Jump List Parser
Back to blog

Where Windows Stores Jump List Files (Win 7, 10, 11)

2026-05-253 min read

Short answer. Two per-user folders under the Roaming profile: %AppData%\Microsoft\Windows\Recent\AutomaticDestinations\ and %AppData%\Microsoft\Windows\Recent\CustomDestinations\. These paths are identical on Windows 7, 8, 10 and 11. The same collection script has worked unchanged for a decade and a half.

AutomaticDestinations

Written by the shell itself when a user opens a document through a registered application:

%AppData%\Microsoft\Windows\Recent\AutomaticDestinations\

Resolved: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\. Each filename is <AppID>.automaticDestinations-ms where <AppID> is a 16-character lowercase hex string. The file is an OLE Compound File (MS-CFB) whose numbered streams are LNK structures, ordered by a single DestList stream.

CustomDestinations

Written by the application via the ICustomDestinationList COM API for its own pinned items and custom categories (Tasks, Recent, app-named groups):

%AppData%\Microsoft\Windows\Recent\CustomDestinations\

Same naming convention: <AppID>.customDestinations-ms. The format is a flat sequence of LNK structures preceded by a small header, terminated by 0xBABFFBAB. No OLE container.

Per-user, not per-machine

Both directories live under AppData\Roaming and roam with the profile. There is no machine-wide Jump List store. On a live host, echo %AppData% resolves to the current user; on a mounted image, walk \Users\ and map each profile folder to its SID via HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID> in the registry if you need to tie activity back to an account.

On a forensic image

Pull the whole Recent\ tree per user:

\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\
\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\

The parent Recent\ folder also holds classic .lnk shortcuts — useful corroboration but a separate artifact. The two *Destinations subfolders have existed unchanged since Windows 7, so one collection script covers every supported version. KAPE has a target for this if you would rather not write your own.

On a live system, expect explorer.exe to hold open handles. Collect from a Volume Shadow Copy (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\…), from a forensic image, or by signing the user out first. The Recent\ folder also gets touched by the USN journal and the MFT, both of which are worth pulling at the same time — the create and delete events for Jump List files often outlive the files themselves.

What the AppID actually is

The filename prefix is a 16-character lowercase hex string — for example 1b4dd67f29cb1962 (Quick Access on modern Windows). It is a truncated CRC64 hash computed over the application's executable path, sometimes with additional identifying data mixed in. Same binary at the same path produces the same AppID on every machine, which is why published AppID lists work. Shipping AppID maps from JLECmd cover most well-known applications; for anything unmapped, the AppID is a lead, not noise.

Two consequences of the AppID derivation:

  • Move or rename the executable and the AppID changes. The old Jump List file stays in the folder, orphaned, with a stale AppID that no longer maps to any installed binary. That orphan is itself worth a look.
  • The same application installed at the same path on two machines produces the same AppID on both, but the contents are per-user. AppID alone does not attribute the activity — pair it with the user profile path.

Quick acquisition checklist

  • Image or mount the volume; do not copy live with plain xcopy.
  • Walk \Users\ and collect both *Destinations\ folders per user.
  • Pull the parent Recent\ folder for the standalone .lnk files.
  • Pull \Users\<user>\NTUSER.DAT for the matching UserAssist and RecentDocs keys.
  • Note any unexpected AppIDs and any folders empty of older files — both are findings.

For the on-disk byte layout of these files, see the AutomaticDestinations file format breakdown.

Further reading