Jump List Parser

Understanding Windows Jump Lists

2026-05-18 · 2 min read


Jump Lists were introduced in Windows 7 to give users quick access to recently and frequently used files per application. For a forensic analyst, they are a rich record of user activity: which files were opened, when, and from where.

If you're new to the topic, start with the beginner-level primer on Windows Jump Lists.

Two file types

  • AutomaticDestinations (*.automaticDestinations-ms) — an OLE Compound File. Each numbered stream is a Windows shell link (LNK), and a DestList stream orders them and records access timestamps and the originating hostname.
  • CustomDestinations (*.customDestinations-ms) — application-defined categories containing a sequence of LNK structures.

Both live under %AppData%\Microsoft\Windows\Recent\(Automatic|Custom)Destinations\ — see where Windows stores Jump List files for the per-user paths, AppID naming convention, and how to acquire the files from a forensic image.
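The two formats can be told apart by content rather than by file extension, which is a useful check before parsing a renamed or carved file. The Rust below is an added example, not this tool's parser code: it tests for the OLE Compound File signature and, for a flat file, records the offset of each embedded shell link header (HeaderSize 0x4C followed by the LNK class identifier). The type and function names are hypothetical, the header scan is a heuristic, and the sample bytes are constructed.

```rust
/// OLE Compound File signature: first 8 bytes of an AutomaticDestinations file.
const CFB_MAGIC: [u8; 8] = [0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1];

/// Start of a shell link header: HeaderSize 0x4C (little-endian) followed by
/// LinkCLSID 00021401-0000-0000-C000-000000000046.
const LNK_HEADER: [u8; 20] = [
    0x4C, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
];

#[derive(Debug, PartialEq)]
enum JumpListKind {
    /// Compound file container; the LNK and DestList streams live inside it.
    Automatic,
    /// Flat file; holds the byte offset of each LNK header found by scanning.
    Custom(Vec<usize>),
    /// Neither signature present: not a Jump List, or damaged.
    Unknown,
}

/// Return the offset of every shell link header in `data`.
fn lnk_offsets(data: &[u8]) -> Vec<usize> {
    data.windows(LNK_HEADER.len())
        .enumerate()
        .filter_map(|(i, w)| if w == &LNK_HEADER[..] { Some(i) } else { None })
        .collect()
}

/// Classify a file by its bytes, ignoring whatever its name claims.
fn classify(data: &[u8]) -> JumpListKind {
    if data.starts_with(&CFB_MAGIC) {
        return JumpListKind::Automatic;
    }
    let offsets = lnk_offsets(data);
    if offsets.is_empty() { JumpListKind::Unknown } else { JumpListKind::Custom(offsets) }
}

fn main() {
    // Constructed sample: 8 filler bytes, a LNK header, 4 filler bytes, a LNK header.
    let mut custom = vec![0u8; 8];
    custom.extend_from_slice(&LNK_HEADER);
    custom.extend_from_slice(&[0xAA; 4]);
    custom.extend_from_slice(&LNK_HEADER);
    println!("{:?}", classify(&custom));
    // Constructed sample: compound file signature followed by zero padding.
    let mut auto = CFB_MAGIC.to_vec();
    auto.extend_from_slice(&[0u8; 504]);
    println!("{:?}", classify(&auto));
}
```

A mismatch between the result and the file's extension is worth recording in case notes before any further parsing.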

Why parse them in the browser?

For investigations, the chain of custody matters. This tool compiles a Rust parser to WebAssembly and runs it entirely client-side — the artifact never leaves your machine, and there is no server to log it. For a side-by-side look at the alternatives, see the Jump List parser tools comparison.

Drop a file on the home page to see the decoded entries. Need a step-by-step investigation workflow? Read the DFIR walkthrough. Trying to remove Jump List history instead? See how to clear or delete Windows Jump Lists.