Where Windows Stores Jump List Files (Win 7, 10, 11)
TL;DR — Jump Lists live in two per-user directories under the Roaming
profile: %AppData%\Microsoft\Windows\Recent\AutomaticDestinations\ and
%AppData%\Microsoft\Windows\Recent\CustomDestinations\. These paths are
identical on Windows 7, 8, 10, and 11.
AutomaticDestinations location
Files written by the shell itself when a user opens a document:
%AppData%\Microsoft\Windows\Recent\AutomaticDestinations\
Resolved, this is
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\.
Each file is named <AppID>.automaticDestinations-ms, where <AppID> is a
16-character hex string. The file itself is an OLE Compound File whose numbered streams are
string. The file itself is an OLE Compound File whose numbered streams are
LNK structures, ordered by a DestList stream.
CustomDestinations location
Files written by the application via the ICustomDestinationList API for
its pinned items and custom categories ("Tasks", "Recent", etc.):
%AppData%\Microsoft\Windows\Recent\CustomDestinations\
Same naming convention: <AppID>.customDestinations-ms. The format is a
flat sequence of LNK structures preceded by a small header — not an OLE
Compound File.
Per-user vs per-machine
Both directories are per-user and roam with the profile (they sit under
AppData\Roaming, not Local). There is no machine-wide Jump List store.
On a live host you can resolve the current user with echo %AppData%; on a
mounted image, walk \Users\ and map each profile folder to its SID via
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID> if you
need to tie activity back to an account.
On a forensic image
Mount the image and pull the entire Recent tree per user:
\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\
\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\
The parent Recent\ folder also holds classic .lnk shortcuts — useful
corroboration but a separate artifact. The two *Destinations subfolders
have existed unchanged since Windows 7, so the same collection script works
across Windows 7, 8.1, 10, and 11. On a live system, expect explorer.exe
to hold open handles; collect from a Volume Shadow Copy
(\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\…) or work from an image.
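An inventory pass over a mounted image, as an added example that is not part of the original page: it walks every profile under the mounted \Users\ folder, lists the files in both *Destinations folders, and flags any whose name or first eight bytes do not fit the descriptions above. The function names are hypothetical; the sample tree, the profile names alice and bob, the AppID 0123456789abcdef and all file contents are constructed, and the mount is assumed to preserve the folder casing shown.

```python
import re
import tempfile
from pathlib import Path

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE Compound File signature
RECENT = "AppData/Roaming/Microsoft/Windows/Recent"
KINDS = {"AutomaticDestinations": ".automaticDestinations-ms",
         "CustomDestinations": ".customDestinations-ms"}
APPID_RE = re.compile(r"[0-9a-f]{16}")

def inventory_jump_lists(users_root):
    """List every Jump List file under <users_root>/<profile>/.../Recent."""
    rows = []
    for kind, suffix in KINDS.items():
        pattern = f"*/{RECENT}/{kind}/*"
        for f in sorted(p for p in Path(users_root).glob(pattern) if p.is_file()):
            named_ok = f.name.lower().endswith(suffix.lower())
            app_id = f.name[:-len(suffix)].lower() if named_ok else None
            with f.open("rb") as fh:
                is_ole = fh.read(8) == OLE_MAGIC
            notes = []
            if not named_ok:
                notes.append("unexpected file name")
            elif not APPID_RE.fullmatch(app_id):
                notes.append("AppID is not 16 hex characters")
            # Automatic files are OLE Compound Files; Custom files are not.
            if is_ole != (kind == "AutomaticDestinations"):
                notes.append("container type does not match folder")
            rows.append({"user": f.relative_to(users_root).parts[0], "kind": kind,
                         "app_id": app_id, "ole": is_ole, "size": f.stat().st_size, "notes": notes})
    return rows

def build_constructed_sample(root):
    """Constructed tree with placeholder contents, not real Jump List data."""
    sample = [
        ("alice", "AutomaticDestinations", "1b4dd67f29cb1962", OLE_MAGIC + b"\0" * 504),
        ("alice", "CustomDestinations", "1b4dd67f29cb1962", b"\0" * 64),
        ("bob", "AutomaticDestinations", "0123456789abcdef", b"not an OLE file"),
    ]
    for user, kind, app_id, data in sample:
        folder = Path(root) / user / RECENT / kind
        folder.mkdir(parents=True, exist_ok=True)
        (folder / (app_id + KINDS[kind])).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        for row in inventory_jump_lists(tmp):
            print(row)
```

A file flagged "container type does not match folder" is worth a closer look before parsing: it may be truncated, misplaced, or not a Jump List at all.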
What an AppID looks like
The filename prefix is a 16-character lowercase hex string — for example
1b4dd67f29cb1962. It is a truncated CRC64 hash computed over the
application's executable path (and, in some cases, additional identifying
data), so the same binary at the same path produces the same AppID on every
machine. That stability is what makes published AppID lists useful: Quick
Access and other shell-pinned items use well-known, stable AppIDs that
analysts can recognise on sight. Move or rename the executable and the
AppID changes, leaving the old Jump List file orphaned in the folder.
For the on-disk byte layout of these files, see the file format breakdown.