Windows 10 and Jump Lists  

ssenyl
(@ssenyl)
Junior Member

You may know that Jump Lists are a pet favourite of mine…or perhaps not…but in either case I just wanted to share that I am in the process of looking at the Tech Preview of Windows 10 and have noticed that the 'DestList' element within the (AutomaticDestinations) Jump List for Windows Explorer has a slightly different structure to those present in Windows 7 and Windows 8.

I plan to try and figure out what the differences are and will gladly share what I find.

Posted : 06/01/2015 9:28 pm
keydet89
(@keydet89)
Community Legend

What makes you say that there's a difference?

Posted : 21/01/2015 7:41 am
Bulldawg
(@bulldawg)
Active Member

Great, thanks. I've been running Windows 10 preview for a while, but haven't torn into it yet because I assume so much will change between now and release. Never a bad thing to acquire more information, however.

Posted : 21/01/2015 10:02 pm
keydet89
(@keydet89)
Community Legend

Generally, not a great deal changes with respect to forensic artifacts. In some cases, such as Win7 -> Win8, some new ones were added, but not many changed, per se.

Posted : 22/01/2015 5:11 am
keydet89
(@keydet89)
Community Legend

Hhhmm…still nothing from the OP…

Posted : 24/01/2015 5:36 pm
ssenyl
(@ssenyl)
Junior Member

Sorry for the delayed response, Harlan.

I decided to have a look at Windows 10, just to see if there was anything major that leapt out at me that could prove useful in the whole 'Find Evidence' saga that we all go through.

I decided to start with Jump Lists purely because of my previous work (I did the same with Windows 8 but found no changes that time).

I am still working on it, but there are definitely some changes in the structure of the DestList element inside the AutomaticDestinations Jump Lists.

They are still Compound Binary files and the individual entries appear to still be structured as per the Shortcut (link) file spec.

The 'access counter' is in a different position, and the first four bytes are now '0x02 0x00 0x00 0x00' (as opposed to 0x01 0x00 0x00 0x00). So that blows my theory from my previous work out of the water that the first four bytes were the Entry Id for the first entry. Considering that there was no change to the format in Windows 8, I am now going with the thought that the first four bytes are a version number.

Once I have finished taking it apart, I will gladly share what I find.

Posted : 26/01/2015 9:28 pm
ssenyl
(@ssenyl)
Junior Member

Hi all,

I haven't really had a great deal of time to spare recently, but just as a bit of a follow up from my previous posts, these are the changes that I have seen to the structure of the DestList element within Windows 10 Jump Lists.

HEADER
Offset Description
0 - 3 Appears to start at 2. Maybe this is a version number and not the first entry ID, as I previously wrote with regard to Windows 7?
4 - 7 Total number of current entries in list
8 - 11 Total Number of pinned entries
12 - 15 Counter? In a series of tests with Notepad this was all 0x00. In File Explorer immediately after install 0xAE 0xC7 0x96 0x42 (as float = 75.39)
16 - 23 Last issued Entry ID number
24 - 31 NYK. In a Notepad test, 3 files were opened but the value is 0x06. After 6 files opened value = 0C (12). Seems to be double the number of files in the list. Also increments as entries are pinned, deleted and opened
ENTRIES
0 - 7 A checksum or hash of the entry. Not known what type
8 - 23 New Volume ID
24 - 39 Object ID
40 - 55 Birth Volume ID
56 - 71 Object ID
72 - 87 NetBIOS name padded with zeros to max length 16
88 - 91 Entry ID Number
92 - 99 NYK. In notepad test 0x00
100 - 107 MSFILETIME of last recorded access
108 - 111 Entry 'pin' status '0xFF 0xFF 0xFF 0xFF' = Unpinned. Otherwise a counter starting at '0x00 0x00 0x00 0x00'.
112 - 115 NYK. In notepad test and file explorer '0xFF 0xFF 0xFF 0xFF'
116 - 119 NYK. In Notepad test and File Explorer '0x01 0x00 0x00 0x00'. Access count? Changed to 0x02 when TEST_1 and TEST_5 opened for second time. Consistently increments as files re-opened. Seems to be a counter
120 - 127 NYK. In notepad test and file explorer 0x00
128 - 129 Length of Unicode entry string data
130 - Entry string data. FOLLOWED BY 0x00 0x00 0x00 0x00

For the sake of comparison, here is the structure I reported for Windows 7

HEADER
Offset Description
0 - 3 First Issued Entry ID. Appears to always start at 1
4 - 7 Total number of current entries in list
8 - 11 Total Number of pinned entries
12 - 15 Floating Point value. Some kind of counter. Initial value is 0x00 0x00 0x80 0x3F (=1) (For Windows Explorer 0x66 0x66 0x76 0x41 (=15.4)). Increments as new entries are added. Removing an entry from the Jump List causes the value to decrement.
16 - 23 Last issued Entry ID number
24 - 31 Number of Add/Delete actions
ENTRIES
0 - 7 A checksum or hash of the entry. Not known what type
8 - 23 New Volume ID
24 - 39 Object ID
40 - 55 Birth Volume ID
56 - 71 Object ID
72 - 87 NetBIOS name padded with zeros to max length 16
88 - 95 Entry ID number
96 - 99 Floating point counter to record each time the file is accessed (not necessarily opened).
100 - 107 MSFILETIME of last recorded access
108 - 111 Entry 'pin' status '0xFF 0xFF 0xFF 0xFF' = Unpinned. Otherwise a counter starting at '0x00 0x00 0x00 0x00'.
112 -113 Length of Unicode entry string data
114 - Entry String data

I will say that I have not had much chance to perform any further tests, and the VM I set up with the Technical Preview ISO is in VMware Workstation 10 (which doesn't technically support Windows 10, but I was able to get a running VM when I installed it as Windows 8). So perhaps all this is nonsense and the structure hasn't changed at all!

When (or if) I get the chance to get my hands on a full version of Windows 10 I do plan to verify what I have found.

Appreciate any feedback/comments, but please be gentle…I've had a rough couple of months.

Posted : 11/04/2015 3:01 am
topin89
(@topin89)
New Member

For Windows 10 entries, at least, offset 120 may be a hide flag.

When I choose "Remove from Quick Access" in Quick Access Recent Files in Explorer for a file, offset 120 for that file became 0x01 in 5f7b5f1e01b83767.automaticDestinations-ms.

When I manually changed this byte to 0x01 for another file, that file disappeared from Quick Access Recent Files in Explorer.

Posted : 22/12/2018 6:54 pm
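The following parser is an added example, not code posted by anyone in this thread. It implements the two DestList layouts tabulated in the 11/04/2015 post (version field 1 for the Windows 7 layout, 2 for the Windows 10 Technical Preview layout) and also reads offset 120 of each Windows 10 entry as the hide flag described in the 22/12/2018 post. Its assumptions: the DestList stream has already been extracted from the compound file (for example with olefile, which it does not call); any version number other than 1 or 2 is rejected rather than guessed at; the two-byte length field counts UTF-16 code units, not bytes; and offset 120 is a single byte where 0x01 means hidden. `build_sample` produces constructed streams for testing only; the paths, NetBIOS name, IDs and timestamp in it are made up and come from no real system.

```python
"""Parse the DestList stream of an *.automaticDestinations-ms Jump List.

Byte layouts follow the Windows 7 (version 1) and Windows 10 Technical
Preview (version 2) tables reported in the thread; the hide flag at entry
offset 120 follows topin89's observation. Added example, not thread code.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_FMT = "<IIIfQQ"            # stream offsets 0-31
COMMON_FMT = "<Q16s16s16s16s16s"  # entry offsets 0-87, identical in both layouts
V1_TAIL_FMT = "<QfQiH"            # Win7 entry offsets 88-113
V2_TAIL_FMT = "<I8sQiiIB7sH"      # Win10 entry offsets 88-129
V2_TRAILER = 4                    # Win10 string data is followed by four 0x00 bytes
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return _EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Exact integer inverse of filetime_to_datetime (used by build_sample)."""
    d = dt - _EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_destlist(data):
    """Return (header dict, list of entry dicts) for one DestList stream."""
    version, count, pinned, counter, last_id, actions = struct.unpack_from(HEADER_FMT, data, 0)
    if version not in (1, 2):
        raise ValueError(f"unsupported DestList version {version}")
    header = {"version": version, "entries": count, "pinned": pinned,
              "counter": counter, "last_entry_id": last_id, "actions": actions}
    entries, pos = [], struct.calcsize(HEADER_FMT)
    for _ in range(count):
        checksum, new_vol, obj_id, birth_vol, birth_obj, netbios = struct.unpack_from(COMMON_FMT, data, pos)
        pos += struct.calcsize(COMMON_FMT)
        entry = {"checksum": checksum, "new_volume_id": new_vol.hex(), "object_id": obj_id.hex(),
                 "birth_volume_id": birth_vol.hex(), "birth_object_id": birth_obj.hex(),
                 "netbios_name": netbios.rstrip(b"\x00").decode("ascii", "replace")}
        if version == 1:
            # Win7: 8-byte entry ID, float access counter, no hide flag
            entry_id, access, ft, pin, slen = struct.unpack_from(V1_TAIL_FMT, data, pos)
            pos += struct.calcsize(V1_TAIL_FMT)
            entry["hidden"] = False
        else:
            # Win10: 4-byte entry ID, uint32 access counter at 116, hide byte at 120
            entry_id, _u1, ft, pin, _u2, access, hide, _u3, slen = struct.unpack_from(V2_TAIL_FMT, data, pos)
            pos += struct.calcsize(V2_TAIL_FMT)
            entry["hidden"] = hide == 1   # assumption: 0x01 == "Remove from Quick Access"
        # Assumption: the length field counts UTF-16 code units, not bytes.
        path = data[pos:pos + 2 * slen].decode("utf-16-le")
        pos += 2 * slen + (V2_TRAILER if version == 2 else 0)
        entry.update({"entry_id": entry_id, "access_count": access,
                      "last_access": filetime_to_datetime(ft),
                      "pinned": pin != -1,             # 0xFFFFFFFF == unpinned
                      "pin_index": None if pin == -1 else pin, "path": path})
        entries.append(entry)
    return header, entries


def build_sample(version):
    """Constructed (not real) DestList stream with two entries in the given layout."""
    paths = ["C:\\Users\\test\\TEST_1.txt", "C:\\Users\\test\\TEST_5.txt"]   # made up
    ft = datetime_to_filetime(datetime(2015, 1, 26, 21, 28, tzinfo=timezone.utc))
    out = struct.pack(HEADER_FMT, version, len(paths), 0, 0.0, len(paths), 2 * len(paths))
    for i, path in enumerate(paths, start=1):
        common = struct.pack(COMMON_FMT, 0x1122334455667788, b"\x01" * 16, b"\x02" * 16,
                             b"\x03" * 16, b"\x04" * 16, b"WIN10-TP".ljust(16, b"\x00"))
        if version == 1:
            tail, trailer = struct.pack(V1_TAIL_FMT, i, 2.0, ft, -1, len(path)), b""
        else:
            hide = 1 if i == 2 else 0   # second entry "removed from Quick Access"
            tail = struct.pack(V2_TAIL_FMT, i, b"\x00" * 8, ft, -1, -1, 2, hide, b"\x00" * 7, len(path))
            trailer = b"\x00" * V2_TRAILER
        out += common + tail + path.encode("utf-16-le") + trailer
    return out


if __name__ == "__main__":
    for v in (1, 2):
        hdr, ents = parse_destlist(build_sample(v))
        print(hdr)
        for e in ents:
            print(f"  id={e['entry_id']} hidden={e['hidden']} access={e['access_count']} {e['path']}")
```

When run on a real stream, compare the header's entry count with the number of entries the loop actually consumed: a mismatch means the layout differs from the two tabulated here, and the remaining bytes should be examined by hand rather than trusted.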