# WordWheelQuery

## Overview

**Evidence:** WordWheelQuery\
**Description:** Enumerate WordWheelQuery\
**Category:** System\
**Platform:** windows\
**Short Name:** wordwheel\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

WordWheelQuery records the search terms that users type into the Windows Explorer search box. The key lives in each user's NTUSER.DAT hive (HKCU on a live system) and stores every term as a separate numbered value (`0`, `1`, `2`, ...) holding a NUL-terminated UTF-16LE string, while the `MRUListEx` value holds the ordering of those numbered values, most recent first.

Search terms can reveal user intent, knowledge of specific files, or attempts to locate sensitive data. Because the artifact is per-user, each term is attributable to the account whose hive contained it.

## Data Collected

This collector produces one record per search term found in each user's WordWheelQuery key, using the fields below.

### WordWheelQuery Data

| Field           | Description                  | Example                                                           |
| --------------- | ---------------------------- | ----------------------------------------------------------------- |
| `KeyPath`       | Registry key path            | Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery |
| `LastWriteTime` | Registry key last write time | 2023-10-15T14:30:00                                               |
| `Value`         | MRU value name               | 0                                                                 |
| `Username`      | User account name            | user                                                              |
| `Term`          | Search term                  | confidential passwords                                            |
| `MRUPosition`   | Position in MRU list         | 0                                                                 |
| `RegPath`       | Path to registry hive        | Registry/ntuser.dat                                               |

## Collection Method

This collector:

* Collects user registry hives (ntuser.dat)
* Searches for: `Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery`
* Parses MRUListEx binary structure
* Extracts search term strings
* Orders by MRU position (most recent first)
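The parsing steps above, as an added example that is not part of the collector's own code. The sample key values are constructed inline (no hive is read), and the `Username`, `KeyPath` and `RegPath` arguments are assumptions standing in for what a real collector derives from the hive path. The example also covers two failure modes a practitioner will meet on real hives: an `MRUListEx` that lacks its `0xFFFFFFFF` terminator, and a list entry that points at a numbered value which no longer exists.

```python
import struct

KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery"
MRU_TERMINATOR = 0xFFFFFFFF

# Constructed sample data (not from a real hive): value name -> raw registry data.
# MRUListEx says value "2" is the most recent search, then "0", then "1".
SAMPLE_VALUES = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, MRU_TERMINATOR),
    "0": "confidential passwords\0".encode("utf-16-le"),
    "1": "budget.xlsx\0".encode("utf-16-le"),
    "2": "delete history\0".encode("utf-16-le"),
}


def parse_mrulistex(data: bytes) -> list[int]:
    """Decode MRUListEx: little-endian DWORDs, most recent first, ending in 0xFFFFFFFF.

    A missing terminator (truncated or corrupt data) is tolerated: parsing simply
    stops at the end of the buffer, and a trailing partial DWORD is ignored.
    """
    order = []
    for offset in range(0, len(data) - 3, 4):
        index = struct.unpack_from("<I", data, offset)[0]
        if index == MRU_TERMINATOR:
            break
        order.append(index)
    return order


def decode_term(data: bytes) -> str:
    """Decode a UTF-16LE value and cut it at the first NUL terminator."""
    text = data.decode("utf-16-le", errors="replace")
    nul = text.find("\0")
    return text if nul < 0 else text[:nul]


def parse_wordwheelquery(values: dict[str, bytes],
                         username: str = "user",            # assumed: taken from hive path
                         reg_path: str = "Registry/ntuser.dat",  # assumed: hive location
                         last_write_time: str = "2023-10-15T14:30:00") -> list[dict]:
    """Build one record per search term, ordered by MRU position (0 = most recent).

    Indices in MRUListEx that reference a value not present in the key are skipped
    rather than raising, so one stale entry does not lose the rest of the history.
    """
    records = []
    position = 0
    for index in parse_mrulistex(values.get("MRUListEx", b"")):
        name = str(index)
        raw = values.get(name)
        if raw is None:
            continue  # stale index: the numbered value has been deleted
        records.append({
            "KeyPath": KEY_PATH,
            "LastWriteTime": last_write_time,
            "Value": name,
            "Username": username,
            "Term": decode_term(raw),
            "MRUPosition": position,
            "RegPath": reg_path,
        })
        position += 1
    return records


if __name__ == "__main__":
    for record in parse_wordwheelquery(SAMPLE_VALUES):
        print(record["MRUPosition"], record["Value"], repr(record["Term"]))
```

Run as a script, the block lists the three constructed terms in MRU order: `delete history`, then `confidential passwords`, then `budget.xlsx`. When pointing this at a real hive, the value bytes would come from an offline registry parser; only the decoding logic is shown here.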

## Forensic Value

Search terms reveal what users were looking for and can indicate intent or knowledge. Investigators use this data to:

* Identify searches for sensitive files or data
* Detect user attempts to locate evidence
* Prove knowledge of hidden files or folders
* Track user interest in specific topics
* Identify anti-forensic awareness (for example, searches for "delete history")
* Correlate search terms with file access artifacts

One caveat when building a timeline: only the key's `LastWriteTime` is recorded, and it is updated whenever a search is added, so it timestamps the most recent search (MRU position 0) only. Older terms in the list have no individual timestamps and must be bracketed using other artifacts.
