Recent Items (shell:recent)

    • Purpose: This special shell folder stores shortcuts (.lnk files) pointing to files and folders that the user has recently opened or accessed through standard Windows interactions (e.g., opening a file in an application, saving a document). Its functionality and population depend on Windows settings related to tracking recent items.

    • Location: The folder resides at C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent. It can be quickly accessed via the Run dialog (Win+R) by typing shell:recent and pressing Enter.

    • File Format: Contains .lnk (shortcut) files. Each .lnk file contains metadata pointing to the original target file or folder (the "linked item"), including its path and potentially timestamps related to the target's creation/modification/access (stored within the shortcut itself) and the shortcut's own creation/modification time.

    • Forensic Value:

      • Provides valuable context about the user's recent activities and interactions with specific files, applications, or storage locations.

      • While finding direct evidence of cheats (like a .dll shortcut appearing here) is less common in modern scenarios and sometimes considered a somewhat "deprecated" primary detection method, the presence of shortcuts to unusual locations, temporary files, or recently downloaded archives can corroborate findings from other artifacts.

      • It helps build a narrative of user actions.

    • Related Artifacts & Clearing: The shell:recent folder's contents are closely linked to:

      • Jump Lists: These provide recently accessed items per application, accessible by right-clicking icons on the taskbar or in the Start menu. Jump List data is stored separately in .automaticDestinations-ms and .customDestinations-ms files located within %AppData%\Microsoft\Windows\Recent\AutomaticDestinations\ and CustomDestinations\. Clearing shell:recent does not necessarily clear Jump List data.

      • RecentDocs Registry Keys: Located under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs. Clearing these registry keys often (but not always) results in the clearing of the shell:recent folder content. Evidence of clearing these keys (e.g., via reg.exe usage logs) can be suspicious.
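
The File Format point above notes that each .lnk file carries timestamps for its target inside the shortcut itself. The following is an added example, not code from the original page: a minimal Python parser for the fixed 76-byte ShellLinkHeader defined in Microsoft's MS-SHLLINK specification, which exposes those cached target timestamps and the target size. The function names are hypothetical and the sample header is constructed in code rather than taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# CLSID 00021401-0000-0000-C000-000000000046 as stored on disk (MS-SHLLINK).
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means unset."""
    return _EPOCH + timedelta(microseconds=ft // 10) if ft else None

def dt_to_filetime(dt):
    """Inverse of filetime_to_dt, used only to build the constructed sample."""
    delta = dt - _EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_lnk_header(data):
    """Return the target metadata cached in a .lnk ShellLinkHeader."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated: shorter than the 76-byte header")
    size, clsid, flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from(
        "<I16sIIQQQI", data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link (bad header size or CLSID)")
    return {
        "has_link_info": bool(flags & 0x02),   # HasLinkInfo: target path block follows
        "target_is_dir": bool(attrs & 0x10),   # FILE_ATTRIBUTE_DIRECTORY
        "target_created": filetime_to_dt(ctime),
        "target_accessed": filetime_to_dt(atime),
        "target_modified": filetime_to_dt(wtime),
        "target_size": fsize,                  # low 32 bits of the target's size
    }

def build_sample_header():
    """Constructed sample: header describing a 4096-byte file target."""
    created = dt_to_filetime(datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc))
    modified = dt_to_filetime(datetime(2024, 1, 15, 10, 45, tzinfo=timezone.utc))
    # Flags 0x03 = HasLinkTargetIDList | HasLinkInfo, attributes 0x20 = ARCHIVE,
    # access time left at 0 (unset), ShowCommand 1 = SW_SHOWNORMAL.
    return struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID,
                       0x03, 0x20, created, 0, modified, 4096, 0, 1, 0, 0, 0, 0)

if __name__ == "__main__":
    for key, value in parse_lnk_header(build_sample_header()).items():
        print(f"{key}: {value}")
```

Comparing these embedded target timestamps with the shortcut file's own creation and modification times on disk gives two independent time sources for the same access event.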
