LNK files Windows 7

On Windows XP there used to be tons of fairly well hidden folders that contained LNK files for office-type documents recently opened, which could come in handy for forensics and/or basic troubleshooting. Do you know if there are similar folders on Windows 7 Enterprise edition?

And also, any idea where such folders may exist (if at all) on Citrix XenApp/XenDesktop servers running Server 2008 (accessed via WYSE terminals)?

The XP ones were:
.\\Documents and Settings\UserName\Recent and
..\\Documents and Settings\UserName\Application Data\Microsoft\Office\Recent

Aside from these folders, are there any other useful folders/files that keep a log of recently accessed files (ideally with the path)?
pma111 Asked:
McKnife Commented:
It's still the same location: %userprofile%\recent
0
rhandels Commented:
I think he means the folders. These days they are located in another folder, being C:\Users (if using the English version), and the info for all users is in C:\ProgramData.
Btw, a Citrix is nothing more than a "normal" W2K8 Server with an extra application (being Citrix XenApp) on the server.
0
pma111 Author Commented:
Rhandels, does that mean any user who logs onto the Citrix server would have an entry in the C:\Users folder? That could consume the disk space quickly, I would assume, with lots of users logging on each day.
0
rhandels Commented:
Hey pma111, yes that's right. When using an SBC server (server based computing with e.g. Citrix) you have a few options.

1. Delete the profiles after logoff. You do need to have roaming profiles though, otherwise it won't work. This is done using a Windows policy and works quite well.
2. Remove old profiles using Citrix policy (this can delete old profiles, I thought). Didn't really try this one because I always use roaming profiles and use option 1.
3. Move the profiles to a different drive, making sure the server won't stop working when your disk does hog up. We also did this because users cannot access the C drive in our setup. Also lots of large profiles (over 1GB per user), so not enough disk space on our C drive.

If you have a server with local profiles and a multitude of users logging in, it is indeed drama waiting to happen.
0
McKnife Commented:
Sorry, what is this question about? :) First, you said you wanted the locations of the recent folders for Win7 and Server 2008 - well, for both it is %userprofile%\recent just as it was with XP. %userprofile% will resolve to c:\users\username\.
0
pma111 Author Commented:
Thanks rhandels
0
btan (Exec Consultant) Commented:
Some info
http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots#Recent Docs

Description: Recent Docs
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Why you care: It can be quite useful to know what files have been opened recently.

Description: User Assist
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Why you care: This key is supposed to contain information about programs and shortcuts accessed by the Windows GUI, including execution count and the date of last execution, but the way it's stored is less than obvious.

Description: Recently Opened Office Docs
Location: C:\Users\<user name>\AppData\Roaming\Microsoft\Office\Recent
Why you care: Yet another way to see what files someone has been accessing.

Or go back to basics: extract NTUSER.DAT and use RegRipper to surface the recent documents a logged-in user can access. Also, in Windows 7 you may have noticed those additions to your right-click menu, like recent history and, in a few instances, application options. These are jump lists: application-specific tasks that are added to a program's right-click menu.

It's possible that one would assume that this information is pulled from the NTUSER.DAT file, which contains recent document information. This is not the case; examination of the PC will reveal that the jump list information is at C:\Users\<USER NAME>\AppData\Roaming\Microsoft\Windows\Recent Items

However, the secondary location on the PC can provide an examiner with something recoverable: a link (LNK) file. Upon examination of the path, some LNK files are going to be recoverable within the Recent Items folder. Recent document information can also be found at: C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
0
btan (Exec Consultant) Commented:
More on jump list and hints
http://articles.forensicfocus.com/2012/10/30/forensic-analysis-of-windows-7-jump-lists/

Changing the number of Jump List items to display using the ‘Customize Start Menu’ dialog box resulted in the creation of the Registry value ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems’.

Similarly, changing the number of recent programs to display resulted in the creation of a value named ‘Start_MinMFU’ in the same Registry key.

After deselecting the option to ‘Store and display recently opened items in the Start menu and the taskbar’ from the ‘Taskbar and Start Menu Properties’ dialog box, a new value entitled ‘Start_TrackDocs’ was created within the same Registry key.  Additional experimentation identified that the data in this value is either ‘0’ when the feature is disabled or ‘1’ when enabled.

None of these values were present at first login.
0
btan (Exec Consultant) Commented:
Also, the below can come in handy:
a) Windows File Analyzer, a free tool for reading and reporting on Windows shortcut files
b) Windows LNK Parsing Utility (lp), a console application that parses the SHLLINK format and extracts much of the shortcut internals. It can further parse a captured image for such SHLLINK metadata ...

While shortcut files can reside in just about any directory, the primary location for many shortcut files is: %APPDATA%\Microsoft\Windows\Recent\<shortcut files>, where %APPDATA% is resolved to C:\Users\<user account>\AppData\Roaming. This is where the operating system automatically creates a shortcut based on a user double clicking on an application to launch it.
as well as parsing Automatic and Custom Destinations files used for Jump Lists
From a forensics standpoint, Jump Lists are a good indicator of which files were recently opened or which websites were visited frequently.
Windows derives the Jump List content from two sets of Destination files:
a. %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\[AppID].automaticDestinations-ms
b. %APPDATA%\Microsoft\Windows\Recent\CustomDestinations\[AppID].customDestinations-ms
%APPDATA% is resolved to C:\Users\<user account>\AppData\Roaming. One can see that each user account (or profile) has its own set of Destination files.
0
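
For an examiner working from a mounted image, the per-profile Recent folders named in the answers above can be walked and each shortcut's fixed 76-byte ShellLinkHeader (the SHLLINK format) read for the target's timestamps and size. This is an added example, not code from the thread or from any tool mentioned in it; the function names are hypothetical and `sample_lnk` builds a constructed header, not real evidence.

```python
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Per-profile folders named in the thread, relative to C:\Users\<user>.
LNK_DIRS = ("AppData/Roaming/Microsoft/Windows/Recent",
            "AppData/Roaming/Microsoft/Office/Recent")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER = struct.Struct("<I16sIIQQQI")   # leading fields of the 76-byte header

def from_filetime(ticks):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime, None if zero."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10) if ticks else None

def parse_lnk_header(data):
    """Return the target's timestamps and size, or None if data is not a LNK."""
    if len(data) < 76:
        return None
    size, clsid, _flags, _attrs, created, accessed, written, fsize = HEADER.unpack_from(data)
    if size != 0x4C or clsid != LNK_CLSID:
        return None
    return {"target_created": from_filetime(created),
            "target_accessed": from_filetime(accessed),
            "target_modified": from_filetime(written),
            "target_size": fsize}

def scan_profiles(users_root):
    """Yield (user, folder, file name, header info) for each valid LNK found."""
    for profile in sorted(p for p in Path(users_root).iterdir() if p.is_dir()):
        for rel in LNK_DIRS:
            # Character classes keep the match case-insensitive on Linux mounts.
            for lnk in sorted((profile / rel).glob("*.[lL][nN][kK]")):
                with lnk.open("rb") as fh:
                    info = parse_lnk_header(fh.read(76))
                if info:
                    yield profile.name, rel, lnk.name, info

def sample_lnk(when, size):
    """Constructed 76-byte header (not real evidence) for trying the parser."""
    ticks = int((when - EPOCH_1601).total_seconds()) * 10_000_000
    return HEADER.pack(0x4C, LNK_CLSID, 0, 0x20, ticks, ticks, ticks, size) + bytes(20)

if __name__ == "__main__":
    import sys
    for user, rel, name, info in scan_profiles(sys.argv[1]):
        print(user, rel, name, info["target_modified"], info["target_size"])
```

Run it against the `Users` directory of a read-only mounted image. The header timestamps describe the link target as recorded in the shortcut, so they should be compared with the LNK file's own file-system timestamps rather than treated as the same thing.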