Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionanalyzing-lnk-file-and-jump-list-artifactsExecute the skills CLI command in your project's root directory to begin installation:
Fetches analyzing-lnk-file-and-jump-list-artifacts from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate analyzing-lnk-file-and-jump-list-artifacts. Access via /analyzing-lnk-file-and-jump-list-artifacts in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | analyzing-lnk-file-and-jump-list-artifacts |
| description | Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format. |
| domain | cybersecurity |
| subdomain | digital-forensics |
| tags | - lnk-files - jump-lists - lecmd - jlecmd - windows-forensics - shell-link - user-activity - file-access - program-execution - recent-files |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - RS.AN-01 - RS.AN-03 - DE.AE-02 - RS.MA-01 |
Windows LNK (shortcut) files and Jump Lists are critical forensic artifacts that provide evidence of file access, program execution, and user behavior. LNK files are created automatically when a user opens a file through Windows Explorer or the Open/Save dialog, storing metadata about the target file including its original path, timestamps, volume serial number, NetBIOS name, and MAC address of the host system. Jump Lists, introduced in Windows 7, extend this by maintaining per-application lists of recently and frequently accessed files. These artifacts persist even after the target files are deleted, making them invaluable for establishing that a user accessed specific files at specific times.
| Location | Description |
|---|---|
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\ | Recent files accessed |
%USERPROFILE%\Desktop\ | User-created shortcuts |
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\ | Start Menu shortcuts |
%USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent\ | Office recent documents |
| Offset | Size | Field |
|---|---|---|
| 0x00 | 4 | HeaderSize (always 0x0000004C) |
| 0x04 | 16 | LinkCLSID (always 00021401-0000-0000-C000-000000000046) |
| 0x14 | 4 | LinkFlags |
| 0x18 | 4 | FileAttributes |
| 0x1C | 8 | CreationTime (FILETIME) |
| 0x24 | 8 | AccessTime (FILETIME) |
| 0x2C | 8 | WriteTime (FILETIME) |
| 0x34 | 4 | FileSize of target |
| 0x38 | 4 | IconIndex |
| 0x3C | 4 | ShowCommand |
| 0x40 | 2 | HotKey |
# Parse all LNK files in Recent folder
LECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent" --csv C:\Output --csvf lnk_analysis.csv
# Parse a single LNK file with full details
LECmd.exe -f "C:\Evidence\Users\suspect\Desktop\Confidential.docx.lnk" --json C:\Output
# Parse LNK files with additional detail levels
LECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent" --csv C:\Output --csvf lnk_all.csv --all
# Parse Automatic Jump Lists
JLECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv C:\Output --csvf jumplists_auto.csv
# Parse Custom Jump Lists
JLECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations" --csv C:\Output --csvf jumplists_custom.csv
# Parse all jump lists with detailed output
JLECmd.exe -d "C:\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv C:\Output --csvf jumplists_auto.csv --ld
These are OLE Compound files (Structured Storage) identified by AppID hash in the filename:
| AppID Hash | Application |
|---|---|
| 5f7b5f1e01b83767 | Windows Explorer Pinned/Frequent |
| 1b4dd67f29cb1962 | Windows Explorer Recent |
| 9b9cdc69c1c24e2b | Notepad |
| a7bd71699cd38d1c | Notepad++ |
| 12dc1ea8e34b5a6 | Microsoft Paint |
| 7e4dca80246863e3 | Control Panel |
| 1cf97c38a5881255 | Microsoft Edge |
| f01b4d95cf55d32a | Windows Explorer |
| 9d1f905ce5044aee | Microsoft Excel |
| a4a5324453625195 | Microsoft Word |
| d00655d2aa12ff6d | Microsoft PowerPoint |
| bc03160ee1a59fc1 | Outlook |
Created when users pin items to application jump lists. These files contain sequential LNK entries.
import struct
import os
from datetime import datetime, timedelta
FILETIME_EPOCH = datetime(1601, 1, 1)
def filetime_to_datetime(filetime_bytes: bytes) -> datetime:
"""Convert Windows FILETIME (100-ns intervals since 1601) to datetime."""
ft = struct.unpack("<Q", filetime_bytes)[0]
if ft == 0:
return None
return FILETIME_EPOCH + timedelta(microseconds=ft // 10)
def parse_lnk_header(lnk_path: str) -> dict:
"""Parse the Shell Link header from an LNK file."""
with open(lnk_path, "rb") as f:
header = f.read(76)
header_size = struct.unpack("<I", header[0:4])[0]
if header_size != 0x4C:
return {"error": "Invalid LNK header"}
link_flags = struct.unpack("<I", header[0x14:0x18])[0]
file_attrs = struct.unpack("<I", header[0x18:0x1C])[0]
result = {
"header_size": header_size,
"link_flags": hex(link_flags),
"file_attributes": hex(file_attrs),
"creation_time": filetime_to_datetime(header[0x1C:0x24]),
"access_time": filetime_to_datetime(header[0x24:0x2C]),
"write_time": filetime_to_datetime(header[0x2C:0x34]),
"file_size": struct.unpack("<I", header[0x34:0x38])[0],
"has_target_id_list": bool(link_flags & 0x01),
"has_link_info": bool(link_flags & 0x02),
"has_name": bool(link_flags & 0x04),
"has_relative_path": bool(link_flags & 0x08),
"has_working_dir": bool(link_flags & 0x10),
"has_arguments": bool(link_flags & 0x20),
"has_icon_location": bool(link_flags & 0x40),
}
return result
Recent research (IEEE 2025) shows that Windows 11 produces different LNK and Jump List artifacts:
$ LECmd.exe -d "C:\Evidence\Users\jsmith\AppData\Roaming\Microsoft\Windows\Recent" --csv /analysis/lnk_output
LECmd v1.11.0 - LNK File Parser
================================
Processing 47 LNK files...
--- LNK File: Q4_Report.xlsx.lnk ---
Source: C:\Evidence\Users\jsmith\Recent\Q4_Report.xlsx.lnk
Target Path: C:\Users\jsmith\Downloads\Q4_Report.xlsm
Target Created: 2024-01-15 14:33:45 UTC
Target Modified: 2024-01-15 14:33:45 UTC
Target Accessed: 2024-01-15 14:35:12 UTC
File Size: 251,904 bytes
Drive Type: Fixed (C:)
Volume Serial: A4E7-3F21
Machine ID: DESKTOP-J5M1TH
MAC Address: 48:2A:E3:5C:9B:01
--- LNK File: update_client.exe.lnk ---
Source: C:\Evidence\Users\jsmith\Recent\update_client.exe.lnk
Target Path: C:\ProgramData\Updates\update_client.exe
Target Created: 2024-01-15 14:34:02 UTC
Target Modified: 2024-01-15 14:34:02 UTC
Target Accessed: 2024-01-15 14:36:30 UTC
File Size: 1,258,496 bytes
Drive Type: Fixed (C:)
Volume Serial: A4E7-3F21
Machine ID: DESKTOP-J5M1TH
Working Dir: C:\ProgramData\Updates
Arguments: --silent --no-update-check
Run Window: Hidden
======================================================================
$ JLECmd.exe -d "C:\Evidence\Users\jsmith\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv /analysis/jumplist_output
JLECmd v1.5.0 - Jump List Parser
==================================
Processing 23 AutomaticDestinations files...
--- Application: Microsoft Excel (AppID: 12dc1ea8e34b5a6) ---
Entries: 15
Most Recent:
Entry 0: C:\Users\jsmith\Downloads\Q4_Report.xlsm (2024-01-15 14:35:12 UTC)
Entry 1: \\FILESERV01\Finance\Budget_2024.xlsx (2024-01-14 09:22:30 UTC)
Entry 2: C:\Users\jsmith\Documents\Expenses\Dec2023.xlsx (2024-01-10 16:45:00 UTC)
--- Application: Windows Explorer (AppID: f01b4d95cf55d32a) ---
Entries: 28
Most Recent:
Entry 0: C:\ProgramData\Updates\ (2024-01-15 14:36:25 UTC)
Entry 1: E:\Backup\ (2024-01-15 15:30:00 UTC)
Entry 2: \\FILESERV01\HR\Employees\ (2024-01-15 16:12:45 UTC)
--- Application: cmd.exe (AppID: 9b9cdc69c1c24e2b) ---
Entries: 5
Most Recent:
Entry 0: C:\Windows\System32\cmd.exe (2024-01-15 14:36:00 UTC)
Summary:
Total LNK files processed: 47
Total Jump List entries: 156
Suspicious artifacts: 3 (hidden window execution, USB drive access, network shares)
CSV exported to: /analysis/lnk_output/ and /analysis/jumplist_output/
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
analyzing-lnk-file-and-jump-list-artifacts fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Registry listing for analyzing-lnk-file-and-jump-list-artifacts matched our evaluation — installs cleanly and behaves as described in the markdown.
analyzing-lnk-file-and-jump-list-artifacts is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Solid pick for teams standardizing on skills: analyzing-lnk-file-and-jump-list-artifacts is focused, and the summary matches what you get after install.
analyzing-lnk-file-and-jump-list-artifacts is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
analyzing-lnk-file-and-jump-list-artifacts fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Useful defaults in analyzing-lnk-file-and-jump-list-artifacts — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
Solid pick for teams standardizing on skills: analyzing-lnk-file-and-jump-list-artifacts is focused, and the summary matches what you get after install.
We added analyzing-lnk-file-and-jump-list-artifacts from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
analyzing-lnk-file-and-jump-list-artifacts has been reliable in day-to-day use. Documentation quality is above average for community skills.
showing 1-10 of 53