell-5.1)
___________________________________________
Supports:
- Link: (.lnk) shortcut files
- Frequent Places Lists: '.customDestinations-ms' and '.automaticDestinations-ms' files
- Raw image files: '.001', '.raw','.dd', '.img', '.ima' *via the 'Open File' dialog* - *(carves and shows .lnk files and their offsets)*
- Current User (HKCU) keys which contain Shellink items:
- 'Software\Microsoft\Windows\Shell\BagMRU'
- 'Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\':
- 'OpenSavePidlMRU'
- 'LastVisitedPidlMRU'
- 'LastVisitedPidlMRULegacy'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\TWinUI\FilePicker\LastVisitedPidlMRU'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\Streams'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery'
- 'Software\Microsoft\Windows\CurrentVersion\Search'
- 'JumplistData' &
- 'RecentApps'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband':
- Favorites'
- 'FavoritesResolve'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2':
- 'Favorites'
- 'FavoritesResolve'
- 'ProgramsCache'
- 'ProgramsCacheSMP'
- 'ProgramsCacheTBP'
- 'Software\Microsoft\Windows\CurrentVersion\Lock Screen' *(Lock screen background image(s))*
___________________________________________
Features:
- Shows the [64-bit file size *(when a target file size is greater than 4Gb (0xFFFFFFFF))*](https://github.com/kacos2000/Jumplist-Browser/releases/tag/v.0.0.37.0)
*(DWORD nFileSizeHigh + DWORD nFileSizeLow)*
- Shows [Reparse Point Tags](https://github.com/kacos2000/Jumplist-Browser/releases/tag/v.0.0.33.0) & their description
- Shows customDestinations ['CustomCategory' titles](https://github.com/kacos2000/Jumplist-Browser/assets/11378310/0c1f9909-59ce-4330-b036-a21d995a1406)
- Shows Pin Entry *(item order)* number of pinned items in automaticDestinations-ms
- Shows Quick Access position *(item order)* in automaticDestinations-ms
- Supports the 'DestListPropertyStore' stream in automaticDestinations-ms
- Supports PropertyStore extensions in automaticDestinations-ms 'DestList' stream entries
- Shows Serialized Property descriptions for most [FormatID/PropertyID combinations](https://github.com/kacos2000/Jumplist-Browser/blob/master/FormatID-Descriptions.csv)
- Shows the [Application name](https://github.com/kacos2000/Jumplist-Browser/blob/master/AppIdlist.csv) for known [CRC64 hashes](https://www.hexacorn.com/blog/2013/04/30/jumplists-file-names-and-appid-calculator/) in Destinations-ms files
- Resolves CLSIDs, [SID](https://github.com/kacos2000/Jumplist-Browser/releases/tag/v.1.0.3.0)s, File Attribute & SFGAO flags, Stock Icon IDs, [MAC address/manufacturer](https://github.com/kacos2000/Jumplist-Browser/releases/tag/v.1.0.5.0) etc
- [Single executable *(x64)*](https://github.com/kacos2000/Jumplist-Browser/releases/latest) => can be used with [Arsenal Image Mounter](https://arsenalrecon.com/products/arsenal-image-mounter) & [Virtual machines](https://github.com/kacos2000/Jumplist-Browser/assets/11378310/5371c027-3155-4d81-9d32-b7035ea510fa)
- Can [export to .JSON](https://github.com/kacos2000/Jumplist-Browser/releases/tag/v.0.0.52.0)___________________________________________
Sample screenshots:
---------------------------------------------------------------------------------------------------------------
### [TIP]:
In **'automaticDestinations-ms'** files, with the exception of *Windows Control Panel*, *Windows Explorer* and *Quick Access*,
entries usually include a 'Hint' on which Application they are related to.
These 'hints' are seen in the last IDlist entry (type [32] *(File)*):either indirectly:
MPC-HC *(Media Player Classic - Home Cinema)*:
MS Excel:
Edge Browser:
*(the "**AppX**d4nrz8ff68srnhf9t5a8sbjyar1cr723" type entries can be looked up in:
'HKLM::Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs')*or Directly:
Windows Wordpad:
Modern CSV:
Maël Hörz's [HxD Hex Editor](https://mh-nexus.de/en/hxd/)
___________________________________________
References:
- [Shell Link (.LNK) Binary File Format](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/a6c2f32d-2297-4727-bcd3-5d3669573bcb)
*The most important component of a link target namespace is a link target in the form of an item ID list (IDList)*
- [Serialized Property Store](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-propstore/3453fb82-0e4f-4c2c-bc04-64b4bd2c51ec)
- [Shell Namespace](https://learn.microsoft.com/en-us/windows/win32/shell/namespace-intro?redirectedfrom=MSDN)
- [Windows Data Types](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/cca27429-5689-4a16-b2b4-9325d93e4ba2)
- [LnkSearchMachine](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dltw/6cbc37d6-c74a-4078-8030-19d4de1807bf)
*FileLocation: A VolumeID with an appended ObjectID, which together represent the location of a file at some point in time, though the file might no longer be there. FileLocation values are stored in droid (CDomainRelativeObjId) data structures.*
---------------------------------------------------------------------------------------------------------------
- **Note:** *Uses the following Libraries:*
- [ShellLink .NET Class Library](https://github.com/securifybv/ShellLink) and
- [PropertyStore .NET Class Library](https://github.com/securifybv/PropertyStore)