custom-destinations-file
Parses LNK (shortcut) entries from Windows Custom Destinations files to retrieve user-pinned file records. Custom Destinations files store user-defined Jump List entries on Windows 7 and later, located in the %APPDATA%\Microsoft\Windows\Recent\CustomDestinations directory.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Not supported |
Syntax
Options
- zippath=STR: Path to the ZIP file. Specify this option when the target file is inside a ZIP archive.
- zipcharset=STR: Character set for ZIP entry names. Default: utf-8
- codepage=STR: Windows default code page used to decode ANSI strings inside LNK files. Default: euc-kr
Target
- FILE_PATH: Path to the Custom Destinations file. Use a wildcard (*) to process multiple files at once. When used with the zippath option, specify the path inside the ZIP file.
Output fields
| Field | Type | Description |
|---|---|---|
| _file | string | Name of the original Custom Destinations file |
| app_id | string | Application name, looked up from the App ID in the file name |
| file_ctime | timestamp | Creation time of the original file |
| file_mtime | timestamp | Modification time of the original file |
| file_atime | timestamp | Access time of the original file |
| target_file_size | long | Target file size in bytes |
| target_file_attrs | array | List of target file attributes. Possible values: READONLY, HIDDEN, SYSTEM, DIRECTORY, ARCHIVE, DEVICE, NORMAL, TEMPORARY, SPARSE_FILE, REPARSE_POINT, COMPRESSED, OFFLINE, NOT_CONTENT_INDEXED, ENCRYPTED, VIRTUAL |
| target_file_ctime | timestamp | Creation time of the target file |
| target_file_mtime | timestamp | Modification time of the target file |
| target_file_atime | timestamp | Access time of the target file |
| drive_serial | long | Volume serial number |
| drive_type | string | Drive type. One of DRIVE_UNKNOWN, DRIVE_NO_ROOT_DIR, DRIVE_REMOVABLE, DRIVE_FIXED, DRIVE_REMOTE, DRIVE_CDROM, DRIVE_RAMDISK |
| volume_label | string | Volume label |
| local_path | string | Local path to the target file (ANSI) |
| local_path_unicode | string | Local path to the target file (Unicode) |
| net_name | string | Network share name |
| common_path_suffix | string | Common path suffix |
| show_window | string | Window display mode. For example: SHOW_NORMAL, SHOW_MAXIMIZED, SHOW_MINIMIZED |
| shortcut_name | string | Shortcut name |
| working_dir | string | Working directory path |
| relative_path | string | Relative path |
| cmd_args | string | Command-line arguments |
| icon_location | string | Icon location |
| hot_key | string | Keyboard shortcut combination |
Error codes
Parse errors
N/A
Runtime errors
| Error code | Message | Description | Post-action |
|---|---|---|---|
| - | cannot read custom destinations file [FILE_PATH] | An error occurred while reading or parsing the file | Query aborted |
Description
The custom-destinations-file command parses Windows Custom Destinations files and retrieves the LNK (shortcut) entries stored inside them. Unlike Automatic Destinations files, which use the OLE compound file format, Custom Destinations files are stored in binary format. The command searches for LNK signatures to extract each entry. A single Custom Destinations file can contain multiple LNK entries, and each entry is output as one record.
The command extracts the App ID from the file name and looks it up in the built-in App ID mapping table. If a match is found, the application name is assigned to the app_id field.
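The signature search described above can be sketched in Python. This is an added example, not the command's own code: it scans a byte buffer for the ShellLinkHeader signature defined in MS-SHLLINK and decodes only the fixed 76-byte header into a few of the output fields listed on this page. The function names and the sample buffer are hypothetical and constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Start of a ShellLinkHeader (MS-SHLLINK): HeaderSize 0x4C, then the LinkCLSID.
LNK_SIG = bytes.fromhex("4c0000000114020000000000c000000000000046")
HEADER = struct.Struct("<I16sII3QIiIH10x")  # fixed 76-byte ShellLinkHeader
ATTRS = {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM", 0x10: "DIRECTORY",
         0x20: "ARCHIVE", 0x40: "DEVICE", 0x80: "NORMAL", 0x100: "TEMPORARY",
         0x200: "SPARSE_FILE", 0x400: "REPARSE_POINT", 0x800: "COMPRESSED",
         0x1000: "OFFLINE", 0x2000: "NOT_CONTENT_INDEXED", 0x4000: "ENCRYPTED",
         0x10000: "VIRTUAL"}

def filetime(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means unset."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def carve_lnk_headers(data):
    """Yield one record per LNK signature found in the buffer."""
    pos = data.find(LNK_SIG)
    while pos != -1:
        if pos + HEADER.size <= len(data):  # ignore a header cut off at end of file
            (_size, _clsid, _flags, attrs, ctime, atime, mtime,
             fsize, _icon, _show, _hotkey) = HEADER.unpack_from(data, pos)
            yield {"offset": pos,
                   "target_file_size": fsize,
                   "target_file_attrs": [n for bit, n in ATTRS.items() if attrs & bit],
                   "target_file_ctime": filetime(ctime),
                   "target_file_atime": filetime(atime),
                   "target_file_mtime": filetime(mtime)}
        pos = data.find(LNK_SIG, pos + 1)

def sample_header(attrs, size, ft):
    """Build a bare 76-byte header for the constructed sample below."""
    return HEADER.pack(0x4C, LNK_SIG[4:], 0, attrs, ft, ft, ft, size, 0, 1, 0)

# Constructed sample: filler bytes around two bare headers plus one truncated
# signature. It is not a real .customDestinations-ms file and has no link body.
FT_2020 = 132223104000000000  # 2020-01-01T00:00:00Z expressed as FILETIME
SAMPLE = (b"\x00\x11\x22\x33" + sample_header(0x20, 1024, FT_2020)
          + b"\x00\x11\x22\x33" + sample_header(0x21, 2048, 0)
          + LNK_SIG + b"\x00" * 8)

if __name__ == "__main__":
    for record in carve_lnk_headers(SAMPLE):
        print(record)
```

A signature match alone does not prove a valid entry, so a production parser would also validate the structures that follow the header before emitting a record.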
Examples
- Querying a single Custom Destinations file

  ```
  custom-destinations-file C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f01b4d95cf55d32a.customDestinations-ms
  ```

  Retrieves LNK entries from the specified Custom Destinations file.

- Querying multiple files with a wildcard

  ```
  custom-destinations-file C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\*.customDestinations-ms
  ```

  Retrieves all Custom Destinations files in the CustomDestinations directory.

- Querying a file inside a ZIP archive

  ```
  custom-destinations-file zippath=D:\evidence\artifacts.zip CustomDestinations\*.customDestinations-ms
  ```

  Retrieves Custom Destinations files from inside a ZIP archive.

- Querying with a specified code page

  ```
  custom-destinations-file codepage=utf-8 C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\*.customDestinations-ms
  ```

  Decodes ANSI strings using the utf-8 code page.

- Filtering by drive type

  ```
  custom-destinations-file C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\*.customDestinations-ms | search drive_type == "DRIVE_FIXED"
  ```

  Filters entries where the drive type is DRIVE_FIXED.