The 4N6 Post

 

JumpList is a feature of Microsoft Windows that lets users quickly access frequently used files, folders, and applications. It is reached by right-clicking the taskbar icon or Start menu tile of the target application. The information shown in a JumpList is stored on disk and, in older versions, in the registry, so it can be found both through Explorer file paths and within the registry itself.





Normal Behavior

JumpList is a useful feature for normal use cases, such as allowing users to quickly access recently opened files or frequently used applications. For example, if you frequently use Microsoft Word to create documents, you can add the “New Document” option to the JumpList for Microsoft Word. This will allow you to create a new document without having to open the application first.

To set the maximum number of Jump List items, create a new DWORD (32-bit) value under the following key and set its numeric value to the count you want:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

If you wish to disable JumpLists instead, create a new DWORD (32-bit) value named Start_TrackDocs under the same key with a value of 0.

This is essentially "do not start tracking your documents".


Malicious Purposes

However, JumpList can also be used for malicious purposes. Attackers can manipulate the JumpList registry to include malicious links or files that, when clicked, will execute malicious code on the target system. This can lead to a compromise of the system, as well as the theft of sensitive information.


Finding JumpLists

To understand the JumpList registry, it is important to understand the structure of the registry itself. The registry is a hierarchical database that stores configuration information for the operating system, as well as for applications that run on the system. 


The registry-based JumpList location was deprecated in one of the Windows 10 versions, but the old location in the registry is the following path:

	OLD: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\JumpListItems

The new location, and the best place to look, is the following file path:

%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

There are several keys within the JumpList registry that are of interest to security researchers and incident responders. These keys include:


  • ~\Recent\Tasks:
This location contains information about the tasks that are displayed in the JumpList.
  • ~\Recent\DestList:
This location contains information about the files, folders, and applications that are displayed in the JumpList.
  • ~\Recent:
This location contains information about the most recently used files and folders.
  • ~\Recent\AutomaticDestinations:
This location contains information about the files and folders that are automatically added to the JumpList based on user activity.
  • ~\Recent\CustomDestinations:
This location contains application information about custom destinations added to the JumpList. Custom destinations are items that are manually added to the JumpList, as opposed to items that are automatically added based on user activity. These items may include taskbar pins, files, folders, or applications that the user accesses frequently.

Similar to the MRU List, there is an MRUListEx (Most Recent List Executed) value that records the order of the most recently opened documents. Each individual numbered value holds the link location and date, while MRUListEx holds only the order in which they were used. This can be found in:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
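The following is an added example, not code from the original post, showing how the MRUListEx ordering described above is applied to the numbered RecentDocs values. The input is a constructed dictionary standing in for the key's exported values (a live system would be read with winreg or a registry hive parser); only the UTF-16 target name at the start of each entry is decoded, and the trailing .lnk name is ignored.

```python
import struct

# Constructed sample of a RecentDocs key: numbered values plus MRUListEx.
# Each numbered value begins with the target name as null-terminated UTF-16LE,
# followed by the name of the shortcut file in ANSI (ignored by this parser).
def _entry(name: str) -> bytes:
    return name.encode("utf-16-le") + b"\x00\x00" + (name + ".lnk\x00").encode("ascii")

SAMPLE_RECENTDOCS = {
    "0": _entry("report.docx"),
    "1": _entry("notes.txt"),
    "2": _entry("budget.xlsx"),
    # Index 2 was used most recently, then 0, then 1; 0xFFFFFFFF terminates the list.
    "MRUListEx": struct.pack("<IIII", 2, 0, 1, 0xFFFFFFFF),
}


def parse_mrulistex(blob: bytes) -> list[int]:
    """Return the value indexes in MRU order (most recent first).

    MRUListEx is a run of little-endian DWORDs terminated by 0xFFFFFFFF;
    a trailing partial DWORD or a missing terminator is tolerated.
    """
    order = []
    usable = blob[: len(blob) - len(blob) % 4]
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def parse_recentdocs_entry(blob: bytes) -> str:
    """Decode the leading null-terminated UTF-16LE target name of one value."""
    end = 0
    while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2  # scan on 2-byte boundaries so a 0x00 inside a code unit is not a terminator
    return blob[:end].decode("utf-16-le", errors="replace")


def ordered_recent_docs(values: dict[str, bytes]) -> list[str]:
    """Resolve MRUListEx against the numbered values, most recent first.

    An index present in MRUListEx but missing from the key (a partially
    cleaned key) is reported as a placeholder rather than silently dropped.
    """
    order = parse_mrulistex(values.get("MRUListEx", b""))
    return [
        parse_recentdocs_entry(values[str(i)]) if str(i) in values else f"<missing value {i}>"
        for i in order
    ]


if __name__ == "__main__":
    for rank, name in enumerate(ordered_recent_docs(SAMPLE_RECENTDOCS), 1):
        print(f"{rank}. {name}")
```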

Decipher Recent AppIDs

You can use tools to decipher which AppID belongs to which program, or search the file itself for the answer. A list of common AppIDs can be obtained from:


A detailed treatment of JumpLists and their use as evidence of malicious activity can be found in the SANS Windows Forensic Analysis poster. The poster covers JumpLists as proof of execution and gives step-by-step instructions on how to analyze them.


https://www.sans.org/posters/windows-forensic-analysis/


Additional Jump List Sources:
