Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/kacos2000/Jumplist-Browser

Automatic/Custom Destinations & LNK (MS-SHLLINK) Browser
https://github.com/kacos2000/Jumplist-Browser

00021401-0000-0000-c000-000000000046 1sps automaticdestinations-ms customdestinations-ms fmid forensic gui gui-application jumplist link lnk mrulist ms-shllink powershell propertylist shell shellbag shelllnk shortcut windows

Last synced: about 1 month ago
JSON representation

Automatic/Custom Destinations & LNK (MS-SHLLINK) Browser

Awesome Lists containing this project

README

        

## Jumplist-Browser
Automatic/Custom Destinations & LNK (ShellLNK) Browser

==> [Latest version](https://github.com/kacos2000/Jumplist-Browser/releases/latest) <==

___________________________________________
Dependencies:
- Operating system: Microsoft Windows 10+ 64 Bit
- [.NET Framework 4.8](https://dotnet.microsoft.com/en-us/download/dotnet-framework/net48)
- [Powershell Version: 5.1](https://docs.microsoft.com/en-us/powershell/scripting/windows-powershell/install/windows-powershell-system-requirements?view=powershell-5.1)
___________________________________________
Supports:
- Link: (.lnk) shortcut files
- Frequent Places Lists: '.customDestinations-ms' and '.automaticDestinations-ms' files
- Raw image files: '.001', '.raw','.dd', '.img', '.ima' *via the 'Open File' dialog* - *(carves and shows .lnk files and their offsets)*
- Current User (HKCU) keys which contain Shellink items:
- 'Software\Microsoft\Windows\Shell\BagMRU'
- 'Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\':
- 'OpenSavePidlMRU'
- 'LastVisitedPidlMRU'
- 'LastVisitedPidlMRULegacy'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\TWinUI\FilePicker\LastVisitedPidlMRU'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\Streams'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery'
- 'Software\Microsoft\Windows\CurrentVersion\Search'
- 'JumplistData' &
- 'RecentApps'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband':
- Favorites'
- 'FavoritesResolve'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2':
- 'Favorites'
- 'FavoritesResolve'
- 'ProgramsCache'
- 'ProgramsCacheSMP'
- 'ProgramsCacheTBP'
- 'Software\Microsoft\Windows\CurrentVersion\Lock Screen' *(Lock screen background image(s))*

___________________________________________
Features:
- Shows the [64-bit file size *(when a target file size is greater than 4Gb (0xFFFFFFFF))*](https://github.com/kacos2000/Jumplist-Browser/releases/tag/v.0.0.37.0)

*(DWORD nFileSizeHigh + DWORD nFileSizeLow)*
- Shows [Reparse Point Tags](https://github.com/kacos2000/Jumplist-Browser/releases/tag/v.0.0.33.0) & their description
- Shows customDestinations ['CustomCategory' titles](https://github.com/kacos2000/Jumplist-Browser/assets/11378310/0c1f9909-59ce-4330-b036-a21d995a1406)
- Shows Pin Entry *(item order)* number of pinned items in automaticDestinations-ms
- Shows Quick Access position *(item order)* in automaticDestinations-ms
- Supports the 'DestListPropertyStore' stream in automaticDestinations-ms
- Supports PropertyStore extensions in automaticDestinations-ms 'DestList' stream entries
- Shows Serialized Property descriptions for most [FormatID/PropertyID combinations](https://github.com/kacos2000/Jumplist-Browser/blob/master/FormatID-Descriptions.csv)
- Shows the [Application name](https://github.com/kacos2000/Jumplist-Browser/blob/master/AppIdlist.csv) for known [CRC64 hashes](https://www.hexacorn.com/blog/2013/04/30/jumplists-file-names-and-appid-calculator/) in Destinations-ms files
- Resolves CLSIDs, [SID](https://github.com/kacos2000/Jumplist-Browser/releases/tag/v.1.0.3.0)s, File Attribute & SFGAO flags, Stock Icon IDs, [MAC address/manufacturer](https://github.com/kacos2000/Jumplist-Browser/releases/tag/v.1.0.5.0) etc
- [Single executable *(x64)*](https://github.com/kacos2000/Jumplist-Browser/releases/latest) => can be used with [Arsenal Image Mounter](https://arsenalrecon.com/products/arsenal-image-mounter) & [Virtual machines](https://github.com/kacos2000/Jumplist-Browser/assets/11378310/5371c027-3155-4d81-9d32-b7035ea510fa)
- Can [export to .JSON](https://github.com/kacos2000/Jumplist-Browser/releases/tag/v.0.0.52.0)

___________________________________________
Sample screenshots:







---------------------------------------------------------------------------------------------------------------

### [TIP]:
In **'automaticDestinations-ms'** files, with the exception of *Windows Control Panel*, *Windows Explorer* and *Quick Access*,
entries usually include a 'Hint' on which Application they are related to.
These 'hints' are seen in the last IDlist entry (type [32] *(File)*):

either indirectly:

MPC-HC *(Media Player Classic - Home Cinema)*:



MS Excel:



Edge Browser:



*(the "**AppX**d4nrz8ff68srnhf9t5a8sbjyar1cr723" type entries can be looked up in:

'HKLM::Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs')*

or Directly:

Windows Wordpad:



Modern CSV:



Maël Hörz's [HxD Hex Editor](https://mh-nexus.de/en/hxd/)


___________________________________________
References:
- [Shell Link (.LNK) Binary File Format](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/a6c2f32d-2297-4727-bcd3-5d3669573bcb)

*The most important component of a link target namespace is a link target in the form of an item ID list (IDList)*
- [Serialized Property Store](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-propstore/3453fb82-0e4f-4c2c-bc04-64b4bd2c51ec)
- [Shell Namespace](https://learn.microsoft.com/en-us/windows/win32/shell/namespace-intro?redirectedfrom=MSDN)
- [Windows Data Types](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/cca27429-5689-4a16-b2b4-9325d93e4ba2)
- [LnkSearchMachine](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dltw/6cbc37d6-c74a-4078-8030-19d4de1807bf)

*FileLocation: A VolumeID with an appended ObjectID, which together represent the location of a file at some point in time, though the file might no longer be there. FileLocation values are stored in droid (CDomainRelativeObjId) data structures.*

---------------------------------------------------------------------------------------------------------------
- **Note:** *Uses the following Libraries:*
- [ShellLink .NET Class Library](https://github.com/securifybv/ShellLink) and
- [PropertyStore .NET Class Library](https://github.com/securifybv/PropertyStore)