Jump List Parser
Back to blog

Jump List Parser Tools Compared (2026)

2026-05-254 min read

Pick one of three things: a CLI, a GUI, or a browser. Then check whether you can install software on the analyst box, and whether the artifact is allowed to leave that box at all. The four tools below cover the combinations that actually come up in casework. Everything else is a wrapper around one of them.

JLECmd (Eric Zimmerman)

The de-facto standard for command-line Jump List parsing. It handles both *.automaticDestinations-ms and *.customDestinations-ms, walks the DestList stream, decodes every embedded LNK stream, and emits CSV or JSON. Fast, scriptable, and the thing every KAPE module ends up wrapping. The output schema is essentially the industry standard — third-party tooling targets JLECmd's column names because that is what review pipelines expect.

The AppID list shipped alongside it is the other reason to keep JLECmd in your toolkit. It is the closest thing the community has to a canonical AppID-to-application map, and you will reach for it on every triage.

Trade-off: Windows .NET binary, no GUI. You read output in a spreadsheet or hand it to another tool. There is no clicking through entries.

JumpListExplorer (Eric Zimmerman)

The GUI sibling to JLECmd. Load a file or a folder, click through parsed entries, LNK fields, FILETIMEs, and the DestList ordering. Same parsing engine as JLECmd, so decoding is consistent between the two. This is the right tool when you are sitting at a Windows analyst workstation and want to read entries the way you would read email — slowly, with right-click context.

Trade-off: Windows-only, requires install, not built for batch processing. Use JLECmd for that.

Jumplist-Browser (kacos2000)

An open-source PowerShell viewer hosted on GitHub. It exposes the raw structures inside a Jump List — the MS-CFB streams, the DestList records, the embedded MS-SHLLINK substreams — in a way that is honest about what is actually in the file rather than presenting a normalised view of it. Reading the PowerShell is also a decent way to learn the format if you came in cold.

Trade-off: Windows and PowerShell only. The interface is closer to a research tool than a polished analyst GUI. You will live in it briefly to understand a weird file, then go back to JLECmd or this site.

Jump List Parser (this site)

A Rust parser compiled to WebAssembly that runs entirely in the browser. Nothing to install, works on Windows, macOS and Linux. The file decodes locally — it never leaves the machine, which matters for chain of custody and for handling artifacts you cannot upload to a third-party service. The output covers what an analyst actually wants: the AppID, every DestList row with hostname and FILETIME, every embedded LNK's full field set including the TrackerDataBlock droid GUID.

Trade-off: built for ad-hoc and triage parsing, not unattended batch processing of large directories. For pipeline work, JLECmd is the right fit.

When to use which

  • JLECmd — batch processing of Jump Lists into CSV or JSON, KAPE modules, anywhere you wire parsing into a pipeline.
  • JumpListExplorer — Windows analyst workstation, interactive deep dive, comfortable reading.
  • Jump List Parser (browser) — Mac or Linux box, single-file triage, artifact that policy forbids uploading, quick second opinion on a JLECmd result.
  • Jumplist-Browser (kacos2000) — you want to see the raw streams, or you are learning the format and trust comes from reading the parser.

All four are free. There is no single "best". The right pick is the one whose constraints match the box you are sitting at. Try the browser parser if you want zero install.

Further reading