TypedURLs

Overview

Evidence: TypedURLs Description: Enumerate TypedURLs Category: System Platform: windows Short Name: typedurls Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

Internet Explorer maintains a list of URLs that users manually type into the address bar (as opposed to clicking links). This registry artifact provides evidence of deliberate navigation to specific websites and can indicate user intent or knowledge.

TypedURLs are stored in the user's registry hive along with optional timestamp information in the TypedURLsTime key (Windows 7+).

Data Collected

This collector gathers structured data about typedurls.

TypedURLs Data

Field

Description

Example

URL

Typed URL

https://www.example.com

AccessTime

When URL was typed (if available)

2023-10-15T14:30:00

Username

User account name

user

KeyPath

Registry key path

Software\Microsoft\Internet Explorer\TypedURLs

LastWriteTime

Registry key last write time

2023-10-15T14:30:00

RegPath

Path to registry hive

Registry/ntuser.dat

Collection Method

This collector:

Collects user registry hives (ntuser.dat)
Searches for: Software\Microsoft\Internet Explorer\TypedURLs
Reads URL values (url1, url2, etc.)
Reads corresponding timestamps from TypedURLsTime key (if available)
Converts FILETIME values to readable timestamps

Forensic Value

Typed URLs reveal deliberate user navigation and can indicate intent or knowledge. Investigators use this data to identify manually entered malicious URLs, detect phishing site visits, prove user knowledge of specific websites, track direct navigation to C2 infrastructure, establish user intent through URL typing, and correlate with browser history and downloads.

PreviousTypedPaths NextUDP Table

Last updated 3 days ago

Was this helpful?