LNK files windows 7

Posted on 2014-08-06
Medium Priority
Last Modified: 2014-08-21
On windows XP there used to be tons of fairly well hidden folders that contained LNK files for office type documents recently opened which could come in handy for forensics and/or basic trouble shooting.. Do you know if theres similar folders on windows 7 enterprise edition?

And also any idea where such folders may exist (if at all) on citrix xenapp/xendesktops server running server 2008? (accessed via WYSE terminals).

The XP ones were:
.\\Documents and Settings\UserName\Recent and
..\\Documents and Settings\UserName\Application Data\Microsoft\Office\Recent

Aside from these folders are there any other useful folders/files that keep a log of recently accessed files (ideally with the path).
Question by:pma111
  • 3
  • 2
  • 2
  • +1
LVL 57

Assisted Solution

McKnife earned 668 total points
ID: 40243656
It's still the same localtion: %userprofile%\recent
LVL 23

Accepted Solution

rhandels earned 668 total points
ID: 40243662
I think he means the folders.. These days they are located in another folder being C:\Users (if using English version) and the info for the all users is in C:\ProgramData.
Btw, a Citrix is nothing more than a "normal" W2K8 Server with an extra application (being Citrix Xenapp) on the server.

Author Comment

ID: 40243724
Rhandels does that mean any user who logs onto the citirx server would have an entry on the c:users folder ? That could consume the disk space quickly i would assume with lots of users logging on each day
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

LVL 23

Expert Comment

ID: 40243744
Hey pma111, yes that's right. When using an SBC server (server based computing with e.f. Citrix) you have a few options.

1. Delete the profiles after logoff. You do need to have roaming profiles though otherwise it won;t work. This is done using a windows policy and works quite well.
2. Remove old profiles using Citrix policy (this can delete old profiles i thought). Didn't really try this one because i always use roaming profiles and use option 1.
3. Move the profiles to a different drive making sure the server won;t stop working when your disk does hog up. We also did this because users cannot acces the C drive in our setup. Also lots of large profiles (over 1GB per user) so not enough diskspace on our C drive.

If you have a server with local profiles and a multitude of users logging in, it is indeed drama waiting to happen.
LVL 57

Expert Comment

ID: 40243771
Sorry, what is this question about? :) First, you said you wanted the locations of the recent folders for win7 and server 2008 - well, for both it is %userprofile%\recent just as it was with xp. %userprofile% will resolve to c:\users\username\.

Author Comment

ID: 40243797
Thanks rhandels
LVL 65

Assisted Solution

btan earned 664 total points
ID: 40243877
Some info
http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots#Recent Docs

Description: Recent Docs
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Why you care: It can be quite useful to know what files have been opened recently.

Description: User Assist
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Why you care: This key is suppose to contain information about programs and shortcuts accessed by the Windows GUI, including execution count and the date of last execution, but the way it's stored is less than obvious.

Description: Recently Opened Office Docs
Location: C:\Users\<user name>\AppData\Roaming\Microsoft\Office\Recent
Why you care: Yet another way to see what files someone has been accessing.
Or back to basic extracting NTUSER.DAT and using RegRipper  to surface the recent documents a logged in user can access. Also in Windows 7 you may have noticed those additions to your right-click menu, like recent history and in few instances application options.  These are jump lists, application specific tasks that are added to a programs right click menu.

It’s possible that one would assume that this information is pulled from the NTUSER.DAT file which contains recent document information.  This is not the case, examination of the PC will reveal that the jump list information at C:\Users\<USER NAME>\AppData\Roaming\Microsoft\Windows\Recent Items

However, with the secondary location on the PC can provide an examiner with something recoverable, a link (LNK) file.  Upon examination of the path some LNK files are going to be recoverable within the Recent Items folder. Recent Document information can also be found at:  C:\Users<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
LVL 65

Expert Comment

ID: 40243883
More on jump list and hints

Changing the number of Jump List items to display using the ‘Customize Start Menu’ dialog box resulted in the creation of the Registry value ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems’.

Similarly, changing the number of recent programs to display resulted in the creation of a value named ‘Start_MinMFU’ in the same Registry key.

After deselecting the option to ‘Store and display recently opened items in the Start menu and the taskbar’ from the ‘Taskbar and Start Menu Properties’ dialog box, a new value entitled ‘Start_TrackDocs’ was created within the same Registry key.  Additional experimentation identified that the data in this value is either ‘0’ when the feature is disabled or ‘1’ when enabled.

None of these values were present at first login.
LVL 65

Expert Comment

ID: 40266080
Also below can come in handy
a) Windows File Analyzer, free tool, reading and reporting on Windows shortcut files
b) Windows LNK Parsing Utility (lp), console application parse the SHLLINK format and extract much of the shortcut internals. It can further parsing a capture Image for such SHLLINK metadata  ...

While shortcut files can reside in just about any directory, the primary location for many shortcut files is: %APPDATA%\ Microsoft\ Windows\ Recent\ <shortcut files>, where the %APPDATA% is resolved to C:\Users\<user account>\AppData\Roaming. This is where the operating system automatically creates a shortcut based on a user double clicking on an application to launch it.
as well as Parsing Automatic and Custom Destinations files used for Jump Lists
From a forensics standpoint, Jump Lists are a good indicator of which files were recently opened or which websites were visited frequently.
Windows derives the Jump List content from two sets of Destination files:
a.      %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\[AppID].automaticDestinations-ms
b.      %APPDATA%\Microsoft\Windows\Recent\CustomDestinations\[AppID].customDestinations-ms
%APPDATA% is resolved to C:\Users\<user account>\AppData\Roaming. One can see that each user account (or profile) has its own set of Destination files.

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question