Awesome
Jumplist-Browser
Automatic/Custom Destinations & LNK (ShellLNK) Browser
==> Latest version <==
Dependencies:
- Operating system: Microsoft Windows 10+ 64 Bit
- .NET Framework 4.8
- Powershell Version: 5.1
Supports:
- Link: (.lnk) shortcut files
- Frequent Places Lists: '.customDestinations-ms' and '.automaticDestinations-ms' files
- Raw image files: '.001', '.raw','.dd', '.img', '.ima' via the 'Open File' dialog - (carves and shows .lnk files and their offsets)
- Current User (HKCU) keys which contain Shellink items:
- 'Software\Microsoft\Windows\Shell\BagMRU'
- 'Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32':
- 'OpenSavePidlMRU'
- 'LastVisitedPidlMRU'
- 'LastVisitedPidlMRULegacy'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\TWinUI\FilePicker\LastVisitedPidlMRU'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\Streams'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery'
- 'Software\Microsoft\Windows\CurrentVersion\Search'
- 'JumplistData' &
- 'RecentApps'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband':
- Favorites'
- 'FavoritesResolve'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2':
- 'Favorites'
- 'FavoritesResolve'
- 'ProgramsCache'
- 'ProgramsCacheSMP'
- 'ProgramsCacheTBP'
- 'Software\Microsoft\Windows\CurrentVersion\Lock Screen' (Lock screen background image(s))
Features:
- Shows the 64-bit file size (when a target file size is greater than 4Gb (0xFFFFFFFF))<br> (DWORD nFileSizeHigh + DWORD nFileSizeLow)
- Shows Reparse Point Tags & their description
- Shows customDestinations 'CustomCategory' titles
- Shows Pin Entry (item order) number of pinned items in automaticDestinations-ms
- Shows Quick Access position (item order) in automaticDestinations-ms
- Supports the 'DestListPropertyStore' stream in automaticDestinations-ms
- Supports PropertyStore extensions in automaticDestinations-ms 'DestList' stream entries
- Shows Serialized Property descriptions for most FormatID/PropertyID combinations
- Shows the Application name for known CRC64 hashes in Destinations-ms files
- Resolves CLSIDs, SIDs, File Attribute & SFGAO flags, Stock Icon IDs, MAC address/manufacturer etc
- Single executable (x64) => can be used with Arsenal Image Mounter & Virtual machines
- Can export to .JSON
Sample screenshots:<br>
<img src="https://github.com/kacos2000/Jumplist-Browser/assets/11378310/f2f7e462-9f1c-4c07-a4d3-3ce340730905" width="600"><br>
<img src="https://github.com/kacos2000/Jumplist-Browser/assets/11378310/93336ab3-64a9-4c03-acfd-120c17327712" width="600"><br>
<img src="https://github.com/kacos2000/Jumplist-Browser/assets/11378310/afa43473-6f70-4b76-b6ce-366458c6eb17" width="500"><img src="https://github.com/kacos2000/Jumplist-Browser/assets/11378310/d3f08278-59a0-404f-a95d-bde23d2432f1" width="600"><br>
<img src="https://user-images.githubusercontent.com/11378310/220356910-0085c017-c4c1-45da-96a0-24f7be69f13f.png" width="500"><img src="https://github.com/kacos2000/Jumplist-Browser/assets/11378310/8c57f55f-1fc0-4f81-bcbf-b18207695243" width="500"><br>
<img src="https://github.com/kacos2000/Jumplist-Browser/assets/11378310/474966bd-a77b-4f9f-9775-b9f2dbb9abeb" width="500"><br>
<img src="https://user-images.githubusercontent.com/11378310/220354146-a502d9bf-3b04-454a-ae37-a41db1899c15.png" width="500"><br>
<!-- Commented out --> <!--  -->[TIP]:
In 'automaticDestinations-ms' files, with the exception of Windows Control Panel, Windows Explorer and Quick Access, entries usually include a 'Hint' on which Application they are related to. These 'hints' are seen in the last IDlist entry (type [32] (File)):
either indirectly: <br> MPC-HC (Media Player Classic - Home Cinema):<br> <img src="https://user-images.githubusercontent.com/11378310/219865398-65ceda89-8e6c-4a53-9f20-228d1fda0458.png" width="300"><br> MS Excel:<br> <img src="https://user-images.githubusercontent.com/11378310/219865245-1f6203be-08df-4499-bb70-27b13ce87ab1.png" width="300"><br> Edge Browser:<br> <img src="https://github.com/kacos2000/Jumplist-Browser/assets/11378310/d4761eeb-5b1b-4aa9-8470-f5cf692a2a34" width="500"><br> (the "AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723" type entries can be looked up in:<br> 'HKLM::Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs')
or Directly:<br> Windows Wordpad:<br> <img src="https://user-images.githubusercontent.com/11378310/219865461-223076e7-4195-4089-97e3-6a8b00baa5bd.png" width="300"><br> Modern CSV:<br> <img src="https://user-images.githubusercontent.com/11378310/219865578-234ea46d-0ac0-4fca-afaa-64a870501137.png" width="300"><br> Maël Hörz's HxD Hex Editor<br> <img src="https://user-images.githubusercontent.com/11378310/221018836-62cbc8e4-4dbf-4eda-8892-82230db48c0f.png" width="300"><br>
References:
- Shell Link (.LNK) Binary File Format<br> The most important component of a link target namespace is a link target in the form of an item ID list (IDList)
- Serialized Property Store
- Shell Namespace
- Windows Data Types
- LnkSearchMachine<br> FileLocation: A VolumeID with an appended ObjectID, which together represent the location of a file at some point in time, though the file might no longer be there. FileLocation values are stored in droid (CDomainRelativeObjId) data structures.
- Note: Uses the following Libraries: