u/LowAvailable3056

Context/Goal
I am currently finalizing a paper on Windows Shell artifact generation and wanted to share some experimental findings regarding the interaction between applications and `shell32.dll`. My goal is to understand why command-line interfaces (CLIs) like `CMD` and `PowerShell` do not generate Jump Lists.

Problem/Observation
Standard file operations performed via `CMD` or `PowerShell` do not result in updates to `AutomaticDestinations` or the `Recent folder`, making them forensically "invisible" to these artifacts.

Experimental Steps

  1. Using `ProcMon`, I confirmed that standard file operations (e.g., `mkdir`, `echo`, `New-Item`) executed through `CMD` or `PowerShell` generate zero updates to `AutomaticDestinations` or the `Recent folder`.
  2. I wiped all `*.automaticDestinations-ms` files. Creating files via the CLI did not trigger a re-initialization of these files.
  3. I manually invoked the Win32 API `SHAddToRecentDocs` within a PowerShell session using the following C# P/Invoke signature:

     ```csharp
     // Imports the Shell export from shell32.dll; Unicode marshalling so the path is passed as a wide string.
     [DllImport("shell32.dll", CharSet = CharSet.Unicode)]
     public static extern void SHAddToRecentDocs(uint flags, string path);
     ```

Results/Observations
When `SHAddToRecentDocs` was manually invoked, `ProcMon` captured `powershell.exe` interacting with `explorer.exe`. `explorer.exe` then acted as the "clerk" to write the `LNK` and Jump List files.

Conclusion
CLI tools are forensically "invisible" to Jump List and Recent folder artifacts because they lack a static dependency on `shell32.dll` and do not perform the necessary notification required by the Shell. This confirms that the absence of a Jump List entry does not necessarily mean no activity occurred.

Questions for the Community

  1. Has anyone observed modern CLI tools (such as `Windows Terminal` or specific 3rd party shells) that do explicitly call the `SHAddToRecentDocs` API?

I am looking forward to any insights or critiques before I submit the final paper.


Windows Build/Version

Windows 11 Home 25H2 26200.8246

I apologize if this isn't the right community. I would appreciate it if you would point me to the correct subreddit if that is the case.

u/LowAvailable3056 — 11 days ago
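An added example (not from the original post) that reproduces the experiment end to end: a file is created the CLI way, the Recent folder is checked for a matching LNK, the Shell is then notified with `SHAddToRecentDocs`, and the check is repeated so the before/after difference is visible. It assumes the `SHARD_PATHW` flag value (3), that the Recent folder path comes from `[Environment]::GetFolderPath('Recent')`, and that the Shell names the shortcut after the target's base name; the sample file name and content are constructed.

```powershell
# Added example, not code from the original post.
# Shows that a CLI-created file only gets a Recent-folder LNK / Jump List entry
# once the Shell is explicitly notified via SHAddToRecentDocs.
Add-Type -Namespace Shell -Name Recent -MemberDefinition @'
[DllImport("shell32.dll", CharSet = CharSet.Unicode)]
public static extern void SHAddToRecentDocs(uint uFlags, string pv);
'@

$SHARD_PATHW = 3   # assumption: pv is a Unicode file path (SHARD_PATHW)
$recent = [Environment]::GetFolderPath('Recent')
$target = Join-Path $env:TEMP 'cli-artifact-test.txt'   # constructed sample file
$base   = [IO.Path]::GetFileNameWithoutExtension($target)

function Test-RecentLnk {
    # Returns $true if a shortcut whose name starts with the target's base name
    # exists in the Recent folder (assumption about how the Shell names the LNK).
    [bool](Get-ChildItem -Path $recent -Filter "$base*.lnk" -ErrorAction SilentlyContinue)
}

# Step 1: create the file the CLI way. No Shell notification happens here,
# so no LNK or AutomaticDestinations update is expected.
Set-Content -Path $target -Value 'constructed sample content'
"Before SHAddToRecentDocs, LNK present: $(Test-RecentLnk)"

# Step 2: perform the notification the CLI omitted. explorer.exe (the "clerk")
# writes the LNK and the Jump List entry on the caller's behalf.
[Shell.Recent]::SHAddToRecentDocs($SHARD_PATHW, $target)
Start-Sleep -Milliseconds 500   # explorer writes the artifacts asynchronously
"After SHAddToRecentDocs, LNK present: $(Test-RecentLnk)"

# Step 3: list AutomaticDestinations files written in the last minute, to
# correlate with the ProcMon capture of explorer.exe activity.
$autoDest = Join-Path $recent 'AutomaticDestinations'
Get-ChildItem -Path $autoDest -Filter '*.automaticDestinations-ms' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddMinutes(-1) } |
    Select-Object Name, LastWriteTime
```

Run it with ProcMon filtering on `explorer.exe` and the `Recent` path to see the write activity appear only after the API call.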