Lib.rs

โ€บ Parser implementations | Filesystem
#jump-list #windows #forensics #dfir #artifact

bin+lib jumplist_parser

A Rust library to parse Windows Jumplist files (automaticDestinations-ms and customDestinations-ms)

Owned by AbdulRhman Alfaifi.

1 unstable release

0.1.0 Jul 12, 2025

#1829 in Parser implementations

MIT/Apache

93KB
1.5K SLoC

Contains (Cab file, 56KB) 5f7b5f1e01b83767.automaticDestinations-ms, (Cab file, 51KB) 5f7b5f1e01b83767.automaticDestinations-ms, (Cab file, 40KB) 5f7b5f1e01b83767.automaticDestinations-ms, (Cab file, 37KB) f01b4d95cf55d32a.automaticDestinations-ms, (Cab file, 40KB) f01b4d95cf55d32a.automaticDestinations-ms, (Cab file, 13KB) 4cb9c5750d51c07f.automaticDestinations-ms and 23 more.

Jumplist Parser

Crates.io Docs.rs License: MIT OR Apache-2.0

This repository is a Rust library and CLI tool for parsing Windows Jumplist artifacts

๐Ÿ” What Are Jumplists?

Windows Jumplists are Windows artifacts that provides quick access to recently or frequently used files per application. They are stored under:

%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\*
%APPDATA%\Microsoft\Windows\Recent\CustomDestinations\*

These files contain structured metadata such as:

  • File paths and names
  • Timestamps (last accessed, modified)
  • Hostname where files were opened
  • LNK metadata (command-line arguments, working directory, etc)
  • Pinned items
  • And many more!

Jumplists are extremely useful in incident response, timeline analysis, and user activity reconstruction. If you want to know more about this artifact, I wrote a blog post about its structure here: u0041.co

๐Ÿ“ฆ Installation

Install the commandline tool using cargo:

cargo install jumplist_parser

Once installed, you can run the binary to see available arguments:

jumplist_parser --help

Created By: AbdulRhman Alfaifi <@A__ALFAIFI>
Version: v0.1.0
Reference: https://u0041.co/posts/articals/jumplist-files-artifacts/

Windows Jumplist Files Parser

Usage: jumplist_parser [OPTIONS]

Options:
  -p, --path <PATH>                    Path(s) to Jumplist files to be parsed - accepts glob (defaults to 'AutomaticDestinations' & 'CustomDestinations' for all users)
  -o, --output <FILE>                  The file path to write the output to [default: stdout]
      --output-format <output-format>  Output format [default: csv] [possible values: csv, jsonl, json]
      --no-headers                     Don't print headers when using CSV as the output format
      --normalize                      Normalize the result to the most important fields
  -h, --help                           Print help
  -V, --version                        Print version

Or you can download the latest version from the release section

๐Ÿงช Using the Library

1๏ธโƒฃ Add to Cargo.toml

[dependencies]
jumplist_parser = "0.1.0"

2๏ธโƒฃ Parse a Jumplist File

use jumplist_parser::JumplistParser;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let parser = JumplistParser::from_path("samples/win11/AutomaticDestinations/4cb9c5750d51c07f.automaticDestinations-ms")?;

    println!("App ID: {:?}", parser.app_id);
    println!("{:#?}", parser);

    Ok(())
}

๐Ÿ“ License

Licensed under either of:

  • MIT
  • Apache License, Version 2.0

๐Ÿ“š References

Dependencies

~10MB
~234K SLoC