MISC

Some random artefacts that don't into other categories.

Notifications

Contains a list of the recents notifications displayed to a user. It is a SQLite file, with interesting data in the Notifications table.

The Clear Notification button does not empty this DB.

\Users\<username>\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db

RecentDocs

Contains a list of recents opened documents, ordered by extensions.

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\

JumpList

The Windows 7-10 task bar (Jump List) is engineered to allow users to “jump” or access items they have frequently or recently used quickly and easily.

Location

This path isn't accessible when browsing, it needs to be typed. AutomaticDestinations correspond to the entries created by the system iteself upon certains user actions. CustomDesinations are created by the user.

%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

Data available

The AutomaticDestinations-ms and CustomDestination-ms are basically a list of LNKs.

  • ApplicationID info - contained in the first part of the name of the file. This application ID is built from the path of the executable. It can be used to identify known application started from another path.

  • Number of entries

  • For each entries :

    • Path of the file.

    • Creation and last modification

    • File size

    • MFT entry number

    • Hostname, mac addr

    • Interaction count

    • Volume information

Parser

Volume Shadow Copies

System providing point in time backup of a system.

The VSS service settings are set in the following key.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS

The files to exclude are specified in the following key.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore

PreviousRegistryNextExecution / User activities

Last updated

Was this helpful?