The definitive forensic guide to the MS-SHLLINK Shell Link format used across Windows.
Windows maintains three distinct artifact types that record file and application access history. All three share a common underlying structure, the Shell Link (LNK) binary format, but they wrap it in different containers and enrich it with different metadata layers:

\Recent\.

This page focuses on the core LNK binary payload found inside all three containers.
| Signature | Block Name | Significance |
|---|---|---|
| 0xA0000003 | TrackerDataBlock | Contains Machine NetBIOS, MAC Address, & Droid GUIDs. |
| 0xA0000009 | PropertyStoreBlock | Serialized metadata (Author, Last_Author, Title, EXIF). |
| 0xA0000001 | EnvironmentVarBlock | Target paths using variables like %APPDATA%. |
| 0xA0000006 | DarwinDataBlock | Windows Installer (MSI) application component ID. |
| 0xA000000B | KnownFolderBlock | System folder GUID (e.g. Startup, Downloads). |
| 0xA0000002 | ConsoleDataBlock | Command prompt styling; a 1x1 window size indicates a deliberately hidden console. |
| 0xA0000008 | ShimDataBlock | Applied compatibility shims (.sdb); a possible persistence mechanism. |

| Mask | Flag | Forensic Result |
|---|---|---|
| 0x0001 | HasTargetIDList | Enables the IDList section containing Shell breadcrumbs & MFT references. |
| 0x0002 | HasLinkInfo | Enables LinkInfo section containing Volume Serial Numbers & Local Paths. |
| 0x0020 | HasArguments | Enables StringData containing command-line arguments (critical for malware). |
| 0x0080 | IsUnicode | Indicates StringData blocks are UTF-16LE encoded. |
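As an added example (not code from this guide or from Crow-Eye), the following Python walks a Shell Link the way the two tables above describe: it validates the header, uses LinkFlags to locate the StringData arguments, then follows the ExtraData chain by signature and pulls the machine ID and NIC MAC out of the TrackerDataBlock. The sample LNK bytes, the machine name `WKSTN-01` and the GUID values are constructed for the demonstration.

```python
import struct, uuid
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_TARGET_IDLIST, HAS_LINK_INFO, IS_UNICODE, TRACKER_SIG = 0x0001, 0x0002, 0x0080, 0xA0000003
# StringData sections appear in this order, each present only if its LinkFlags bit is set.
STRING_FLAGS = [(0x0004, "name"), (0x0008, "relative_path"), (0x0010, "working_dir"),
                (0x0020, "arguments"), (0x0040, "icon_location")]

def parse_lnk(data: bytes) -> dict:
    hdr_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if hdr_size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    out, pos = {"flags": flags, "strings": {}, "extra": {}}, 0x4C
    if flags & HAS_TARGET_IDLIST:          # IDListSize (2 bytes) excludes itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:              # LinkInfoSize (4 bytes) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, name in STRING_FLAGS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]      # CountCharacters, not bytes
            width, pos = (2 if flags & IS_UNICODE else 1), pos + 2
            raw = data[pos:pos + count * width]
            out["strings"][name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    while pos + 8 <= len(data):            # ExtraData chain; a TerminalBlock has size < 4
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        body = data[pos + 8:pos + size]
        out["extra"][f"0x{sig:08X}"] = parse_tracker(body) if sig == TRACKER_SIG else len(body)
        pos += size
    return out

def parse_tracker(body: bytes) -> dict:
    """TrackerDataBlock body: Length(4) Version(4) MachineID(16) Droid(32) DroidBirth(32)."""
    machine = body[8:24].split(b"\x00", 1)[0].decode("ascii", "replace")
    file_droid = uuid.UUID(bytes_le=body[40:56])   # second Droid GUID identifies the file
    # A version-1 (time-based) GUID carries the NIC MAC address in its 48-bit node field.
    mac = ":".join(f"{b:02x}" for b in file_droid.bytes[10:16]) if file_droid.version == 1 else None
    return {"machine_id": machine, "mac": mac, "file_droid": str(file_droid)}

def build_sample() -> bytes:
    """Constructed LNK (not captured from a real system): header + arguments + tracker block."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID.bytes_le, 0x0020 | IS_UNICODE) + bytes(0x4C - 24)
    args = "/open C:\\Users\\Public\\report.docx".encode("utf-16-le")
    string_data = struct.pack("<H", len(args) // 2) + args
    droid = uuid.UUID("a7a0b2c0-1f2e-11ee-8a3b-001122334455")   # constructed v1 GUID
    tracker_body = struct.pack("<II", 0x58, 0) + b"WKSTN-01".ljust(16, b"\x00") \
        + uuid.UUID(int=0).bytes_le + droid.bytes_le + bytes(32)
    tracker = struct.pack("<II", 8 + len(tracker_body), TRACKER_SIG) + tracker_body
    return header + string_data + tracker + struct.pack("<I", 0)
```

Feeding a real .lnk through `parse_lnk` gives the same dictionary shape; the `extra` entries for blocks other than the tracker are reported by signature and body length so that unexpected blocks stand out.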
You've just dissected a Shell Link byte by byte. Crow-Eye does this across the whole evidence set automatically — recovering target paths, the three MAC timestamps, the tracker block's machine ID & NIC MAC address, and the full Shell IDList — and lays them on a timeline.