TypedPaths
Overview
Evidence: TypedPaths
Description: Enumerate TypedPaths
Category: System
Platform: windows
Short Name: typedpaths
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows Explorer maintains a history of paths that users manually type into the Explorer address bar. This registry artifact tracks folder navigation through typing rather than clicking, providing evidence of deliberate user navigation to specific locations.
This can reveal user knowledge of specific file locations, hidden folders, network shares, and administrative directories.
Data Collected
This collector gathers the following structured data for each TypedPaths entry.
TypedPaths Data
Field | Description | Example
Value | Registry value name | url1
Path | Typed path | C:\Users\user\AppData\Local\Temp\suspicious
Username | User account name | user
KeyPath | Registry key path | Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
LastWriteTime | Registry key last write time | 2023-10-15T14:30:00
RegPath | Path to registry hive | Registry/ntuser.dat
Collection Method
This collector:
Collects user registry hives (ntuser.dat)
Searches for: Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
Enumerates all values under the key
Extracts the typed path strings
Records registry key last write time
Forensic Value
Typed paths reveal deliberate user navigation and knowledge of specific locations. Investigators use this data to prove user knowledge of hidden folders, identify access to suspicious directories, track network share navigation, detect attempts to access admin folders, establish intent through manual navigation, and identify typed paths to malware locations.
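As an added example (not part of the collector or its documentation), the following Python sketch triages rows shaped like the TypedPaths Data table into the categories named above. The sample rows, the host name fileserver01, the tag names and the regex rules are constructed for illustration, and it assumes the usual ordering in which url1 is the most recently typed entry.

```python
import re
from datetime import datetime

# Constructed sample rows, keyed by the field names in the TypedPaths Data table.
SAMPLE_ROWS = [
    {"Value": "url2", "Path": r"\\fileserver01\C$\Windows\System32",
     "Username": "user", "LastWriteTime": "2023-10-15T14:30:00"},
    {"Value": "url1", "Path": r"C:\Users\user\AppData\Local\Temp\suspicious",
     "Username": "user", "LastWriteTime": "2023-10-15T14:30:00"},
    {"Value": "url3", "Path": r"D:\Projects\reports",
     "Username": "user", "LastWriteTime": "2023-10-15T14:30:00"},
]

# Hypothetical triage rules (tag, pattern); adjust to the environment under review.
RULES = [
    ("admin_share", re.compile(r"^\\\\[^\\]+\\(?:[a-z]\$|admin\$|ipc\$)(?:\\|$)", re.I)),
    ("network_share", re.compile(r"^\\\\[^\\]+\\", re.I)),
    ("temp_or_appdata", re.compile(r"\\(?:appdata|temp|tmp)(?:\\|$)", re.I)),
    ("system_dir", re.compile(r"^[a-z]:\\(?:windows|programdata)(?:\\|$)", re.I)),
]


def url_index(value_name):
    """Return N for a value named urlN, or None for any other value name."""
    match = re.fullmatch(r"url(\d+)", value_name, re.I)
    return int(match.group(1)) if match else None


def triage(rows):
    """Tag each typed path and order entries per user, url1 first."""
    results = []
    for row in rows:
        index = url_index(row["Value"])
        if index is None:
            continue  # skip values that are not urlN entries
        tags = [tag for tag, pattern in RULES if pattern.search(row["Path"])]
        # Assumption: url1 is the newest entry, so the key's last write time
        # can date only url1; older entries get no timestamp.
        when = datetime.fromisoformat(row["LastWriteTime"]) if index == 1 else None
        results.append({"Username": row["Username"], "Index": index,
                        "Path": row["Path"], "Tags": tags, "KeyLastWrite": when})
    return sorted(results, key=lambda r: (r["Username"], r["Index"]))


if __name__ == "__main__":
    for entry in triage(SAMPLE_ROWS):
        print(entry["Index"], entry["Tags"], entry["KeyLastWrite"], entry["Path"])
```

Because the collector records one last write time per key rather than per value, the sketch attaches that timestamp to url1 only and leaves older entries undated.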

