Introducing JLECmd! (by Eric Zimmerman)ģ. Jump Lists In Depth (by Eric Zimmerman)Ģ. The AppID master list is a work in progress and will likely be updated occasionally throughout its life cycle.ġ. You have more information to work with now. Obviously, this is a very simple example, but you get the idea. dwg drawing files), you might be able to conclude that the jumplist belongs to an AutoCAD-related program. automaticDestinations-ms file that has an unknown AppID and you see that the LNK files contained within it all point to a specific file type (say, AutoCAD.
So, for example, if you have a jump list.
Note that with the release of Eric Zimmerman's JLECmd (Jump List Explorer Command Line), an investigator can gain better insight into the applications for which the jump list files were generated.Īs Eric explains in his Jump Lists In-Depth post, jump lists are (more or less) collections of LNK files. With that, you can find the AppID master list at the bottom of this post: If you want to learn more about how the AppID is actually generated, I highly recommend that you read through Hexacorn's blog post here. This is because when the newer version is installed (and then run), it is doing so from the same location as the old version was, which causes the AppID to remain the same among different versions. If we take a look at a more recent version (12.3.2.35), we can see that the AppID has remained the same. As an example, if we take a look at iTunes, we'll see that iTunes 9.0.0.70 has an AppID of 83b03b46dcd30a0e I tested and verified that in 2011. This essentially means that the AppID will stay the same. Many of these applications retain their default installation location as they are updated to new versions. In the AppID list, you will notice a few entries containing multiple versions of applications. with 9b9cdc69c1c24e2b being the AppID for 64-bit Notepad. In this case, that file is named:Ĭ:\Users\4n6k\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\ tomaticDestinations-ms automaticDestinations-ms files are generated are:īoth of these methods will show you the application's jump list, thereby generating/modifying the application's. Either way, you need to have some kind of starting information to come back with an answer.Īs we already know, two ways in which the. automaticDestinations-ms files or (b) know the executable's absolute path and use Hexacorn's AppID Calculator.
And, at this point in the game, the only way to know that is to either (a) manually generate the. The catch is that you need to know which AppIDs will be generated for certain applications. Jump lists provide additional avenues in determining which applications were run on the system, the paths from which they were run, and the files recently used by them.
AppID) that will be included in the name of the. With that, I've recently added over 100 more unique application AppIDs and combined them into one list.Īs a refresher, each application (depending on the executable's path and filename) will have a unique Application ID (i.e. The AppID lists I created in 2011 have been useful to me in the past, so I decided to expand them.
#Mozbackup 1.5.2 beta 1 windows#
These two posts covered jump list basics and focused mainly on how each application that is run on a Windows machine has the potential to generate a % uniqueAppID%.automaticDestinations-ms file in the C:\Users\% user%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\ directory. TL DR: The list of 400+ manually generated Jump List application IDs can be found at the bottom of this post.Ībout 5 years ago, I wrote two blog posts related to Windows Jump Lists.