lnk-file
Parses Windows LNK (Shell Link) shortcut files and retrieves metadata such as target file information, paths, and timestamps. Used for user activity analysis and tracking malware execution traces.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Licensed command |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Options
zippath=STR - Path to a ZIP file containing LNK files. Use this when retrieving LNK files directly from inside a ZIP file.
zipcharset=STR - Character set for ZIP file entries. (Default: utf-8)
codepage=STR - Windows default code page used to decode ANSI strings inside the LNK file. (Default: euc-kr)
Target
FILE_PATH - Path to the LNK file to retrieve. You can use wildcards (*) to specify multiple files.
Output fields
| Field | Type | Description |
|---|---|---|
| _file | string | LNK file name |
| file_ctime | timestamp | Creation time of the LNK file itself |
| file_mtime | timestamp | Modification time of the LNK file itself |
| file_atime | timestamp | Access time of the LNK file itself |
| target_file_size | long | Size of the shortcut target file (bytes) |
| target_file_attrs | array | List of attribute flags of the shortcut target file. Possible values: READONLY, HIDDEN, SYSTEM, DIRECTORY, ARCHIVE, DEVICE, NORMAL, TEMPORARY, SPARSE_FILE, REPARSE_POINT, COMPRESSED, OFFLINE, NOT_CONTENT_INDEXED, ENCRYPTED, VIRTUAL |
| target_file_ctime | timestamp | Creation time of the shortcut target file |
| target_file_mtime | timestamp | Modification time of the shortcut target file |
| target_file_atime | timestamp | Access time of the shortcut target file |
| drive_serial | long | Drive serial number of the volume where the target file is located |
| drive_type | string | Drive type of the volume where the target file is located. One of: DRIVE_UNKNOWN, DRIVE_NO_ROOT_DIR, DRIVE_REMOVABLE, DRIVE_FIXED, DRIVE_REMOTE, DRIVE_CDROM, DRIVE_RAMDISK |
| volume_label | string | Label of the volume where the target file is located |
| local_path | string | Local base path of the target file (ANSI) |
| local_path_unicode | string | Local base path of the target file (Unicode) |
| net_name | string | Network share name of the target file |
| common_path_suffix | string | Common path suffix |
| show_window | string | Window display mode when the shortcut is launched. Values include SHOW_NORMAL, SHOW_MAXIMIZED and SHOW_MIN_NO_ACTIVE |
| shortcut_name | string | Shortcut name |
| working_dir | string | Working directory when the shortcut is launched |
| relative_path | string | Relative path to the shortcut target file |
| cmd_args | string | Command line arguments passed when the shortcut is launched |
| icon_location | string | Path to the shortcut icon file |
| hot_key | string | Shortcut hotkey (e.g., CTRL + ALT + A) |
Error codes
Parse errors
N/A
Runtime errors
| Error code | Message | Description | Post-action |
|---|---|---|---|
| - | cannot read lnk file {file path} | When the LNK file cannot be read | Terminates query execution |
Description
The lnk-file command parses the Windows Shell Link (.lnk) binary format and retrieves metadata contained in the shortcut file. LNK files contain not only the path, timestamps, size, and attributes of the target file, but also information such as the window display mode when launched, command line arguments, and working directory.
The command distinguishes between the filesystem timestamps of the LNK file itself (file_ctime, file_mtime, file_atime) and the timestamps of the target file recorded inside the LNK file (target_file_ctime, target_file_mtime, target_file_atime). When reading an LNK file from a ZIP file, the ZIP entry's timestamps are used as the filesystem timestamps.
ANSI strings inside the LNK file are decoded using the code page specified with the codepage option. For LNK files created on Korean Windows systems, the default value of euc-kr can be used. When analyzing LNK files created on other language Windows systems, the appropriate code page must be specified.
One record is output per LNK file. The volume information and local path fields are present only when the LNK file contains a LinkInfo structure; otherwise they are omitted.
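To show what the command has to decode, here is a minimal parser for the ShellLinkHeader, LinkInfo and StringData structures of the Shell Link format, with a constructed sample file built in code. This is example code written for this page, not Logpresso's implementation; it assumes the Python codec names (euc-kr, utf-16-le) stand in for the command's codepage values, mirrors the output field names from the table above, and leaves target_file_attrs as the raw bitmask.

```python
import struct
from datetime import datetime, timedelta, timezone

HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80  # LinkFlags bits (MS-SHLLINK 2.1.1)
STRINGS = ((0x04, "shortcut_name"), (0x08, "relative_path"), (0x10, "working_dir"),
           (0x20, "cmd_args"), (0x40, "icon_location"))  # StringData flag bits, in file order
DRIVES = ["DRIVE_UNKNOWN", "DRIVE_NO_ROOT_DIR", "DRIVE_REMOVABLE", "DRIVE_FIXED",
          "DRIVE_REMOTE", "DRIVE_CDROM", "DRIVE_RAMDISK"]
SHOW = {1: "SHOW_NORMAL", 3: "SHOW_MAXIMIZED", 7: "SHOW_MIN_NO_ACTIVE"}
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch; one tick is 100 ns
filetime = lambda ticks: EPOCH + timedelta(microseconds=ticks // 10)
cstr = lambda data, off, cp: data[off:data.index(b"\x00", off)].decode(cp)  # NUL-terminated ANSI

def hotkey(hk):  # high byte: modifiers (SHIFT=1, CTRL=2, ALT=4); low byte: virtual-key code
    mods = [m for bit, m in ((2, "CTRL"), (4, "ALT"), (1, "SHIFT")) if hk >> 8 & bit]
    return " + ".join(mods + [chr(hk & 0xFF)]) if hk else ""

def parse_lnk(data, codepage="euc-kr"):
    flags, attrs, ct, at, mt, size, _, show, hk = struct.unpack_from("<IIQQQIIIH", data, 20)
    rec = {"target_file_size": size, "target_file_attrs": attrs, "hot_key": hotkey(hk),
           "show_window": SHOW.get(show, "SHOW_NORMAL"), "target_file_ctime": filetime(ct),
           "target_file_atime": filetime(at), "target_file_mtime": filetime(mt)}
    pos = 0x4C  # ShellLinkHeader is always 76 bytes
    if flags & HAS_ID_LIST:  # skip LinkTargetIDList (IDListSize + IDList)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # volume and local path fields exist only when LinkInfo does
        li_size, _, li_flags, vol_off, base_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 1:  # VolumeIDAndLocalBasePath present
            _, dtype, serial, label_off = struct.unpack_from("<4I", data, pos + vol_off)
            rec.update(drive_type=DRIVES[dtype], drive_serial=serial,
                       volume_label=cstr(data, pos + vol_off + label_off, codepage),
                       local_path=cstr(data, pos + base_off, codepage))
        pos += li_size
    for bit, name in STRINGS:  # CountCharacters, then UTF-16LE or code-page characters
        if flags & bit:
            n, w = struct.unpack_from("<H", data, pos)[0], 2 if flags & IS_UNICODE else 1
            rec[name] = data[pos + 2:pos + 2 + n * w].decode("utf-16-le" if w == 2 else codepage)
            pos += 2 + n * w
    return rec

def build_sample(codepage="euc-kr"):  # constructed sample bytes, not a real artifact
    t = int((datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 10**7
    hdr = struct.pack("<I16sIIQQQIIIH10x", 0x4C, bytes.fromhex("0114020000000000c000000000000046"),
                      HAS_LINK_INFO | 0x10 | 0x20 | IS_UNICODE, 0x20, t, t, t, 4096, 0, 3, 0x0641)
    label = "백업".encode(codepage) + b"\x00"  # ANSI volume label, readable only with the right code page
    vol = struct.pack("<4I", 16 + len(label), 3, 0x1234ABCD, 16) + label  # VolumeID, DRIVE_FIXED
    body = vol + b"C:\\Tools\\run.exe\x00" + b"\x00"  # VolumeID, LocalBasePath, empty CommonPathSuffix
    li = struct.pack("<7I", 28 + len(body), 28, 1, 28, 28 + len(vol), 0, 27 + len(body)) + body
    sd = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in ("C:\\Tools", "-x /quiet"))
    return hdr + li + sd
```

Parsing the same bytes with a different code page changes only the ANSI volume label, which is the behaviour the codepage option exists to control.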
Examples
- Retrieve an LNK file
  `lnk-file /opt/logpresso/evidence/Recent/document.lnk`
  Retrieves shortcut metadata from the specified LNK file.
- Retrieve multiple LNK files at once
  `lnk-file /opt/logpresso/evidence/Recent/*.lnk`
  Retrieves shortcut metadata from all LNK files in the specified directory.
- Retrieve LNK files inside a ZIP file
  `lnk-file zippath=/opt/logpresso/evidence/artifacts.zip Recent/*.lnk`
  Retrieves all LNK files in the Recent directory inside the ZIP file.
- Retrieve LNK files from a Japanese Windows system by specifying the code page
  `lnk-file codepage=shift_jis /opt/logpresso/evidence/Recent/*.lnk`
  Decodes LNK files created on a Japanese Windows system using the Shift_JIS code page.
- Filter LNK files that contain command line arguments
  `lnk-file /opt/logpresso/evidence/Recent/*.lnk | search isnotnull(cmd_args)`
  Filters only LNK files that contain command line arguments. This helps identify cases where malware was launched with command line arguments.