Unified binary stream mapping for modern Version 4 entries in Windows 11.
Automatic Jump Lists (.automaticDestinations-ms) are OLE Compound File Binary (CFB) containers used by Windows to track user productivity. They act like a mini-filesystem inside a single file.
Why Microsoft Created Them: To power the "Recent" and "Frequent" Taskbar categories. Instead of scanning the drive, Windows caches these links to provide immediate access to the user's workflow.
Forensic Value: They provide proof of file interaction, usage frequency, and exact target paths, even for deleted or wiped files. They are a master record of user activity.
| Offset | Field Name | Meaning |
|---|---|---|
| 0x00 - 0x03 | Version Number | Determines layout: 1 (Win 7/8), 3 (Win 10), 4 (Win 11). |
| 0x04 - 0x07 | Total Current Entries | Number of items currently tracked in the jump list. |
| 0x08 - 0x0B | Total Pinned Entries | Number of explicitly pinned items (never age out). |
| 0x10 - 0x17 | Last Issued ID | Total lifetime entries ever assigned (monotonically increasing). |
| 0x18 - 0x1F | Number of Actions | Total lifetime interactions across all items. |
Unlike Custom Destinations, which are purely sequential LNKs, Automatic Destinations contain a central DestList index stream that holds forensic detail not found in the individual embedded LNKs.
| Key Field | Forensic Value |
|---|---|
| Object UUIDs | Birth/New UUIDs trace file moves across volumes and encode the creator's MAC address. |
| NetBIOS Name | Records the %COMPUTERNAME% where the entry was created. Vital for attribution. |
| Last Access Time | Definitive event timestamp for jump list interaction, independent of LNK file times. |
| Access Counter | Frequency metric separating habitual working documents from single-use execution artifacts. |
The Application Identity (AppID) is not explicitly stored inside the Automatic Destinations format. The filename itself is the hex representation of the AppID (e.g., 1b4dd67f29cb1962.automaticDestinations-ms).
| AppID Hash | Target Application |
|---|---|
| 1b4dd67f29cb1962 | Windows Explorer |
| f01b4d95cf55d32a | Command Prompt (cmd.exe) |
| 5d696d521ea23821 | Google Chrome |
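
The DestList header table and the filename-to-AppID rule above, combined in an added Python example (not Crow-Eye's code). It assumes the DestList stream bytes have already been extracted from the CFB container and that the fields are little-endian; the function names and the sample header are constructed for illustration.

```python
import re
import struct
from pathlib import PureWindowsPath

# Header layout from the offset table above; little-endian is assumed.
# Bytes 0x0C-0x0F are not described on the page, so they are skipped (4x).
HEADER = struct.Struct("<III4xQQ")
LAYOUTS = {1: "Win 7/8", 3: "Win 10", 4: "Win 11"}
KNOWN_APPIDS = {  # the three AppIDs listed on the page
    "1b4dd67f29cb1962": "Windows Explorer",
    "f01b4d95cf55d32a": "Command Prompt (cmd.exe)",
    "5d696d521ea23821": "Google Chrome",
}
NAME_RE = re.compile(r"^([0-9a-f]+)\.automaticDestinations-ms$", re.I)

def appid_from_filename(path):
    """Return (appid, application) taken from the jump list file name."""
    m = NAME_RE.match(PureWindowsPath(path).name)
    if not m:
        raise ValueError("not an automaticDestinations-ms file name")
    appid = m.group(1).lower()
    return appid, KNOWN_APPIDS.get(appid, "unknown")

def parse_destlist_header(stream):
    """Decode the 32-byte DestList header and flag inconsistent counters."""
    if len(stream) < HEADER.size:
        raise ValueError("DestList stream shorter than 32-byte header")
    version, current, pinned, last_id, actions = HEADER.unpack_from(stream)
    warnings = []
    if version not in LAYOUTS:
        warnings.append(f"unrecognised version {version}")
    if pinned > current:
        warnings.append("pinned entries exceed current entries")
    if current > last_id:
        warnings.append("current entries exceed last issued ID")
    return {
        "version": version, "layout": LAYOUTS.get(version, "unknown"),
        "current_entries": current, "pinned_entries": pinned,
        "last_issued_id": last_id, "actions": actions,
        # By the page's definitions: IDs issued that no longer have an entry
        "entries_no_longer_present": max(last_id - current, 0),
        "warnings": warnings,
    }

if __name__ == "__main__":
    sample = struct.pack("<III4xQQ", 4, 12, 2, 57, 143)  # constructed header
    print(appid_from_filename("1b4dd67f29cb1962.automaticDestinations-ms"))
    print(parse_destlist_header(sample))
```

A large gap between the last issued ID and the current entry count means items have aged out or been removed from the list, which is worth noting before reading the individual entries.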
Crow-Eye parses every AutomaticDestinations file — the DestList stream and its embedded LNKs — into a clean per-application file-access timeline, with no manual OLE compound-file carving.