Analyzing LNK File and Jump List Artifacts

Overview

Windows LNK (shortcut) files and Jump Lists are critical forensic artifacts that provide evidence of file access, program execution, and user behavior. LNK files are created automatically when a user opens a file through Windows Explorer or the Open/Save dialog, storing metadata about the target file including its original path, timestamps, volume serial number, NetBIOS name, and MAC address of the host system. Jump Lists, introduced in Windows 7, extend this by maintaining per-application lists of recently and frequently accessed files. These artifacts persist even after the target files are deleted, making them invaluable for establishing that a user accessed specific files at specific times.

When to Use

When investigating security incidents that require analyzing lnk file and jump list artifacts
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

LECmd (Eric Zimmerman) for LNK file parsing
JLECmd (Eric Zimmerman) for Jump List parsing
Python 3.8+ with pylnk3 or LnkParse3 libraries
Forensic image or triage collection from Windows system
Timeline Explorer for CSV analysis

LNK File Locations

| Location | Description | |----------|-------------| | %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\ | Recent files accessed | | %USERPROFILE%\Desktop\ | User-created shortcuts | | %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\ | Start Menu shortcuts | | %USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent\ | Office recent documents |

LNK File Structure

Shell Link Header (76 bytes)

| Offset | Size | Field | |--------|------|-------| | 0x00 | 4 | HeaderSize (always 0x0000004C) | | 0x04 | 16 | LinkCLSID (always 00021401-0000-0000-C000-000000000046) | | 0x14 | 4 | LinkFlags | | 0x18 | 4 | FileAttributes | | 0x1C | 8 | CreationTime (FILETIME) | | 0x24 | 8 | AccessTime (FILETIME) | | 0x2C | 8 | WriteTime (FILETIME) | | 0x34 | 4 | FileSize of target | | 0x38 | 4 | IconIndex | | 0x3C | 4 | ShowCommand | | 0x40 | 2 | HotKey |

Key Forensic Fields in LNK Files

Target file timestamps: Creation, access, modification times of the referenced file
Volume information: Serial number, drive type, volume label
Network share information: UNC path, share name
Machine identifiers: NetBIOS name, MAC address (from TrackerDataBlock)
Distributed Link Tracking: Machine ID and object GUID

Analysis with EZ Tools

LECmd - LNK File Parser

# Parse all LNK files in Recent folder
LECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent" --csv C:\Output --csvf lnk_analysis.csv

# Parse a single LNK file with full details
LECmd.exe -f "C:\Evidence\Users\suspect\Desktop\Confidential.docx.lnk" --json C:\Output

# Parse LNK files with additional detail levels
LECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent" --csv C:\Output --csvf lnk_all.csv --all

JLECmd - Jump List Parser

# Parse Automatic Jump Lists
JLECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv C:\Output --csvf jumplists_auto.csv

# Parse Custom Jump Lists
JLECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations" --csv C:\Output --csvf jumplists_custom.csv

# Parse all jump lists with detailed output
JLECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv C:\Output --csvf jumplists_auto.csv --ld

Jump List Structure

Automatic Destinations (automaticDestinations-ms)

These are OLE Compound files (Structured Storage) identified by AppID hash in the filename:

| AppID Hash | Application | |-----------|-------------| | 5f7b5f1e01b83767 | Windows Explorer Pinned/Frequent | | 1b4dd67f29cb1962 | Windows Explorer Recent | | 9b9cdc69c1c24e2b | Notepad | | a7bd71699cd38d1c | Notepad++ | | 12dc1ea8e34b5a6 | Microsoft Paint | | 7e4dca80246863e3 | Control Panel | | 1cf97c38a5881255 | Microsoft Edge | | f01b4d95cf55d32a | Windows Explorer | | 9d1f905ce5044aee | Microsoft Excel | | a4a5324453625195 | Microsoft Word | | d00655d2aa12ff6d | Microsoft PowerPoint | | bc03160ee1a59fc1 | Outlook |

Custom Destinations (customDestinations-ms)

Created when users pin items to application jump lists. These files contain sequential LNK entries.

Python Analysis Script

import struct
import os
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)

def filetime_to_datetime(filetime_bytes: bytes) -> datetime:
    """Convert Windows FILETIME (100-ns intervals since 1601) to datetime."""
    ft = struct.unpack("<Q", filetime_bytes)[0]
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_lnk_header(lnk_path: str) -> dict:
    """Parse the Shell Link header from an LNK file."""
    with open(lnk_path, "rb") as f:
        header = f.read(76)

    header_size = struct.unpack("<I", header[0:4])[0]
    if header_size != 0x4C:
        return {"error": "Invalid LNK header"}

    link_flags = struct.unpack("<I", header[0x14:0x18])[0]
    file_attrs = struct.unpack("<I", header[0x18:0x1C])[0]

    result = {
        "header_size": header_size,
        "link_flags": hex(link_flags),
        "file_attributes": hex(file_attrs),
        "creation_time": filetime_to_datetime(header[0x1C:0x24]),
        "access_time": filetime_to_datetime(header[0x24:0x2C]),
        "write_time": filetime_to_datetime(header[0x2C:0x34]),
        "file_size": struct.unpack("<I", header[0x34:0x38])[0],
        "has_target_id_list": bool(link_flags & 0x01),
        "has_link_info": bool(link_flags & 0x02),
        "has_name": bool(link_flags & 0x04),
        "has_relative_path": bool(link_flags & 0x08),
        "has_working_dir": bool(link_flags & 0x10),
        "has_arguments": bool(link_flags & 0x20),
        "has_icon_location": bool(link_flags & 0x40),
    }
    return result

Investigation Use Cases

Evidence of File Access

Parse LNK files from Recent folder to identify accessed documents
Cross-reference with MFT timestamps and USN Journal entries
Note that LNK files persist even after target files are deleted

Removable Media Access

LNK files referencing drive letters E:, F:, G: indicate removable media usage
Volume serial number in LNK identifies the specific device
MAC address in TrackerDataBlock identifies the source machine

Network Share Activity

LNK files with UNC paths (\server\share) indicate network file access
NetBIOS name identifies the remote server
Timestamps establish when access occurred

Differences Between Windows 10 and Windows 11

Recent research (IEEE 2025) shows that Windows 11 produces different LNK and Jump List artifacts:

Fewer automatic LNK files generated for certain file types
Modified Jump List behavior for modern applications
UWP/MSIX applications may not generate traditional Jump Lists
Windows 11 Quick Access replaces some Recent functionality

References

Shell Link Binary File Format: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/
Magnet Forensics LNK Analysis: https://www.magnetforensics.com/blog/forensic-analysis-of-lnk-files/
Jump Lists Forensics 2025: https://www.cybertriage.com/blog/jump-list-forensics-2025/
Eric Zimmerman's LECmd/JLECmd: https://ericzimmerman.github.io/

Example Output

$ LECmd.exe -d "C:\Evidence\Users\jsmith\AppData\Roaming\Microsoft\Windows\Recent" --csv /analysis/lnk_output

LECmd v1.11.0 - LNK File Parser
================================

Processing 47 LNK files...

--- LNK File: Q4_Report.xlsx.lnk ---
  Source:           C:\Evidence\Users\jsmith\Recent\Q4_Report.xlsx.lnk
  Target Path:      C:\Users\jsmith\Downloads\Q4_Report.xlsm
  Target Created:   2024-01-15 14:33:45 UTC
  Target Modified:  2024-01-15 14:33:45 UTC
  Target Accessed:  2024-01-15 14:35:12 UTC
  File Size:        251,904 bytes
  Drive Type:       Fixed (C:)
  Volume Serial:    A4E7-3F21
  Machine ID:       DESKTOP-J5M1TH
  MAC Address:      48:2A:E3:5C:9B:01

--- LNK File: update_client.exe.lnk ---
  Source:           C:\Evidence\Users\jsmith\Recent\update_client.exe.lnk
  Target Path:      C:\ProgramData\Updates\update_client.exe
  Target Created:   2024-01-15 14:34:02 UTC
  Target Modified:  2024-01-15 14:34:02 UTC
  Target Accessed:  2024-01-15 14:36:30 UTC
  File Size:        1,258,496 bytes
  Drive Type:       Fixed (C:)
  Volume Serial:    A4E7-3F21
  Machine ID:       DESKTOP-J5M1TH
  Working Dir:      C:\ProgramData\Updates
  Arguments:        --silent --no-update-check
  Run Window:       Hidden

======================================================================

$ JLECmd.exe -d "C:\Evidence\Users\jsmith\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv /analysis/jumplist_output

JLECmd v1.5.0 - Jump List Parser
==================================

Processing 23 AutomaticDestinations files...

--- Application: Microsoft Excel (AppID: 12dc1ea8e34b5a6) ---
  Entries: 15
  Most Recent:
    Entry 0:  C:\Users\jsmith\Downloads\Q4_Report.xlsm         (2024-01-15 14:35:12 UTC)
    Entry 1:  \\FILESERV01\Finance\Budget_2024.xlsx             (2024-01-14 09:22:30 UTC)
    Entry 2:  C:\Users\jsmith\Documents\Expenses\Dec2023.xlsx   (2024-01-10 16:45:00 UTC)

--- Application: Windows Explorer (AppID: f01b4d95cf55d32a) ---
  Entries: 28
  Most Recent:
    Entry 0:  C:\ProgramData\Updates\                           (2024-01-15 14:36:25 UTC)
    Entry 1:  E:\Backup\                                        (2024-01-15 15:30:00 UTC)
    Entry 2:  \\FILESERV01\HR\Employees\                        (2024-01-15 16:12:45 UTC)

--- Application: cmd.exe (AppID: 9b9cdc69c1c24e2b) ---
  Entries: 5
  Most Recent:
    Entry 0:  C:\Windows\System32\cmd.exe                       (2024-01-15 14:36:00 UTC)

Summary:
  Total LNK files processed:    47
  Total Jump List entries:       156
  Suspicious artifacts:          3 (hidden window execution, USB drive access, network shares)
  CSV exported to:               /analysis/lnk_output/ and /analysis/jumplist_output/

Analyzing LNK File and Jump List Artifacts

Overview

When to Use

When investigating security incidents that require analyzing lnk file and jump list artifacts
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

LECmd (Eric Zimmerman) for LNK file parsing
JLECmd (Eric Zimmerman) for Jump List parsing
Python 3.8+ with pylnk3 or LnkParse3 libraries
Forensic image or triage collection from Windows system
Timeline Explorer for CSV analysis

LNK File Locations

LNK File Structure

Shell Link Header (76 bytes)

Key Forensic Fields in LNK Files

Target file timestamps: Creation, access, modification times of the referenced file
Volume information: Serial number, drive type, volume label
Network share information: UNC path, share name
Machine identifiers: NetBIOS name, MAC address (from TrackerDataBlock)
Distributed Link Tracking: Machine ID and object GUID

Analysis with EZ Tools

LECmd - LNK File Parser

# Parse all LNK files in Recent folder
LECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent" --csv C:\Output --csvf lnk_analysis.csv

# Parse a single LNK file with full details
LECmd.exe -f "C:\Evidence\Users\suspect\Desktop\Confidential.docx.lnk" --json C:\Output

# Parse LNK files with additional detail levels
LECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent" --csv C:\Output --csvf lnk_all.csv --all

JLECmd - Jump List Parser

# Parse Automatic Jump Lists
JLECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv C:\Output --csvf jumplists_auto.csv

# Parse Custom Jump Lists
JLECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations" --csv C:\Output --csvf jumplists_custom.csv

# Parse all jump lists with detailed output
JLECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv C:\Output --csvf jumplists_auto.csv --ld

Jump List Structure

Automatic Destinations (automaticDestinations-ms)

These are OLE Compound files (Structured Storage) identified by AppID hash in the filename:

Custom Destinations (customDestinations-ms)

Created when users pin items to application jump lists. These files contain sequential LNK entries.

Python Analysis Script

import struct
import os
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)

def filetime_to_datetime(filetime_bytes: bytes) -> datetime:
    """Convert Windows FILETIME (100-ns intervals since 1601) to datetime."""
    ft = struct.unpack("<Q", filetime_bytes)[0]
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_lnk_header(lnk_path: str) -> dict:
    """Parse the Shell Link header from an LNK file."""
    with open(lnk_path, "rb") as f:
        header = f.read(76)

    header_size = struct.unpack("<I", header[0:4])[0]
    if header_size != 0x4C:
        return {"error": "Invalid LNK header"}

    link_flags = struct.unpack("<I", header[0x14:0x18])[0]
    file_attrs = struct.unpack("<I", header[0x18:0x1C])[0]

    result = {
        "header_size": header_size,
        "link_flags": hex(link_flags),
        "file_attributes": hex(file_attrs),
        "creation_time": filetime_to_datetime(header[0x1C:0x24]),
        "access_time": filetime_to_datetime(header[0x24:0x2C]),
        "write_time": filetime_to_datetime(header[0x2C:0x34]),
        "file_size": struct.unpack("<I", header[0x34:0x38])[0],
        "has_target_id_list": bool(link_flags & 0x01),
        "has_link_info": bool(link_flags & 0x02),
        "has_name": bool(link_flags & 0x04),
        "has_relative_path": bool(link_flags & 0x08),
        "has_working_dir": bool(link_flags & 0x10),
        "has_arguments": bool(link_flags & 0x20),
        "has_icon_location": bool(link_flags & 0x40),
    }
    return result

Investigation Use Cases

Evidence of File Access

Parse LNK files from Recent folder to identify accessed documents
Cross-reference with MFT timestamps and USN Journal entries
Note that LNK files persist even after target files are deleted

Removable Media Access

LNK files referencing drive letters E:, F:, G: indicate removable media usage
Volume serial number in LNK identifies the specific device
MAC address in TrackerDataBlock identifies the source machine

Network Share Activity

LNK files with UNC paths (\server\share) indicate network file access
NetBIOS name identifies the remote server
Timestamps establish when access occurred

Differences Between Windows 10 and Windows 11

Recent research (IEEE 2025) shows that Windows 11 produces different LNK and Jump List artifacts:

Fewer automatic LNK files generated for certain file types
Modified Jump List behavior for modern applications
UWP/MSIX applications may not generate traditional Jump Lists
Windows 11 Quick Access replaces some Recent functionality

References

Shell Link Binary File Format: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/
Magnet Forensics LNK Analysis: https://www.magnetforensics.com/blog/forensic-analysis-of-lnk-files/
Jump Lists Forensics 2025: https://www.cybertriage.com/blog/jump-list-forensics-2025/
Eric Zimmerman's LECmd/JLECmd: https://ericzimmerman.github.io/

Example Output

$ LECmd.exe -d "C:\Evidence\Users\jsmith\AppData\Roaming\Microsoft\Windows\Recent" --csv /analysis/lnk_output

LECmd v1.11.0 - LNK File Parser
================================

Processing 47 LNK files...

--- LNK File: Q4_Report.xlsx.lnk ---
  Source:           C:\Evidence\Users\jsmith\Recent\Q4_Report.xlsx.lnk
  Target Path:      C:\Users\jsmith\Downloads\Q4_Report.xlsm
  Target Created:   2024-01-15 14:33:45 UTC
  Target Modified:  2024-01-15 14:33:45 UTC
  Target Accessed:  2024-01-15 14:35:12 UTC
  File Size:        251,904 bytes
  Drive Type:       Fixed (C:)
  Volume Serial:    A4E7-3F21
  Machine ID:       DESKTOP-J5M1TH
  MAC Address:      48:2A:E3:5C:9B:01

--- LNK File: update_client.exe.lnk ---
  Source:           C:\Evidence\Users\jsmith\Recent\update_client.exe.lnk
  Target Path:      C:\ProgramData\Updates\update_client.exe
  Target Created:   2024-01-15 14:34:02 UTC
  Target Modified:  2024-01-15 14:34:02 UTC
  Target Accessed:  2024-01-15 14:36:30 UTC
  File Size:        1,258,496 bytes
  Drive Type:       Fixed (C:)
  Volume Serial:    A4E7-3F21
  Machine ID:       DESKTOP-J5M1TH
  Working Dir:      C:\ProgramData\Updates
  Arguments:        --silent --no-update-check
  Run Window:       Hidden

======================================================================

$ JLECmd.exe -d "C:\Evidence\Users\jsmith\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv /analysis/jumplist_output

JLECmd v1.5.0 - Jump List Parser
==================================

Processing 23 AutomaticDestinations files...

--- Application: Microsoft Excel (AppID: 12dc1ea8e34b5a6) ---
  Entries: 15
  Most Recent:
    Entry 0:  C:\Users\jsmith\Downloads\Q4_Report.xlsm         (2024-01-15 14:35:12 UTC)
    Entry 1:  \\FILESERV01\Finance\Budget_2024.xlsx             (2024-01-14 09:22:30 UTC)
    Entry 2:  C:\Users\jsmith\Documents\Expenses\Dec2023.xlsx   (2024-01-10 16:45:00 UTC)

--- Application: Windows Explorer (AppID: f01b4d95cf55d32a) ---
  Entries: 28
  Most Recent:
    Entry 0:  C:\ProgramData\Updates\                           (2024-01-15 14:36:25 UTC)
    Entry 1:  E:\Backup\                                        (2024-01-15 15:30:00 UTC)
    Entry 2:  \\FILESERV01\HR\Employees\                        (2024-01-15 16:12:45 UTC)

--- Application: cmd.exe (AppID: 9b9cdc69c1c24e2b) ---
  Entries: 5
  Most Recent:
    Entry 0:  C:\Windows\System32\cmd.exe                       (2024-01-15 14:36:00 UTC)

Summary:
  Total LNK files processed:    47
  Total Jump List entries:       156
  Suspicious artifacts:          3 (hidden window execution, USB drive access, network shares)
  CSV exported to:               /analysis/lnk_output/ and /analysis/jumplist_output/

Adoption

seikaikyo/analyzing-lnk-file-and-jump-list-artifacts

$ install --global

Security Scan Results

SKILL.md

Analyzing LNK File and Jump List Artifacts

Overview

When to Use

Prerequisites

LNK File Locations

LNK File Structure

Shell Link Header (76 bytes)

Key Forensic Fields in LNK Files

Analysis with EZ Tools

LECmd - LNK File Parser

JLECmd - Jump List Parser

Jump List Structure

Automatic Destinations (automaticDestinations-ms)

Custom Destinations (customDestinations-ms)

Python Analysis Script

Investigation Use Cases

Evidence of File Access

Removable Media Access

Network Share Activity

Differences Between Windows 10 and Windows 11

References

Example Output

Related Skills

seikaikyo/implementing-zero-knowledge-proof-for-authentication

seikaikyo/implementing-web-application-logging-with-modsecurity

seikaikyo/implementing-vulnerability-sla-breach-alerting

seikaikyo/implementing-vulnerability-remediation-sla

seikaikyo/analyzing-lnk-file-and-jump-list-artifacts

$ install --global

Security Scan Results

SKILL.md

Analyzing LNK File and Jump List Artifacts

Overview

When to Use

Prerequisites

LNK File Locations

LNK File Structure

Shell Link Header (76 bytes)

Key Forensic Fields in LNK Files

Analysis with EZ Tools

LECmd - LNK File Parser

JLECmd - Jump List Parser

Jump List Structure

Automatic Destinations (automaticDestinations-ms)

Custom Destinations (customDestinations-ms)

Python Analysis Script

Investigation Use Cases

Evidence of File Access

Removable Media Access

Network Share Activity

Differences Between Windows 10 and Windows 11

References

Example Output

Related Skills

seikaikyo/implementing-zero-knowledge-proof-for-authentication

seikaikyo/implementing-web-application-logging-with-modsecurity

seikaikyo/implementing-vulnerability-sla-breach-alerting

seikaikyo/implementing-vulnerability-remediation-sla