automatic-destinations-file
Parses LNK (shortcut) entries from Windows Automatic Destinations files to retrieve recently used file records. Automatic Destinations files store the automatic entries of Jump Lists as OLE compound files on Windows 7 and later, located in the %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations directory.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Not supported |
Syntax
Options
- zippath=STR: Path to the ZIP file. Specify this option when the target file is inside a ZIP archive.
- zipcharset=STR: Character set for ZIP entry names. Default: utf-8
- codepage=STR: Windows default code page used to decode ANSI strings inside LNK files. Default: euc-kr
Target
- FILE_PATH: Path to the Automatic Destinations file. Use a wildcard (`*`) to process multiple files at once. When used with the zippath option, specify the path inside the ZIP file.
Output fields
| Field | Type | Description |
|---|---|---|
| _file | string | Name of the original Automatic Destinations file |
| app_id | string | Application name, looked up from the App ID in the file name |
| file_ctime | timestamp | Creation time of the original file |
| file_mtime | timestamp | Modification time of the original file |
| file_atime | timestamp | Access time of the original file |
| target_file_size | long | Target file size in bytes |
| target_file_attrs | array | List of target file attributes. Possible values: READONLY, HIDDEN, SYSTEM, DIRECTORY, ARCHIVE, DEVICE, NORMAL, TEMPORARY, SPARSE_FILE, REPARSE_POINT, COMPRESSED, OFFLINE, NOT_CONTENT_INDEXED, ENCRYPTED, VIRTUAL |
| target_file_ctime | timestamp | Creation time of the target file |
| target_file_mtime | timestamp | Modification time of the target file |
| target_file_atime | timestamp | Access time of the target file |
| drive_serial | long | Volume serial number |
| drive_type | string | Drive type. One of DRIVE_UNKNOWN, DRIVE_NO_ROOT_DIR, DRIVE_REMOVABLE, DRIVE_FIXED, DRIVE_REMOTE, DRIVE_CDROM, DRIVE_RAMDISK |
| volume_label | string | Volume label |
| local_path | string | Local path to the target file (ANSI) |
| local_path_unicode | string | Local path to the target file (Unicode) |
| net_name | string | Network share name |
| common_path_suffix | string | Common path suffix |
| show_window | string | Window display mode. For example: SHOW_NORMAL, SHOW_MAXIMIZED, SHOW_MINIMIZED |
| shortcut_name | string | Shortcut name |
| working_dir | string | Working directory path |
| relative_path | string | Relative path |
| cmd_args | string | Command-line arguments |
| icon_location | string | Icon location |
| hot_key | string | Keyboard shortcut combination |
Error codes
Parse errors
N/A
Runtime errors
| Error code | Message | Description | Post-action |
|---|---|---|---|
| - | cannot read automatic destinations file [FILE_PATH] | An error occurred while reading or parsing the file | Query aborted |
Description
The automatic-destinations-file command parses Windows Automatic Destinations files as OLE compound files and retrieves the LNK (shortcut) entries stored inside them. A single Automatic Destinations file can contain multiple LNK entries, and each entry is output as one record.
The command extracts the App ID from the file name and looks it up in the built-in App ID mapping table. If a match is found, the application name is assigned to the app_id field.
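To show where several of the output fields come from, the following added example (not the command's own code) decodes the fixed 76-byte ShellLinkHeader defined in MS-SHLLINK, which begins every LNK entry. The function names and the sample header are constructed for illustration, and the mapping of show command value 7 to SHOW_MINIMIZED is an assumption about how the command labels it.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# FILE_ATTRIBUTE_* bits, named as in the target_file_attrs field
ATTRS = {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM", 0x10: "DIRECTORY",
         0x20: "ARCHIVE", 0x40: "DEVICE", 0x80: "NORMAL", 0x100: "TEMPORARY",
         0x200: "SPARSE_FILE", 0x400: "REPARSE_POINT", 0x800: "COMPRESSED",
         0x1000: "OFFLINE", 0x2000: "NOT_CONTENT_INDEXED", 0x4000: "ENCRYPTED",
         0x10000: "VIRTUAL"}
SHOW = {1: "SHOW_NORMAL", 3: "SHOW_MAXIMIZED", 7: "SHOW_MINIMIZED"}  # 7: assumed label

def filetime(ft):
    """Convert FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means not set."""
    if ft == 0:
        return None
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=ft // 10)

def parse_lnk_header(data):
    """Decode the ShellLinkHeader; reject data that is not a shell link."""
    if len(data) < 76:
        raise ValueError("truncated LNK header")
    (size, clsid, _flags, attrs, ctime, atime, mtime,
     fsize, _icon, show, _hotkey) = struct.unpack_from("<I16sIIQQQIiIH", data, 0)
    if size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a shell link header")
    return {
        "target_file_attrs": [n for bit, n in ATTRS.items() if attrs & bit],
        "target_file_ctime": filetime(ctime),
        "target_file_atime": filetime(atime),
        "target_file_mtime": filetime(mtime),
        "target_file_size": fsize,
        # MS-SHLLINK: any other value is treated as the normal window state
        "show_window": SHOW.get(show, "SHOW_NORMAL"),
    }

def sample_header():
    """Constructed header: HIDDEN|ARCHIVE, 4096 bytes, access time unset."""
    ft = 132223104000000000  # 2020-01-01T00:00:00Z as FILETIME
    return struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID.bytes_le, 0,
                       0x22, ft, 0, ft, 4096, 0, 3, 0, 0, 0, 0)

if __name__ == "__main__":
    print(parse_lnk_header(sample_header()))
```

An all-zero timestamp decodes to no value rather than 1601-01-01, which matters when sorting entries into a timeline.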
Examples
- Querying a single Automatic Destinations file

  `automatic-destinations-file C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms`

  Retrieves LNK entries from the specified Automatic Destinations file.

- Querying multiple files with a wildcard

  `automatic-destinations-file C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\*.automaticDestinations-ms`

  Retrieves all Automatic Destinations files in the AutomaticDestinations directory.

- Querying a file inside a ZIP archive

  `automatic-destinations-file zippath=D:\evidence\artifacts.zip AutomaticDestinations\*.automaticDestinations-ms`

  Retrieves Automatic Destinations files from inside a ZIP archive.

- Querying with a specified code page

  `automatic-destinations-file codepage=utf-8 C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\*.automaticDestinations-ms`

  Decodes ANSI strings using the utf-8 code page.

- Filtering recently used files for a specific application

  `automatic-destinations-file C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\*.automaticDestinations-ms | search app_id == "Microsoft Word"`

  Filters entries where the application name is Microsoft Word.