Automatic/Custom Destinations & LNK (ShellLNK) Browser
==> Latest version <==
Dependencies:
- Operating system: Microsoft Windows 10+ 64 Bit
- .NET Framework 4.8
- Powershell Version: 5.1
Supports:
- Link: (.lnk) shortcut files
- Frequent Places Lists: '.customDestinations-ms' and '.automaticDestinations-ms' files
- Raw image files: '.001', '.raw','.dd', '.img', '.ima' via the 'Open File' dialog - (carves and shows .lnk files and their offsets)
- Current User (HKCU) keys which contain Shellink items:
- 'Software\Microsoft\Windows\Shell\BagMRU'
- 'Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32':
- 'OpenSavePidlMRU'
- 'LastVisitedPidlMRU'
- 'LastVisitedPidlMRULegacy'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\TWinUI\FilePicker\LastVisitedPidlMRU'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\Streams'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery'
- 'Software\Microsoft\Windows\CurrentVersion\Search'
- 'JumplistData' &
- 'RecentApps'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband':
- Favorites'
- 'FavoritesResolve'
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2':
- 'Favorites'
- 'FavoritesResolve'
- 'ProgramsCache'
- 'ProgramsCacheSMP'
- 'ProgramsCacheTBP'
- 'Software\Microsoft\Windows\CurrentVersion\Lock Screen' (Lock screen background image(s))
Features:
- Shows the 64-bit file size (when a target file size is greater than 4Gb (0xFFFFFFFF))
(DWORD nFileSizeHigh + DWORD nFileSizeLow) - Shows Reparse Point Tags & their description
- Shows customDestinations 'CustomCategory' titles
- Shows Pin Entry (item order) number of pinned items in automaticDestinations-ms
- Shows Quick Access position (item order) in automaticDestinations-ms
- Supports the 'DestListPropertyStore' stream in automaticDestinations-ms
- Supports PropertyStore extensions in automaticDestinations-ms 'DestList' stream entries
- Shows Serialized Property descriptions for most FormatID/PropertyID combinations
- Shows the Application name for known CRC64 hashes in Destinations-ms files
- Resolves CLSIDs, SIDs, File Attribute & SFGAO flags, Stock Icon IDs, MAC address/manufacturer etc
- Single executable (x64) => can be used with Arsenal Image Mounter & Virtual machines
- Can export to .JSON
Sample screenshots:
In 'automaticDestinations-ms' files, with the exception of Windows Control Panel, Windows Explorer and Quick Access, entries usually include a 'Hint' on which Application they are related to. These 'hints' are seen in the last IDlist entry (type [32] (File)):
either indirectly:
MPC-HC (Media Player Classic - Home Cinema):
MS Excel:
Edge Browser:
(the "AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723" type entries can be looked up in:
'HKLM::Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs')
or Directly:
Windows Wordpad:
Modern CSV:
Maël Hörz's HxD Hex Editor
References:
- Shell Link (.LNK) Binary File Format
The most important component of a link target namespace is a link target in the form of an item ID list (IDList) - Serialized Property Store
- Shell Namespace
- Windows Data Types
- LnkSearchMachine
FileLocation: A VolumeID with an appended ObjectID, which together represent the location of a file at some point in time, though the file might no longer be there. FileLocation values are stored in droid (CDomainRelativeObjId) data structures.
- Note: Uses the following Libraries: