TypedPaths
Overview
Evidence: TypedPaths
Description: Enumerate TypedPaths
Category: System
Platform: windows
Short Name: typedpaths
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows Explorer maintains a history of paths that users manually type into the Explorer address bar. This registry artifact tracks folder navigation through typing rather than clicking, providing evidence of deliberate user navigation to specific locations.
This can reveal user knowledge of specific file locations, hidden folders, network shares, and administrative directories.
Data Collected
This collector gathers structured data about TypedPaths entries.
TypedPaths Data
| Field | Description | Example |
|---|---|---|
| Value | Registry value name | url1 |
| Path | Typed path | C:\Users\user\AppData\Local\Temp\suspicious |
| Username | User account name | user |
| KeyPath | Registry key path | Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths |
| LastWriteTime | Registry key last write time | 2023-10-15T14:30:00 |
| RegPath | Path to registry hive | Registry/ntuser.dat |
Collection Method
This collector:
- Collects user registry hives (ntuser.dat)
- Searches for: Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
- Enumerates all values under the key
- Extracts the typed path strings
- Records registry key last write time
Forensic Value
Typed paths reveal deliberate user navigation and knowledge of specific locations. Investigators use this data to prove user knowledge of hidden folders, identify access to suspicious directories, track network share navigation, detect attempts to access admin folders, establish intent through manual navigation, and identify typed paths to malware locations.
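A triage pass over collected TypedPaths rows, as an added example that is not part of the collector or its documentation. The sample rows, tag names and matching rules are constructed assumptions for illustration; only the field names come from the table above. Values are sorted by their numeric suffix so that url10 follows url2 rather than url1.

```python
import re

# Constructed sample rows; field names follow the TypedPaths Data table.
SAMPLE_ROWS = [
    {"Value": "url10", "Path": r"C:\Users\user\Documents", "Username": "user"},
    {"Value": "url2", "Path": r"\\fileserver01\C$\Windows\Temp", "Username": "user"},
    {"Value": "url1", "Path": r"C:\Users\user\AppData\Local\Temp\suspicious",
     "Username": "user"},
    {"Value": "url3", "Path": r"\\nas01\projects", "Username": "user"},
]

# Review heuristics chosen for this example (assumptions, not product rules).
RULES = [
    # UNC path: \\host\...
    ("network-share", re.compile(r"^\\\\[^\\]+\\")),
    # Share name ending in '$' (C$, ADMIN$, other hidden shares)
    ("admin-share", re.compile(r"^\\\\[^\\]+\\[^\\]+\$(\\|$)")),
    # Hidden per-user profile folder
    ("appdata", re.compile(r"\\appdata(\\|$)", re.I)),
    # Temp directories, local or remote
    ("temp-dir", re.compile(r"\\(temp|tmp)(\\|$)", re.I)),
]


def url_index(value_name):
    """Numeric suffix of a 'urlN' value name; unknown names sort last."""
    m = re.fullmatch(r"url(\d+)", value_name, re.I)
    return int(m.group(1)) if m else 10**9


def triage(rows):
    """Return rows in urlN order, each with the tags whose rule matched Path."""
    out = []
    for row in sorted(rows, key=lambda r: url_index(r["Value"])):
        tags = [name for name, rx in RULES if rx.search(row["Path"])]
        out.append({**row, "Tags": tags})
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_ROWS):
        tag_text = ",".join(r["Tags"]) or "-"
        print(f"{r['Value']:<6} {r['Username']:<8} {tag_text:<34} {r['Path']}")
```

LastWriteTime is recorded once for the key, so it cannot date each urlN value individually; corroborate any tagged path with other artifacts before drawing a timeline from it.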