Jump Lists - nurit-cyber/OperatingSystemForensics GitHub Wiki

Intro to Jump Lists

Jump Lists were introduced with the Windows 7 taskbar, and users can add and remove items. They appear when right-clicking an application on the taskbar and contain the most frequently used, most recently used, and pinned items for that application.

The information recorded depends entirely on the application and what it does, and it is per user (stored within the user profile).

Features

They list MRU (Most Recently Used) or MFU (Most Frequently Used) items organized by application. The lists can retain several hundred items, and items may remain on a list after their target is deleted from the volume.

Technically the items can be deleted from the lists, but deletions can be detected.

Item Types

- Destinations (depends on what type of application): Pinned, Known (depends on locations) and Custom category
- Tasks: User and Taskbar tasks

Locations

C:\Users\[profile]\AppData\Roaming\Microsoft\Windows\Recent\

They will always appear like the following:

AutomaticDestinations\[AppID].automaticDestinations-ms
CustomDestinations\[AppID].customDestinations-ms

A single application, depending on how you use it, can have two unique AppIDs, but both will point back to the same application.

Viewing these files requires custom tools, and some may not be identifiable.

AppID: AppIDs are based on the process name or can be specified by the application, and different command arguments for the same application may result in different AppIDs. They are also the same across multiple systems.

**DISCLAIMER**:
SOMETIMES ACTIONS ON THE COMPUTER TAKE A WHILE TO APPEAR IN THE COMPUTER LOGS.
SYNC v2.2 WILL FLUSH ITEMS/ACTIONS IN MEMORY TO THE DISK, OR YOU CAN COLD BOOT OR REBOOT THE MACHINE.

Files

Automatic Destination File

There are two different structures, so two different parsers are needed to read the files.

Custom Destination File = LNK files
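A triage sketch for the Locations and Files sections above, added here as an example and not part of the original wiki: it inventories a profile's Recent folder, pulls the AppID out of each file name, and routes each file to one of the two parsers. The function names, the made-up AppIDs, and the sample files are assumptions; the signature bytes come from the published compound-file and shell-link formats, not from this page.

```python
import re
import tempfile
from pathlib import Path

# Signatures from the published file formats (not stated on the wiki page):
CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file header
# Shell link header: HeaderSize 0x4C followed by the LinkCLSID
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
NAME_RE = re.compile(r"^([0-9a-f]+)\.(automatic|custom)Destinations-ms$", re.I)

def triage(recent_dir):
    """Inventory jump list files under a profile's Recent folder and say
    which of the two parsers each file should be handed to."""
    rows = []
    for kind in ("automatic", "custom"):
        folder = Path(recent_dir) / f"{kind.capitalize()}Destinations"
        if not folder.is_dir():
            continue
        for path in sorted(folder.iterdir()):
            m = NAME_RE.match(path.name)
            row = {"file": path.name, "kind": kind, "app_id": None, "parser": None}
            if not m or m.group(2).lower() != kind:
                row["note"] = "unexpected name for this folder"
            elif kind == "automatic":
                row["app_id"] = m.group(1).lower()
                if path.read_bytes().startswith(CFB_MAGIC):
                    row.update(parser="compound-file", note="signature ok")
                else:
                    row["note"] = "missing compound-file signature"
            else:
                row["app_id"] = m.group(1).lower()
                n = path.read_bytes().count(LNK_MAGIC)
                row.update(parser="lnk", note=f"{n} LNK header(s) found")
            rows.append(row)
    return rows

def build_sample(root):
    """Write constructed (fake) jump list files; the AppIDs are made up."""
    auto = Path(root) / "AutomaticDestinations"
    cust = Path(root) / "CustomDestinations"
    auto.mkdir(parents=True); cust.mkdir(parents=True)
    (auto / "aaaaaaaaaaaaaaaa.automaticDestinations-ms").write_bytes(CFB_MAGIC + b"\0" * 504)
    (auto / "bbbbbbbbbbbbbbbb.automaticDestinations-ms").write_bytes(b"\0" * 512)
    (cust / "aaaaaaaaaaaaaaaa.customDestinations-ms").write_bytes(
        b"HDR" + LNK_MAGIC + b"x" * 56 + LNK_MAGIC + b"y" * 56)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for r in triage(build_sample(tmp)):
            print(r)
```

Run it against a copy of the Recent folder exported from an image rather than a live profile; a file flagged with a missing signature is worth a closer look before handing it to a parser.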