Pau Lo

asked on

LNK files Windows 7

On Windows XP there used to be tons of fairly well hidden folders that contained LNK files for office type documents recently opened, which could come in handy for forensics and/or basic troubleshooting. Do you know if there are similar folders on Windows 7 Enterprise edition?

And also any idea where such folders may exist (if at all) on a Citrix XenApp/XenDesktop server running Server 2008? (accessed via WYSE terminals).

The XP ones were:
.\\Documents and Settings\UserName\Recent and
..\\Documents and Settings\UserName\Application Data\Microsoft\Office\Recent

Aside from these folders, are there any other useful folders/files that keep a log of recently accessed files (ideally with the path)?
Pau Lo

ASKER

Rhandels, does that mean any user who logs onto the Citrix server would have an entry in the c:\users folder? That could consume the disk space quickly, I would assume, with lots of users logging on each day.

Hey pma111, yes that's right. When using an SBC server (server based computing with e.g. Citrix) you have a few options.

1. Delete the profiles after logoff. You do need to have roaming profiles though, otherwise it won't work. This is done using a Windows policy and works quite well.
2. Remove old profiles using Citrix policy (this can delete old profiles, I thought). Didn't really try this one because I always use roaming profiles and use option 1.
3. Move the profiles to a different drive, making sure the server won't stop working when your disk does hog up. We also did this because users cannot access the C drive in our setup. Also lots of large profiles (over 1GB per user), so not enough disk space on our C drive.

If you have a server with local profiles and a multitude of users logging in, it is indeed drama waiting to happen.

Sorry, what is this question about? :) First, you said you wanted the locations of the recent folders for Win7 and Server 2008 - well, for both it is %userprofile%\recent just as it was with XP. %userprofile% will resolve to c:\users\username\.
Pau Lo

ASKER

Thanks rhandels
More on jump list and hints
http://articles.forensicfocus.com/2012/10/30/forensic-analysis-of-windows-7-jump-lists/

Changing the number of Jump List items to display using the ‘Customize Start Menu’ dialog box resulted in the creation of the Registry value ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems’.

Similarly, changing the number of recent programs to display resulted in the creation of a value named ‘Start_MinMFU’ in the same Registry key.

After deselecting the option to ‘Store and display recently opened items in the Start menu and the taskbar’ from the ‘Taskbar and Start Menu Properties’ dialog box, a new value entitled ‘Start_TrackDocs’ was created within the same Registry key.  Additional experimentation identified that the data in this value is either ‘0’ when the feature is disabled or ‘1’ when enabled.

None of these values were present at first login.
The tools below can also come in handy:
a) Windows File Analyzer, a free tool for reading and reporting on Windows shortcut files
b) Windows LNK Parsing Utility (lp), a console application that parses the SHLLINK format and extracts much of the shortcut internals. It can further parse a captured image for such SHLLINK metadata ...

While shortcut files can reside in just about any directory, the primary location for many shortcut files is: %APPDATA%\Microsoft\Windows\Recent\<shortcut files>, where the %APPDATA% is resolved to C:\Users\<user account>\AppData\Roaming. This is where the operating system automatically creates a shortcut based on a user double clicking on an application to launch it.
as well as Parsing Automatic and Custom Destinations files used for Jump Lists
From a forensics standpoint, Jump Lists are a good indicator of which files were recently opened or which websites were visited frequently.
Windows derives the Jump List content from two sets of Destination files:
a.      %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\[AppID].automaticDestinations-ms
b.      %APPDATA%\Microsoft\Windows\Recent\CustomDestinations\[AppID].customDestinations-ms
%APPDATA% is resolved to C:\Users\<user account>\AppData\Roaming. One can see that each user account (or profile) has its own set of Destination files.
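
To show what the LNK parsing tools mentioned in this thread extract from a shortcut, here is an added example (not code from any poster or from the tools named above) that reads the fixed 76-byte shell link header and the LinkInfo local base path as laid out in Microsoft's [MS-SHLLINK] specification. The function names, the sample path and the constructed sample file are assumptions for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)              # FILETIME epoch
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_ID_LIST, HAS_LINK_INFO = 0x1, 0x2                          # LinkFlags bits 0 and 1

def filetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime, or None if unset."""
    return EPOCH + timedelta(microseconds=ft // 10) if ft else None

def parse_lnk(data):
    """Return timestamps, target size and local target path from a shell link."""
    if len(data) < 76:
        raise ValueError("too short for a shell link header")
    size, clsid, flags, attrs, ctime, atime, mtime, fsize = struct.unpack_from("<I16sIIQQQI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    info = {"attributes": attrs, "target_size": fsize, "created": filetime(ctime),
            "accessed": filetime(atime), "modified": filetime(mtime), "local_path": None}
    pos = 76
    try:
        if flags & HAS_ID_LIST:                 # skip the shell item ID list
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if not flags & HAS_LINK_INFO:
            return info
        li_size, li_hdr, li_flags, _vol, base_off = struct.unpack_from("<5I", data, pos)
    except struct.error:
        raise ValueError("truncated shell link") from None
    if pos + li_size > len(data):
        raise ValueError("LinkInfo runs past end of file")
    if li_flags & 0x1 and li_hdr <= base_off < li_size:   # VolumeIDAndLocalBasePath
        block = data[pos:pos + li_size]
        end = block.find(b"\x00", base_off)
        # Path is in the system code page; cp1252 is an assumption here.
        info["local_path"] = block[base_off:end if end != -1 else li_size].decode("cp1252", "replace")
    return info

def build_sample(path=r"C:\Users\alice\Documents\report.docx"):
    """Constructed minimal link (not a real artifact): header + LinkInfo only."""
    ts = (datetime(2013, 1, 15, 9, 30, tzinfo=timezone.utc) - EPOCH) // timedelta(microseconds=1) * 10
    header = struct.pack("<I16sIIQQQI", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20, ts, ts, ts, 4096) + bytes(20)
    volume = struct.pack("<4I", 0x11, 3, 0x1234ABCD, 0x10) + b"\x00"   # minimal VolumeID
    body = volume + path.encode("cp1252") + b"\x00" + b"\x00"          # path, empty suffix
    link_info = struct.pack("<7I", 0x1C + len(body), 0x1C, 0x1, 0x1C, 0x1C + len(volume), 0, 0x1C + len(body) - 1)
    return header + link_info + body

if __name__ == "__main__":
    print(parse_lnk(build_sample()))
```

The header timestamps describe the target file as it was when the shortcut was last written, which is separate from the timestamps of the .lnk file itself in the Recent folder.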