How to Clear or Delete Windows Jump Lists
Three ways to do it: the Settings toggle, deleting the files directly, or disabling the feature via policy. All three remove what the user sees in the taskbar. None of them remove the trail. If you came here to scrub your history before handing back a laptop, read the last section first.
Clear via Settings (Win 10 / 11)
Settings → Personalization → Start → toggle off "Show recently opened items in Jump Lists on Start, Jump Lists and File Explorer." Windows hides the recents in the taskbar and Start menu. On most builds it also deletes the existing *.automaticDestinations-ms and *.customDestinations-ms files in AppData\Roaming\Microsoft\Windows\Recent\. On a handful of older builds, it only hides them. Confirm by listing the folder afterwards.
For a single entry, right-click the item in the application's Jump List and pick "Remove from this list." That rewrites the host file in place: the numbered LNK stream is removed from the OLE container, the matching DestList row is dropped, and the header's entry count and revision number tick.
Delete the files directly
The two folders are:
%AppData%\Microsoft\Windows\Recent\AutomaticDestinations\%AppData%\Microsoft\Windows\Recent\CustomDestinations\
Each filename is <AppID>.automaticDestinations-ms or <AppID>.customDestinations-ms. The AppID is a 16-character lowercase hex string derived from a truncated CRC64 of the executable path. Same binary at the same path produces the same AppID on every machine, which is why the AppID list shipped with Eric Zimmerman's JLECmd works.
The catch: while explorer.exe is running, the shell holds open handles on the AppIDs for any application currently pinned or recently used. Plain delete fails with a sharing violation. Three options that actually work:
- Sign the user out (releases the handles), sign back in, delete from another account or from an admin shell.
- Kill and restart
explorer.exe. Crude, but it works. - Mount the volume from WinPE or another OS and delete from there.
Disable via Group Policy or registry
To stop Windows from writing new entries at all:
User Configuration → Administrative Templates → Start Menu and Taskbar → "Do not keep history of recently opened documents."
Equivalent registry value:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRecentDocsHistory REG_DWORD = 1
With that policy on, the shell stops writing new entries to AutomaticDestinations and stops updating DestList timestamps. Existing files are left untouched until something clears them. The policy itself is itself a finding — it leaves a fingerprint in the registry that a competent examiner will spot before they ever look at Recent\.
What "cleared" really means forensically
This is the part most "how to clear your tracks" articles skip. Deleting the live Jump List files removes one artifact. A competent examiner is not looking only at the live filesystem.
Residues that survive a clear:
- Volume Shadow Copies — older snapshots still contain the pre-deletion
.automaticDestinations-msfiles, often months back.vssadmin list shadowsenumerates them;mklink /dmounts each. - USN journal —
$UsnJrnl:$Jrecords the create, delete and rename of every Jump List file with reason codes and timestamps. The delete itself is logged. - $MFT records — entries for deleted Jump List files persist until overwritten. Small files (under ~700 bytes) can be resident in the MFT record itself and recoverable wholesale.
- Sister artifacts — LNK files in
Recent\, Prefetch, ShellBags, RecentDocs in NTUSER.DAT, and browser history corroborate the same user activity from different angles. Wiping Jump Lists alone leaves all of them intact. - ShimCache and AmCache — record program execution at the machine level, untouched by clearing user-mode MRUs.
- SRUM — application resource usage continues to log network and CPU activity per executable.
There is also the giveaway nobody plans for: the moment the user opens the next tracked item, Windows writes a fresh AutomaticDestinations file for that AppID and starts a new DestList. A Recent\ directory whose timestamps and DestList versions all cluster around the same recent date — with no older content — is itself the finding. Examiners read absence as evidence.
If you have a "they cleared their tracks" case to work, the DFIR walkthrough is the next read.
Further reading
- Eric Zimmerman, JLECmd — the offline tool whose AppID list is the de-facto standard.
- Microsoft's Group Policy reference for the document history setting.
- For correlating the clear event with system activity, the EVTX parser, USN journal parser, and recycle bin parser.