Jump Lists
What are Jump Lists?
Jump Lists are per-application history files keyed by Windows AppID that record the recent files and tasks a user opened, providing strong evidence of file access tied to a specific program.
Jump Lists store the recent and frequently used items a user accessed through each application's taskbar context menu. Windows maintains two stores under each user profile: AutomaticDestinations (*.automaticDestinations-ms), generated by Windows, and CustomDestinations (*.customDestinations-ms), populated by applications. Each file is named with the application's AppID hash and uses a compound OLE structured-storage container that wraps LNK-style ShellLink streams with full path, MAC times, file size, and network or volume metadata. Forensic analysts use Jump Lists to prove that a user opened a particular document with a particular program, recover names of since-deleted files, and tie activity to a specific account. JLECmd is the standard parser.
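As a first-pass check before a full parse, the sketch below (an added example, not code from this page or from JLECmd) reads the AppID hash and store type from a Jump List file name, tests for the compound-file signature, and locates embedded ShellLink headers. The function name, the 16-hex-character file name pattern and the sample bytes are assumptions made for the illustration.

```python
import re
import struct

# Compound-file (OLE structured storage) signature.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# ShellLink header start: HeaderSize 0x4C, then CLSID 00021401-0000-0000-C000-000000000046.
LNK_HEADER = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000C000000000000046")
# Assumption: the AppID hash in the file name is 16 hex characters.
NAME_RE = re.compile(r"^([0-9a-f]{16})\.(automatic|custom)Destinations-ms$", re.I)


def triage_jump_list(filename, data):
    """Classify one Jump List file and locate embedded ShellLink headers."""
    m = NAME_RE.match(filename)
    if not m:
        raise ValueError(f"not a Jump List file name: {filename!r}")
    store = m.group(2).lower()
    is_compound = data.startswith(OLE_MAGIC)
    # Each hit marks the start of one LNK-style entry inside the file.
    offsets = [hit.start() for hit in re.finditer(re.escape(LNK_HEADER), data)]
    notes = []
    # The container check is only raised as a warning for the Windows-generated store.
    if store == "automatic" and not is_compound:
        notes.append("missing compound-file signature (truncated, corrupt or renamed?)")
    if not offsets:
        notes.append("no ShellLink headers found (empty or wiped list?)")
    return {
        "app_id": m.group(1).lower(),
        "store": store,
        "is_compound_file": is_compound,
        "lnk_offsets": offsets,
        "notes": notes,
    }


# Constructed sample: signature, padding, then two bare ShellLink headers.
# This is not a valid Jump List, only enough bytes to exercise the checks.
SAMPLE_NAME = "0123456789abcdef.automaticDestinations-ms"
SAMPLE_DATA = OLE_MAGIC + bytes(504) + (LNK_HEADER + bytes(44)) * 2

if __name__ == "__main__":
    print(triage_jump_list(SAMPLE_NAME, SAMPLE_DATA))
```

The offsets only show where entries begin; recovering paths, timestamps and volume metadata from each entry still requires a real parser such as JLECmd.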
● Examples
- 01: Proving that confidential.docx was opened in Microsoft Word by the user before exfiltration.
- 02: Recovering URLs that a user visited in a browser whose history was wiped, via the browser's Jump List.
● Frequently asked questions
What are Jump Lists?
Per-application history files keyed by Windows AppID that record the recent files and tasks a user opened, providing strong evidence of file access tied to a specific program. The term belongs to the Forensics & IR category of cybersecurity.
How do you defend against Jump Lists?
Defences for Jump Lists typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Jump Lists?
Common alternative names include: JumpLists, AutomaticDestinations, CustomDestinations.
● Related terms
- Shellbags: Registry keys that store per-user Windows Explorer folder-view settings and serve as forensic evidence that a specific user viewed a specific folder, including removable and network paths.
- Prefetch Files: Windows .pf files in C:\Windows\Prefetch that record process startup data and provide strong forensic evidence that an executable ran on a system.
- Amcache.hve: A Windows registry hive that records detailed metadata about every executable that has run or been present on a system, including SHA-1 hashes, providing strong execution evidence on modern Windows.
- MFT (Master File Table): The core NTFS metadata structure that stores one 1024-byte record per file or directory on a volume, anchoring nearly all Windows file-system forensics.
- $UsnJrnl ($J): The NTFS Update Sequence Number change journal that records every file-system operation, giving forensic investigators a high-resolution timeline of file creation, modification, and deletion.