explainx.ainewsletter3.4k
analyzing-lnk-file-and-jump-list-artifacts

analyzing-lnk-file-and-jump-list-artifacts

mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026

MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/analyzing-lnk-file-and-jump-list-artifacts
0 commentsdiscussion
summary

Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.

skill.md
name
analyzing-lnk-file-and-jump-list-artifacts
description
Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.
domain
cybersecurity
subdomain
digital-forensics
tags
- lnk-files - jump-lists - lecmd - jlecmd - windows-forensics - shell-link - user-activity - file-access - program-execution - recent-files
version
'1.0'
author
mahipal
license
Apache-2.0
nist_csf
- RS.AN-01 - RS.AN-03 - DE.AE-02 - RS.MA-01

Analyzing LNK File and Jump List Artifacts

Overview

Windows LNK (shortcut) files and Jump Lists are critical forensic artifacts that provide evidence of file access, program execution, and user behavior. LNK files are created automatically when a user opens a file through Windows Explorer or the Open/Save dialog, storing metadata about the target file including its original path, timestamps, volume serial number, NetBIOS name, and MAC address of the host system. Jump Lists, introduced in Windows 7, extend this by maintaining per-application lists of recently and frequently accessed files. These artifacts persist even after the target files are deleted, making them invaluable for establishing that a user accessed specific files at specific times.

When to Use

  • When investigating security incidents that require analyzing lnk file and jump list artifacts
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • LECmd (Eric Zimmerman) for LNK file parsing
  • JLECmd (Eric Zimmerman) for Jump List parsing
  • Python 3.8+ with pylnk3 or LnkParse3 libraries
  • Forensic image or triage collection from Windows system
  • Timeline Explorer for CSV analysis

LNK File Locations

LocationDescription
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\Recent files accessed
%USERPROFILE%\Desktop\User-created shortcuts
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Start Menu shortcuts
%USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent\Office recent documents

LNK File Structure

Shell Link Header (76 bytes)

OffsetSizeField
0x004HeaderSize (always 0x0000004C)
0x0416LinkCLSID (always 00021401-0000-0000-C000-000000000046)
0x144LinkFlags
0x184FileAttributes
0x1C8CreationTime (FILETIME)
0x248AccessTime (FILETIME)
0x2C8WriteTime (FILETIME)
0x344FileSize of target
0x384IconIndex
0x3C4ShowCommand
0x402HotKey

Key Forensic Fields in LNK Files

  • Target file timestamps: Creation, access, modification times of the referenced file
  • Volume information: Serial number, drive type, volume label
  • Network share information: UNC path, share name
  • Machine identifiers: NetBIOS name, MAC address (from TrackerDataBlock)
  • Distributed Link Tracking: Machine ID and object GUID

Analysis with EZ Tools

LECmd - LNK File Parser

# Parse all LNK files in Recent folder
LECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent" --csv C:\Output --csvf lnk_analysis.csv

# Parse a single LNK file with full details
LECmd.exe -f "C:\Evidence\Users\suspect\Desktop\Confidential.docx.lnk" --json C:\Output

# Parse LNK files with additional detail levels
LECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent" --csv C:\Output --csvf lnk_all.csv --all

JLECmd - Jump List Parser

# Parse Automatic Jump Lists
JLECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv C:\Output --csvf jumplists_auto.csv

# Parse Custom Jump Lists
JLECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations" --csv C:\Output --csvf jumplists_custom.csv

# Parse all jump lists with detailed output
JLECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv C:\Output --csvf jumplists_auto.csv --ld

Jump List Structure

Automatic Destinations (automaticDestinations-ms)

These are OLE Compound files (Structured Storage) identified by AppID hash in the filename:

AppID HashApplication
5f7b5f1e01b83767Windows Explorer Pinned/Frequent
1b4dd67f29cb1962Windows Explorer Recent
9b9cdc69c1c24e2bNotepad
a7bd71699cd38d1cNotepad++
12dc1ea8e34b5a6Microsoft Paint
7e4dca80246863e3Control Panel
1cf97c38a5881255Microsoft Edge
f01b4d95cf55d32aWindows Explorer
9d1f905ce5044aeeMicrosoft Excel
a4a5324453625195Microsoft Word
d00655d2aa12ff6dMicrosoft PowerPoint
bc03160ee1a59fc1Outlook

Custom Destinations (customDestinations-ms)

Created when users pin items to application jump lists. These files contain sequential LNK entries.

Python Analysis Script

import struct
import os
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)

def filetime_to_datetime(filetime_bytes: bytes) -> datetime:
    """Convert Windows FILETIME (100-ns intervals since 1601) to datetime."""
    ft = struct.unpack("<Q", filetime_bytes)[0]
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_lnk_header(lnk_path: str) -> dict:
    """Parse the Shell Link header from an LNK file."""
    with open(lnk_path, "rb") as f:
        header = f.read(76)

    header_size = struct.unpack("<I", header[0:4])[0]
    if header_size != 0x4C:
        return {"error": "Invalid LNK header"}

    link_flags = struct.unpack("<I", header[0x14:0x18])[0]
    file_attrs = struct.unpack("<I", header[0x18:0x1C])[0]

    result = {
        "header_size": header_size,
        "link_flags": hex(link_flags),
        "file_attributes": hex(file_attrs),
        "creation_time": filetime_to_datetime(header[0x1C:0x24]),
        "access_time": filetime_to_datetime(header[0x24:0x2C]),
        "write_time": filetime_to_datetime(header[0x2C:0x34]),
        "file_size": struct.unpack("<I", header[0x34:0x38])[0],
        "has_target_id_list": bool(link_flags & 0x01),
        "has_link_info": bool(link_flags & 0x02),
        "has_name": bool(link_flags & 0x04),
        "has_relative_path": bool(link_flags & 0x08),
        "has_working_dir": bool(link_flags & 0x10),
        "has_arguments": bool(link_flags & 0x20),
        "has_icon_location": bool(link_flags & 0x40),
    }
    return result

Investigation Use Cases

Evidence of File Access

  1. Parse LNK files from Recent folder to identify accessed documents
  2. Cross-reference with MFT timestamps and USN Journal entries
  3. Note that LNK files persist even after target files are deleted

Removable Media Access

  1. LNK files referencing drive letters E:, F:, G: indicate removable media usage
  2. Volume serial number in LNK identifies the specific device
  3. MAC address in TrackerDataBlock identifies the source machine

Network Share Activity

  1. LNK files with UNC paths (\server\share) indicate network file access
  2. NetBIOS name identifies the remote server
  3. Timestamps establish when access occurred

Differences Between Windows 10 and Windows 11

Recent research (IEEE 2025) shows that Windows 11 produces different LNK and Jump List artifacts:

  • Fewer automatic LNK files generated for certain file types
  • Modified Jump List behavior for modern applications
  • UWP/MSIX applications may not generate traditional Jump Lists
  • Windows 11 Quick Access replaces some Recent functionality

References

Example Output

$ LECmd.exe -d "C:\Evidence\Users\jsmith\AppData\Roaming\Microsoft\Windows\Recent" --csv /analysis/lnk_output

LECmd v1.11.0 - LNK File Parser
================================

Processing 47 LNK files...

--- LNK File: Q4_Report.xlsx.lnk ---
  Source:           C:\Evidence\Users\jsmith\Recent\Q4_Report.xlsx.lnk
  Target Path:      C:\Users\jsmith\Downloads\Q4_Report.xlsm
  Target Created:   2024-01-15 14:33:45 UTC
  Target Modified:  2024-01-15 14:33:45 UTC
  Target Accessed:  2024-01-15 14:35:12 UTC
  File Size:        251,904 bytes
  Drive Type:       Fixed (C:)
  Volume Serial:    A4E7-3F21
  Machine ID:       DESKTOP-J5M1TH
  MAC Address:      48:2A:E3:5C:9B:01

--- LNK File: update_client.exe.lnk ---
  Source:           C:\Evidence\Users\jsmith\Recent\update_client.exe.lnk
  Target Path:      C:\ProgramData\Updates\update_client.exe
  Target Created:   2024-01-15 14:34:02 UTC
  Target Modified:  2024-01-15 14:34:02 UTC
  Target Accessed:  2024-01-15 14:36:30 UTC
  File Size:        1,258,496 bytes
  Drive Type:       Fixed (C:)
  Volume Serial:    A4E7-3F21
  Machine ID:       DESKTOP-J5M1TH
  Working Dir:      C:\ProgramData\Updates
  Arguments:        --silent --no-update-check
  Run Window:       Hidden

======================================================================

$ JLECmd.exe -d "C:\Evidence\Users\jsmith\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv /analysis/jumplist_output

JLECmd v1.5.0 - Jump List Parser
==================================

Processing 23 AutomaticDestinations files...

--- Application: Microsoft Excel (AppID: 12dc1ea8e34b5a6) ---
  Entries: 15
  Most Recent:
    Entry 0:  C:\Users\jsmith\Downloads\Q4_Report.xlsm         (2024-01-15 14:35:12 UTC)
    Entry 1:  \\FILESERV01\Finance\Budget_2024.xlsx             (2024-01-14 09:22:30 UTC)
    Entry 2:  C:\Users\jsmith\Documents\Expenses\Dec2023.xlsx   (2024-01-10 16:45:00 UTC)

--- Application: Windows Explorer (AppID: f01b4d95cf55d32a) ---
  Entries: 28
  Most Recent:
    Entry 0:  C:\ProgramData\Updates\                           (2024-01-15 14:36:25 UTC)
    Entry 1:  E:\Backup\                                        (2024-01-15 15:30:00 UTC)
    Entry 2:  \\FILESERV01\HR\Employees\                        (2024-01-15 16:12:45 UTC)

--- Application: cmd.exe (AppID: 9b9cdc69c1c24e2b) ---
  Entries: 5
  Most Recent:
    Entry 0:  C:\Windows\System32\cmd.exe                       (2024-01-15 14:36:00 UTC)

Summary:
  Total LNK files processed:    47
  Total Jump List entries:       156
  Suspicious artifacts:          3 (hidden window execution, USB drive access, network shares)
  CSV exported to:               /analysis/lnk_output/ and /analysis/jumplist_output/
how to use analyzing-lnk-file-and-jump-list-artifacts

How to use analyzing-lnk-file-and-jump-list-artifacts on Cursor

AI-first code editor with Composer

1

Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

  • Cursor installed and configured on your development machine
  • Node.js version 16.0+ with npm package manager (verify with node --version)
  • Active project directory or workspace where you want to add analyzing-lnk-file-and-jump-list-artifacts
2

Execute installation command

Execute the skills CLI command in your project's root directory to begin installation:

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/analyzing-lnk-file-and-jump-list-artifacts

The skills CLI fetches analyzing-lnk-file-and-jump-list-artifacts from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.

3

Select Cursor when prompted

The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:

◆ Which agents do you want to install to?
│ ── Universal (.agents/skills) ── always included ────
│ • Amp
│ • Antigravity
│ • Cline
│ • Codex
│ ●Cursor(selected)
│ • Cursor
│ • Windsurf
4

Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/analyzing-lnk-file-and-jump-list-artifacts

Reload or restart Cursor to activate analyzing-lnk-file-and-jump-list-artifacts. Access the skill through slash commands (e.g., /analyzing-lnk-file-and-jump-list-artifacts) or your agent's skill management interface.

Security & Verification Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.

Additional Resources

View source code on GitHubSkills CLI documentationLearn more about CursorWhat are agent skills?

List & Monetize Your Skill

Submit your Claude Code skill and start earning

GET_STARTED →

Use Cases

Task Automation & Efficiency

Automate repetitive workflows and reduce manual effort

Example

Generate reports, summarize documents, draft communications

Save 3-5 hours per week on routine tasks

Knowledge Enhancement

Learn new skills, understand complex topics, get expert guidance

Example

Explain concepts, provide examples, suggest learning resources

Accelerate learning and skill development by 2x

Quality Improvement

Enhance output quality through reviews, suggestions, and refinements

Example

Review drafts, suggest improvements, catch errors

Improve work quality by 30-40% with less effort

Implementation Guide

Prerequisites

  • Claude Desktop or compatible AI client with skill support
  • Clear understanding of task or problem to solve
  • Willingness to iterate and refine outputs

Time Estimate

15-45 minutes depending on use case complexity

Installation Steps

  1. 1.Install skill using provided installation command
  2. 2.Test with simple use case relevant to your work
  3. 3.Evaluate output quality and relevance
  4. 4.Iterate on prompts to improve results
  5. 5.Integrate into regular workflow if valuable

Common Pitfalls

  • Expecting perfect results without iteration
  • Not providing enough context in prompts
  • Using skill for tasks outside its intended scope
  • Accepting outputs without review and validation

Best Practices

✓ Do

  • +Start with clear, specific prompts
  • +Provide relevant context and constraints
  • +Review and refine all outputs before using
  • +Iterate to improve output quality
  • +Document successful prompt patterns

✗ Don't

  • Don't use without understanding skill limitations
  • Don't skip validation of outputs
  • Don't share sensitive information in prompts
  • Don't expect skill to replace human judgment

💡 Pro Tips

  • Be specific about desired format and style
  • Ask for multiple options to choose from
  • Request explanations to understand reasoning
  • Combine AI efficiency with human expertise

When to Use This

✓ Use When

Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.

✗ Avoid When

Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.

Learning Path

  1. 1Familiarize yourself with skill capabilities and limitations
  2. 2Start with low-risk, non-critical tasks
  3. 3Progress to more complex and valuable use cases
  4. 4Build expertise through regular use and experimentation

Discussion

Product Hunt–style comments (not star reviews)
  • No comments yet — start the thread.
general reviews

Ratings

4.653 reviews
  • Noor Harris· Dec 24, 2024

    analyzing-lnk-file-and-jump-list-artifacts fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • Ama Robinson· Dec 16, 2024

    Registry listing for analyzing-lnk-file-and-jump-list-artifacts matched our evaluation — installs cleanly and behaves as described in the markdown.

  • Chen Wang· Dec 12, 2024

    analyzing-lnk-file-and-jump-list-artifacts is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.

  • Aditi Verma· Dec 8, 2024

    Solid pick for teams standardizing on skills: analyzing-lnk-file-and-jump-list-artifacts is focused, and the summary matches what you get after install.

  • Noor Malhotra· Nov 27, 2024

    analyzing-lnk-file-and-jump-list-artifacts is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.

  • Noah Mensah· Nov 15, 2024

    analyzing-lnk-file-and-jump-list-artifacts fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • Ama Choi· Nov 7, 2024

    Useful defaults in analyzing-lnk-file-and-jump-list-artifacts — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.

  • Noah Okafor· Nov 3, 2024

    Solid pick for teams standardizing on skills: analyzing-lnk-file-and-jump-list-artifacts is focused, and the summary matches what you get after install.

  • Noor Taylor· Nov 3, 2024

    We added analyzing-lnk-file-and-jump-list-artifacts from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.

  • Noah Gupta· Oct 22, 2024

    analyzing-lnk-file-and-jump-list-artifacts has been reliable in day-to-day use. Documentation quality is above average for community skills.

showing 1-10 of 53

1 / 6