analyzing-lnk-file-and-jump-list-artifacts

Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.

16 stars

byplurigrid

View on GitHub Installation ↓

Best use case

analyzing-lnk-file-and-jump-list-artifacts is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using analyzing-lnk-file-and-jump-list-artifacts should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md --create-dirs "https://raw.githubusercontent.com/plurigrid/asi/main/plugins/asi/skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How analyzing-lnk-file-and-jump-list-artifacts Compares

Feature / Agent	analyzing-lnk-file-and-jump-list-artifacts	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Analyzing LNK File and Jump List Artifacts

## Overview

Windows LNK (shortcut) files and Jump Lists are critical forensic artifacts that provide evidence of file access, program execution, and user behavior. LNK files are created automatically when a user opens a file through Windows Explorer or the Open/Save dialog, storing metadata about the target file including its original path, timestamps, volume serial number, NetBIOS name, and MAC address of the host system. Jump Lists, introduced in Windows 7, extend this by maintaining per-application lists of recently and frequently accessed files. These artifacts persist even after the target files are deleted, making them invaluable for establishing that a user accessed specific files at specific times.


## When to Use

- When investigating security incidents that require analyzing lnk file and jump list artifacts
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- LECmd (Eric Zimmerman) for LNK file parsing
- JLECmd (Eric Zimmerman) for Jump List parsing
- Python 3.8+ with pylnk3 or LnkParse3 libraries
- Forensic image or triage collection from Windows system
- Timeline Explorer for CSV analysis

## LNK File Locations

| Location | Description |
|----------|-------------|
| `%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\` | Recent files accessed |
| `%USERPROFILE%\Desktop\` | User-created shortcuts |
| `%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\` | Start Menu shortcuts |
| `%USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent\` | Office recent documents |

## LNK File Structure

### Shell Link Header (76 bytes)

| Offset | Size | Field |
|--------|------|-------|
| 0x00 | 4 | HeaderSize (always 0x0000004C) |
| 0x04 | 16 | LinkCLSID (always 00021401-0000-0000-C000-000000000046) |
| 0x14 | 4 | LinkFlags |
| 0x18 | 4 | FileAttributes |
| 0x1C | 8 | CreationTime (FILETIME) |
| 0x24 | 8 | AccessTime (FILETIME) |
| 0x2C | 8 | WriteTime (FILETIME) |
| 0x34 | 4 | FileSize of target |
| 0x38 | 4 | IconIndex |
| 0x3C | 4 | ShowCommand |
| 0x40 | 2 | HotKey |

### Key Forensic Fields in LNK Files

- **Target file timestamps**: Creation, access, modification times of the referenced file
- **Volume information**: Serial number, drive type, volume label
- **Network share information**: UNC path, share name
- **Machine identifiers**: NetBIOS name, MAC address (from TrackerDataBlock)
- **Distributed Link Tracking**: Machine ID and object GUID

## Analysis with EZ Tools

### LECmd - LNK File Parser

```powershell
# Parse all LNK files in Recent folder
LECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent" --csv C:\Output --csvf lnk_analysis.csv

# Parse a single LNK file with full details
LECmd.exe -f "C:\Evidence\Users\suspect\Desktop\Confidential.docx.lnk" --json C:\Output

# Parse LNK files with additional detail levels
LECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent" --csv C:\Output --csvf lnk_all.csv --all
```

### JLECmd - Jump List Parser

```powershell
# Parse Automatic Jump Lists
JLECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv C:\Output --csvf jumplists_auto.csv

# Parse Custom Jump Lists
JLECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations" --csv C:\Output --csvf jumplists_custom.csv

# Parse all jump lists with detailed output
JLECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv C:\Output --csvf jumplists_auto.csv --ld
```

## Jump List Structure

### Automatic Destinations (automaticDestinations-ms)

These are OLE Compound files (Structured Storage) identified by AppID hash in the filename:

| AppID Hash | Application |
|-----------|-------------|
| 5f7b5f1e01b83767 | Windows Explorer Pinned/Frequent |
| 1b4dd67f29cb1962 | Windows Explorer Recent |
| 9b9cdc69c1c24e2b | Notepad |
| a7bd71699cd38d1c | Notepad++ |
| 12dc1ea8e34b5a6 | Microsoft Paint |
| 7e4dca80246863e3 | Control Panel |
| 1cf97c38a5881255 | Microsoft Edge |
| f01b4d95cf55d32a | Windows Explorer |
| 9d1f905ce5044aee | Microsoft Excel |
| a4a5324453625195 | Microsoft Word |
| d00655d2aa12ff6d | Microsoft PowerPoint |
| bc03160ee1a59fc1 | Outlook |

### Custom Destinations (customDestinations-ms)

Created when users pin items to application jump lists. These files contain sequential LNK entries.

## Python Analysis Script

```python
import struct
import os
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)

def filetime_to_datetime(filetime_bytes: bytes) -> datetime:
    """Convert Windows FILETIME (100-ns intervals since 1601) to datetime."""
    ft = struct.unpack("<Q", filetime_bytes)[0]
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_lnk_header(lnk_path: str) -> dict:
    """Parse the Shell Link header from an LNK file."""
    with open(lnk_path, "rb") as f:
        header = f.read(76)

    header_size = struct.unpack("<I", header[0:4])[0]
    if header_size != 0x4C:
        return {"error": "Invalid LNK header"}

    link_flags = struct.unpack("<I", header[0x14:0x18])[0]
    file_attrs = struct.unpack("<I", header[0x18:0x1C])[0]

    result = {
        "header_size": header_size,
        "link_flags": hex(link_flags),
        "file_attributes": hex(file_attrs),
        "creation_time": filetime_to_datetime(header[0x1C:0x24]),
        "access_time": filetime_to_datetime(header[0x24:0x2C]),
        "write_time": filetime_to_datetime(header[0x2C:0x34]),
        "file_size": struct.unpack("<I", header[0x34:0x38])[0],
        "has_target_id_list": bool(link_flags & 0x01),
        "has_link_info": bool(link_flags & 0x02),
        "has_name": bool(link_flags & 0x04),
        "has_relative_path": bool(link_flags & 0x08),
        "has_working_dir": bool(link_flags & 0x10),
        "has_arguments": bool(link_flags & 0x20),
        "has_icon_location": bool(link_flags & 0x40),
    }
    return result
```

## Investigation Use Cases

### Evidence of File Access
1. Parse LNK files from Recent folder to identify accessed documents
2. Cross-reference with MFT timestamps and USN Journal entries
3. Note that LNK files persist even after target files are deleted

### Removable Media Access
1. LNK files referencing drive letters E:, F:, G: indicate removable media usage
2. Volume serial number in LNK identifies the specific device
3. MAC address in TrackerDataBlock identifies the source machine

### Network Share Activity
1. LNK files with UNC paths (\\server\share) indicate network file access
2. NetBIOS name identifies the remote server
3. Timestamps establish when access occurred

## Differences Between Windows 10 and Windows 11

Recent research (IEEE 2025) shows that Windows 11 produces different LNK and Jump List artifacts:
- Fewer automatic LNK files generated for certain file types
- Modified Jump List behavior for modern applications
- UWP/MSIX applications may not generate traditional Jump Lists
- Windows 11 Quick Access replaces some Recent functionality

## References

- Shell Link Binary File Format: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/
- Magnet Forensics LNK Analysis: https://www.magnetforensics.com/blog/forensic-analysis-of-lnk-files/
- Jump Lists Forensics 2025: https://www.cybertriage.com/blog/jump-list-forensics-2025/
- Eric Zimmerman's LECmd/JLECmd: https://ericzimmerman.github.io/

## Example Output

```text
$ LECmd.exe -d "C:\Evidence\Users\jsmith\AppData\Roaming\Microsoft\Windows\Recent" --csv /analysis/lnk_output

LECmd v1.11.0 - LNK File Parser
================================

Processing 47 LNK files...

--- LNK File: Q4_Report.xlsx.lnk ---
  Source:           C:\Evidence\Users\jsmith\Recent\Q4_Report.xlsx.lnk
  Target Path:      C:\Users\jsmith\Downloads\Q4_Report.xlsm
  Target Created:   2024-01-15 14:33:45 UTC
  Target Modified:  2024-01-15 14:33:45 UTC
  Target Accessed:  2024-01-15 14:35:12 UTC
  File Size:        251,904 bytes
  Drive Type:       Fixed (C:)
  Volume Serial:    A4E7-3F21
  Machine ID:       DESKTOP-J5M1TH
  MAC Address:      48:2A:E3:5C:9B:01

--- LNK File: update_client.exe.lnk ---
  Source:           C:\Evidence\Users\jsmith\Recent\update_client.exe.lnk
  Target Path:      C:\ProgramData\Updates\update_client.exe
  Target Created:   2024-01-15 14:34:02 UTC
  Target Modified:  2024-01-15 14:34:02 UTC
  Target Accessed:  2024-01-15 14:36:30 UTC
  File Size:        1,258,496 bytes
  Drive Type:       Fixed (C:)
  Volume Serial:    A4E7-3F21
  Machine ID:       DESKTOP-J5M1TH
  Working Dir:      C:\ProgramData\Updates
  Arguments:        --silent --no-update-check
  Run Window:       Hidden

======================================================================

$ JLECmd.exe -d "C:\Evidence\Users\jsmith\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv /analysis/jumplist_output

JLECmd v1.5.0 - Jump List Parser
==================================

Processing 23 AutomaticDestinations files...

--- Application: Microsoft Excel (AppID: 12dc1ea8e34b5a6) ---
  Entries: 15
  Most Recent:
    Entry 0:  C:\Users\jsmith\Downloads\Q4_Report.xlsm         (2024-01-15 14:35:12 UTC)
    Entry 1:  \\FILESERV01\Finance\Budget_2024.xlsx             (2024-01-14 09:22:30 UTC)
    Entry 2:  C:\Users\jsmith\Documents\Expenses\Dec2023.xlsx   (2024-01-10 16:45:00 UTC)

--- Application: Windows Explorer (AppID: f01b4d95cf55d32a) ---
  Entries: 28
  Most Recent:
    Entry 0:  C:\ProgramData\Updates\                           (2024-01-15 14:36:25 UTC)
    Entry 1:  E:\Backup\                                        (2024-01-15 15:30:00 UTC)
    Entry 2:  \\FILESERV01\HR\Employees\                        (2024-01-15 16:12:45 UTC)

--- Application: cmd.exe (AppID: 9b9cdc69c1c24e2b) ---
  Entries: 5
  Most Recent:
    Entry 0:  C:\Windows\System32\cmd.exe                       (2024-01-15 14:36:00 UTC)

Summary:
  Total LNK files processed:    47
  Total Jump List entries:       156
  Suspicious artifacts:          3 (hidden window execution, USB drive access, network shares)
  CSV exported to:               /analysis/lnk_output/ and /analysis/jumplist_output/
```

Related Skills

tmp-filesystem-watcher

from plurigrid/asi

Real-time filesystem watcher for /tmp using Babashka fs.

recovering-deleted-files-with-photorec

from plurigrid/asi

Recover deleted files from disk images and storage media using PhotoRec's file signature-based carving engine regardless of file system damage.

investigating-ransomware-attack-artifacts

from plurigrid/asi

Identify, collect, and analyze ransomware attack artifacts to determine the variant, initial access vector, encryption scope, and recovery options.

implementing-file-integrity-monitoring-with-aide

from plurigrid/asi

Configure AIDE (Advanced Intrusion Detection Environment) for file integrity monitoring including baseline creation, scheduled integrity checks, change detection, and alerting

implementing-code-signing-for-artifacts

from plurigrid/asi

This skill covers implementing code signing for build artifacts to ensure integrity and authenticity throughout the software supply chain. It addresses signing binaries, packages, and containers using GPG, Sigstore, and platform-specific signing tools, establishing trust chains, and verifying signatures in deployment pipelines.

implementing-application-whitelisting-with-applocker

from plurigrid/asi

Implements application whitelisting using Windows AppLocker to restrict unauthorized software execution on endpoints, reducing attack surface from malware, unauthorized tools, and shadow IT. Use when enforcing application control policies, meeting compliance requirements for software restriction, or preventing execution of unsigned or untrusted binaries. Activates for requests involving AppLocker, application whitelisting, software restriction, or executable control.

file-organizer

from plurigrid/asi

Intelligently organizes your files and folders across your computer by

extracting-windows-event-logs-artifacts

from plurigrid/asi

Extract, parse, and analyze Windows Event Logs (EVTX) using Chainsaw, Hayabusa, and EvtxECmd to detect lateral movement, persistence, and privilege escalation.

extracting-memory-artifacts-with-rekall

from plurigrid/asi

Uses Rekall memory forensics framework to analyze memory dumps for process hollowing, injected code via VAD anomalies, hidden processes, and rootkit detection. Applies plugins like pslist, psscan, vadinfo, malfind, and dlllist to extract forensic artifacts from Windows memory images. Use during incident response memory analysis.

extracting-browser-history-artifacts

from plurigrid/asi

Extract and analyze browser history, cookies, cache, downloads, and bookmarks from Chrome, Firefox, and Edge for forensic evidence of user web activity.

detecting-fileless-malware-techniques

from plurigrid/asi

Detects and analyzes fileless malware that operates entirely in memory using PowerShell, WMI, .NET reflection, registry-resident payloads, and living-off-the-land binaries (LOLBins) without writing traditional executable files to disk. Activates for requests involving fileless threat detection, in-memory malware investigation, LOLBin abuse analysis, or WMI persistence examination.

detecting-fileless-attacks-on-endpoints

from plurigrid/asi

Detects fileless malware and in-memory attacks that execute entirely in RAM without writing persistent files to disk, evading traditional antivirus. Use when building detections for PowerShell-based attacks, reflective DLL injection, WMI persistence, and registry-resident malware. Activates for requests involving fileless malware detection, in-memory attacks, PowerShell exploitation, or living-off-the-land techniques.