# TypedPaths ## Overview **Evidence:** TypedPaths\ **Description:** Enumerate TypedPaths\ **Category:** System\ **Platform:** windows\ **Short Name:** typedpaths\ **Is Parsed:** Yes\ **Sent to Investigation Hub:** Yes\ **Collect File(s):** No ## Background Windows Explorer maintains a history of paths that users manually type into the Explorer address bar. This registry artifact tracks folder navigation through typing rather than clicking, providing evidence of deliberate user navigation to specific locations. This can reveal user knowledge of specific file locations, hidden folders, network shares, and administrative directories. ## Data Collected This collector gathers structured data about typedpaths. ### TypedPaths Data | Field | Description | Example | | --------------- | ---------------------------- | ------------------------------------------------------------- | | `Value` | Registry value name | url1 | | `Path` | Typed path | C:\Users\user\AppData\Local\Temp\suspicious | | `Username` | User account name | user | | `KeyPath` | Registry key path | Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths | | `LastWriteTime` | Registry key last write time | 2023-10-15T14:30:00 | | `RegPath` | Path to registry hive | Registry/ntuser.dat | ## Collection Method This collector: * Collects user registry hives (ntuser.dat) * Searches for: `Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths` * Enumerates all values under the key * Extracts the typed path strings * Records registry key last write time ## Forensic Value Typed paths reveal deliberate user navigation and knowledge of specific locations. Investigators use this data to prove user knowledge of hidden folders, identify access to suspicious directories, track network share navigation, detect attempts to access admin folders, establish intent through manual navigation, and identify typed paths to malware locations.