WordWheelQuery

Overview

Evidence: WordWheelQuery
Description: Enumerate WordWheelQuery
Category: Registry
Platform: Windows
Short Name: wordwheel
Is Parsed: Yes - Registry data parsed into structured format
Sent to Investigation Hub: Yes
Collect File(s): No

Background

WordWheelQuery records search terms that users type into the Windows Explorer search box. This registry artifact maintains a history of search queries, providing evidence of what files, folders, or content users were looking for on the system.

Search terms can reveal user intent, knowledge of specific files, or attempts to locate sensitive data.

Data Collected

Field          Description                    Example
KeyPath        Registry key path              Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
LastWriteTime  Registry key last write time   2023-10-15T14:30:00
Value          MRU value name                 0
Username       User account name              user
Term           Search term                    confidential passwords
MRUPosition    Position in MRU list           0
RegPath        Path to registry hive          Registry/ntuser.dat

Collection Method

This collector:

  • Collects user registry hives (ntuser.dat)

  • Searches for: Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

  • Parses MRUListEx binary structure

  • Extracts search term strings

  • Orders by MRU position (most recent first)
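
The parsing steps above, as an added Python example that is not the collector's own code: it takes the WordWheelQuery key's values as a name-to-bytes dictionary (the hive-reading step, e.g. with a library such as python-registry, is assumed rather than shown), walks the MRUListEx index list, decodes each UTF-16LE term and emits records with the fields listed under Data Collected. The sample values, username and hive path are constructed; an index that points at a value no longer present (a partially cleared key) is skipped rather than treated as an error.

```python
import struct
from typing import Dict, List

KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery"

# Constructed sample of the key's values, in the form a hive parser would hand back
# (value name -> raw data). Term values are UTF-16LE strings with a null terminator;
# MRUListEx is a list of little-endian uint32 indices, most recent first,
# ended by 0xFFFFFFFF.
SAMPLE_VALUES: Dict[str, bytes] = {
    "0": "confidential passwords\x00".encode("utf-16-le"),
    "1": "delete history\x00".encode("utf-16-le"),
    "2": "budget 2023\x00".encode("utf-16-le"),
    "MRUListEx": struct.pack("<4I", 1, 2, 0, 0xFFFFFFFF),
}


def parse_mrulistex(data: bytes) -> List[int]:
    """Return the value indices in MRU order (most recent first)."""
    if len(data) % 4 != 0:
        raise ValueError("MRUListEx length is not a multiple of 4")
    order = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == 0xFFFFFFFF:  # list terminator
            break
        order.append(idx)
    return order


def decode_term(data: bytes) -> str:
    """Decode a UTF-16LE term value, dropping the null terminator and any slack."""
    return data.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def parse_wordwheelquery(values: Dict[str, bytes], username: str,
                         reg_path: str, last_write: str) -> List[dict]:
    """Build one record per search term, ordered by position in MRUListEx."""
    mru = values.get("MRUListEx")
    if mru is None:
        return []  # key exists but has never been populated
    records = []
    for position, idx in enumerate(parse_mrulistex(mru)):
        name = str(idx)
        if name not in values:
            continue  # index points at a value that is no longer present
        records.append({
            "KeyPath": KEY_PATH, "LastWriteTime": last_write, "Value": name,
            "Username": username, "Term": decode_term(values[name]),
            "MRUPosition": position, "RegPath": reg_path,
        })
    return records
```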

Usage

Search terms reveal what users were looking for and can indicate intent or knowledge. Investigators use this data to identify searches for sensitive files, detect user attempts to locate evidence, prove knowledge of hidden files or folders, track user interest in specific topics, identify anti-forensic awareness (searches for "delete history"), and correlate search terms with file access.

Known Limitations

  • Only tracks Windows Explorer searches

  • Limited number of entries retained

  • Can be cleared by user or privacy tools

  • Doesn't capture search results or actions taken

  • Not populated if user doesn't use Explorer search

Notes

Search terms can be highly revealing of user intent. Searches for terms like "password", "confidential", "delete", or specific malware names can provide valuable investigative leads.
