TypedPaths

Overview

Evidence: TypedPaths
Description: Enumerate TypedPaths
Category: Registry
Platform: Windows
Short Name: typedpaths
Is Parsed: Yes - Registry data parsed into structured format
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Windows Explorer maintains a history of paths that users manually type into the Explorer address bar. This registry artifact tracks folder navigation through typing rather than clicking, providing evidence of deliberate user navigation to specific locations.

This can reveal user knowledge of specific file locations, hidden folders, network shares, and administrative directories.

Data Collected

Field         | Description                 | Example
------------- | --------------------------- | ------------------------------------------------------------
Value         | Registry value name         | url1
Path          | Typed path                  | C:\Users\user\AppData\Local\Temp\suspicious
Username      | User account name           | user
KeyPath       | Registry key path           | Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
LastWriteTime | Registry key last write time | 2023-10-15T14:30:00
RegPath       | Path to registry hive       | Registry/ntuser.dat

Collection Method

This collector:

  • Collects user registry hives (ntuser.dat)

  • Searches for: Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

  • Enumerates all values under the key

  • Extracts the typed path strings

  • Records registry key last write time

Usage

Typed paths reveal deliberate user navigation and knowledge of specific locations. Investigators use this data to prove user knowledge of hidden folders, identify access to suspicious directories, track network share navigation, detect attempts to access admin folders, establish intent through manual navigation, and identify typed paths to malware locations.

Known Limitations

  • Only records paths typed manually (not clicked)

  • Limited to most recent entries (typically ~25)

  • Can be cleared by the user or by cleaning tools such as CCleaner

  • Empty on systems where users don't use typed paths

  • Doesn't capture paths accessed through other means

Notes

The presence of typed paths to unusual locations (AppData, temp folders, administrative shares) can indicate sophisticated user knowledge or attacker activity. Cross-reference with other user activity artifacts.
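The following is an added example, not the collector's own code, showing the collection steps listed above (enumerate the values under the TypedPaths key, extract the path strings, record the key's last write time) and the triage suggested in this note (flag paths under AppData, temp folders and administrative shares). Live collection uses Python's standard-library winreg module and therefore only works on Windows; the sample values and the FILETIME below are constructed so the parsing and triage functions run offline. The record layout follows the Data Collected table; the "suspicious location" patterns are this example's own heuristics, not the collector's, and the ordering of url1, url2, ... by numeric suffix is an assumption.

```python
"""Structure Explorer TypedPaths values into records and flag unusual locations.

Added example (not the collector's code). winreg is Windows-only; the
constructed sample below lets build_records/classify_path run anywhere.
"""
from __future__ import annotations

import getpass
import re
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone

TYPEDPATHS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths"

# Registry key last-write times are FILETIMEs: 100-ns intervals since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(filetime: int) -> str:
    """Convert a FILETIME integer to the ISO-style timestamp used in the table."""
    return (_FILETIME_EPOCH + timedelta(microseconds=filetime // 10)).strftime("%Y-%m-%dT%H:%M:%S")


@dataclass
class TypedPathRecord:
    Value: str          # registry value name, e.g. url1
    Path: str           # the typed path string
    Username: str
    KeyPath: str
    LastWriteTime: str  # last write time of the TypedPaths key
    RegPath: str        # hive the record came from


# Heuristics for the locations called out in the Notes (this example's own patterns).
_SUSPICIOUS = [
    ("appdata", re.compile(r"\\appdata\\", re.I)),
    ("temp", re.compile(r"\\te?mp(?:\\|$)|%temp%", re.I)),
    ("admin-share", re.compile(r"^\\\\[^\\]+\\(?:[a-z]\$|admin\$|ipc\$)(?:\\|$)", re.I)),
]


def classify_path(path: str) -> list[str]:
    """Return the labels of every heuristic the path matches (empty list if none)."""
    return [label for label, rx in _SUSPICIOUS if rx.search(path)]


def _value_index(name: str) -> int:
    # Assumption: values are named url<N>; sort by N, unknown names last.
    m = re.fullmatch(r"url(\d+)", name, re.I)
    return int(m.group(1)) if m else 10**9


def build_records(values, username, last_write_filetime, reg_path="Registry/ntuser.dat"):
    """Turn (value name, path) pairs from the key into TypedPathRecord objects."""
    last_write = filetime_to_iso(last_write_filetime)
    return [
        TypedPathRecord(name, path, username, TYPEDPATHS_KEY, last_write, reg_path)
        for name, path in sorted(values, key=lambda kv: _value_index(kv[0]))
    ]


def triage(records):
    """List (value, path, labels) for records pointing at an unusual location."""
    flagged = []
    for rec in records:
        labels = classify_path(rec.Path)
        if labels:
            flagged.append((rec.Value, rec.Path, labels))
    return flagged


def collect_live(username=None):
    """Read the current user's TypedPaths key (Windows only; uses winreg)."""
    import winreg  # stdlib on Windows; import here so the rest runs elsewhere
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, TYPEDPATHS_KEY) as key:
        _subkeys, n_values, last_write = winreg.QueryInfoKey(key)
        values = [winreg.EnumValue(key, i)[:2] for i in range(n_values)]
    return build_records(values, username or getpass.getuser(), last_write, "HKCU (live)")


# Constructed sample input, in the unordered form EnumValue might return it.
SAMPLE_VALUES = [
    ("url3", r"\\fileserver\C$"),
    ("url1", r"C:\Users\user\AppData\Local\Temp\suspicious"),
    ("url2", r"D:\Projects"),
]
# Constructed FILETIME for 2023-10-15T14:30:00 UTC.
SAMPLE_LASTWRITE = 133418538000000000

if __name__ == "__main__":
    recs = build_records(SAMPLE_VALUES, "user", SAMPLE_LASTWRITE)
    for rec in recs:
        print(asdict(rec))
    print("flagged:", triage(recs))
```

On a live Windows host, `collect_live()` produces the same record shape from HKCU; for an offline ntuser.dat the same `build_records` call can be fed values from any hive parser that exposes value names, data and the key's last write FILETIME.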
