How to Clear or Delete Windows Jump Lists
There are three practical ways to clear Windows Jump Lists: toggle them off in
the Settings UI, delete the underlying files in %AppData%, or disable them
through Group Policy or the registry. Each gets rid of what the user sees in
the taskbar and Start menu, but "cleared" is not the same as "gone" — the
on-disk artifacts and their neighbours often outlive the click.
Clear via Settings (Win 10 / 11)
Open Settings → Personalization → Start and turn off "Show recently
opened items in Jump Lists on Start, Jump Lists and File Explorer." Windows
will hide the recents in the taskbar and Start menu, and on most builds it
also removes the existing *.automaticDestinations-ms and
*.customDestinations-ms files under Recent\.
For a single entry, right-click the item in the application's Jump List and
choose "Remove from this list." That rewrites the host file in place — the
specific stream is dropped from the OLE container and its DestList entry is
removed.
Delete the files directly
The files live under:
%AppData%\Microsoft\Windows\Recent\AutomaticDestinations\
%AppData%\Microsoft\Windows\Recent\CustomDestinations\
Each filename is the application's AppID followed by the relevant extension.
You can delete them like any other file, with one catch: while
explorer.exe is running, the shell holds open handles on the files for
applications currently pinned or recently used, so deletion will fail with a
sharing violation. The pragmatic options are to sign the user out (which
releases the handles), kill and restart explorer.exe, or mount the volume
from another OS or a WinPE environment and delete from there.
Disable via Group Policy / registry
To stop Windows from recording Jump List entries in the first place, enable:
User Configuration → Administrative Templates → Start Menu and Taskbar → "Do not keep history of recently opened documents."
The equivalent registry value is:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRecentDocsHistory REG_DWORD = 1
With the policy on, the shell stops writing new entries to
AutomaticDestinations and stops updating DestList timestamps. Existing
files are left untouched until the user clears them.
What "cleared" really means forensically
Deleting the Jump List files removes the live artifacts, but a competent examiner is not looking only at the live filesystem. Common residues:
- Volume Shadow Copies — older snapshots will still contain the pre-deletion .automaticDestinations-ms files, often months back.
- USN journal — $UsnJrnl:$J records the create/delete of each Jump List file, with timestamps.
- $MFT records — entries for deleted Jump List files remain until overwritten, and resident data in small files may still be recoverable.
- Related artifacts — LNK files in Recent\, Prefetch, ShellBags, the RecentDocs registry keys, and browser history all corroborate the same user activity from different angles.
The moment the user opens another tracked item, Windows writes a fresh
AutomaticDestinations file for that AppID and starts a new DestList. A
suspiciously empty Recent\ directory is itself a finding.
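As an added example (not part of the original article), the Python below triages a USN journal export for the two patterns described above: a burst of Jump List file deletions, and a fresh file written afterwards. The CSV layout, reason labels and 16-hex-digit AppIDs are assumptions constructed for illustration, not the output schema of any particular tool.

```python
import csv, io, re
from datetime import datetime, timedelta
# Constructed sample: simplified CSV export of $UsnJrnl:$J records. Column names,
# reason labels and the 16-hex-digit AppIDs are assumptions made for this example.
SAMPLE_USN_CSV = """timestamp,filename,reason
2024-03-01T09:12:03,1111aaaa2222bbbb.automaticDestinations-ms,FileCreate
2024-03-04T17:40:10,1111aaaa2222bbbb.automaticDestinations-ms,FileDelete|Close
2024-03-04T17:40:10,3333cccc4444dddd.automaticDestinations-ms,FileDelete|Close
2024-03-04T17:40:11,5555eeee6666ffff.customDestinations-ms,FileDelete|Close
2024-03-04T17:40:11,report.docx,FileDelete|Close
2024-03-04T17:52:44,1111aaaa2222bbbb.automaticDestinations-ms,FileCreate
"""
JUMPLIST_RE = re.compile(r"^[0-9a-f]{16}\.(automatic|custom)Destinations-ms$", re.I)

def jumplist_events(csv_text):
    """Return time-sorted (timestamp, filename, reasons) for Jump List files only."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if JUMPLIST_RE.match(row["filename"]):
            events.append((datetime.fromisoformat(row["timestamp"]),
                           row["filename"].lower(), set(row["reason"].split("|"))))
    return sorted(events, key=lambda e: e[0])

def bulk_deletes(events, window=timedelta(seconds=5), min_files=3):
    """Bursts of deletes within `window` that hit at least `min_files` Jump List files."""
    bursts, current = [], []
    for ts, name, why in events:
        if "FileDelete" not in why:
            continue
        if current and ts - current[-1][0] > window:
            bursts.append(current)
            current = []
        current.append((ts, name))
    if current:
        bursts.append(current)
    return [b for b in bursts if len({n for _, n in b}) >= min_files]

def recreated_after_delete(events):
    """Map filename -> (deleted_at, recreated_at) for files written again after a delete."""
    last_delete, hits = {}, {}
    for ts, name, why in events:
        if "FileDelete" in why:
            last_delete[name] = ts
        elif "FileCreate" in why and name in last_delete:
            hits[name] = (last_delete.pop(name), ts)
    return hits

if __name__ == "__main__":
    ev = jumplist_events(SAMPLE_USN_CSV)
    print(bulk_deletes(ev), recreated_after_delete(ev))
```

The gap between the delete burst and the first re-created file bounds when the user resumed activity after the clear-out.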
For an analyst working a "they cleared their tracks" case, see the DFIR walkthrough.