WordWheelQuery
Overview
Evidence: WordWheelQuery
Description: Enumerate WordWheelQuery
Category: System
Platform: windows
Short Name: wordwheel
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
WordWheelQuery records search terms that users type into the Windows Explorer search box. The key lives in each user's NTUSER.DAT hive at Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery: each term is stored as a UTF-16LE string in a numbered value, and the MRUListEx value lists those value numbers in most-recently-used order. Together they form a history of search queries, providing evidence of what files, folders, or content users were looking for on the system.
Search terms can reveal user intent, knowledge of specific files, or attempts to locate sensitive data.
Data Collected
This collector gathers the structured fields below for each WordWheelQuery entry.
WordWheelQuery Data
| Field | Description | Example |
|---|---|---|
| KeyPath | Registry key path | Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery |
| LastWriteTime | Registry key last write time | 2023-10-15T14:30:00 |
| Value | MRU value name (the numbered value holding the term) | 0 |
| Username | User account whose hive contained the key | user |
| Term | Search term | confidential passwords |
| MRUPosition | Position in MRU list (0 = most recent) | 0 |
| RegPath | Path to the registry hive the entry was parsed from | Registry/ntuser.dat |
Collection Method
This collector:
- Collects user registry hives (ntuser.dat)
- Searches each hive for Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
- Parses the MRUListEx binary structure (a list of little-endian 32-bit value indices terminated by 0xFFFFFFFF)
- Extracts the search term strings from the numbered values
- Orders the entries by MRU position (most recent first)
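The steps above, carried out in code as an added example (this is illustrative code, not the collector's own implementation): it takes the key's values as raw bytes, decodes MRUListEx, looks up each referenced numbered value, and emits (MRUPosition, Value, Term) rows most recent first. The sample values are constructed, not taken from a real hive. Two edge cases a practitioner hits in the wild are handled explicitly: a numbered value that MRUListEx still references but which no longer exists (skipped), and a numbered value that exists but is no longer in the list (kept, with position None, because it still proves the term was typed).

```python
import struct
from typing import Dict, List, Optional, Tuple

MRU_TERMINATOR = 0xFFFFFFFF


def parse_mrulistex(data: bytes) -> List[int]:
    """Decode MRUListEx: little-endian uint32 value indices, most recent
    first, terminated by 0xFFFFFFFF. A missing terminator or trailing
    bytes after it are tolerated rather than raising."""
    indices: List[int] = []
    for offset in range(0, len(data) - 3, 4):
        (idx,) = struct.unpack_from("<I", data, offset)
        if idx == MRU_TERMINATOR:
            break
        indices.append(idx)
    return indices


def decode_term(data: bytes) -> str:
    """Terms are UTF-16LE and normally NUL-terminated; keep text up to the first NUL."""
    text = data.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]


def parse_wordwheelquery(values: Dict[str, bytes]) -> List[Tuple[Optional[int], int, str]]:
    """Reconstruct the search history from a WordWheelQuery key's values.

    Returns (mru_position, value_index, term) tuples ordered most recent first.
    Numbered values that MRUListEx no longer references are appended with
    position None instead of being dropped."""
    order = parse_mrulistex(values.get("MRUListEx", b""))
    rows: List[Tuple[Optional[int], int, str]] = []
    seen = set()
    for position, idx in enumerate(order):
        raw = values.get(str(idx))
        if raw is None:  # dangling reference: value deleted but list not rewritten
            continue
        rows.append((position, idx, decode_term(raw)))
        seen.add(idx)
    orphans = sorted(int(n) for n in values if n.isdigit() and int(n) not in seen)
    for idx in orphans:
        rows.append((None, idx, decode_term(values[str(idx)])))
    return rows


def _utf16z(s: str) -> bytes:
    """Encode a term the way the registry stores it (UTF-16LE + NUL)."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed sample, not data from any real hive: three searches with
# MRUListEx = [2, 0, 1] (value 2 most recent) plus a stale value 3 not in the list.
SAMPLE_VALUES: Dict[str, bytes] = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, MRU_TERMINATOR),
    "0": _utf16z("budget"),
    "1": _utf16z("passwords"),
    "2": _utf16z("confidential"),
    "3": _utf16z("old term"),
}

if __name__ == "__main__":
    for position, idx, term in parse_wordwheelquery(SAMPLE_VALUES):
        print(f"MRUPosition={position} Value={idx} Term={term!r}")
```

When run against values read from a real hive (for example with a registry parsing library that returns each value's raw bytes), the output rows map directly onto the Value, Term and MRUPosition fields in the table above.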
Forensic Value
Search terms reveal what users were looking for and can indicate intent or knowledge. Investigators use this data to identify searches for sensitive files, detect attempts to locate evidence, prove knowledge of hidden files or folders, track interest in specific topics, identify anti-forensic awareness (for example searches for "delete history"), and correlate search terms with file access artifacts. Because the key is held in each user's own NTUSER.DAT, the entries attribute searches to a specific account, and the key's LastWriteTime bounds when the most recent search was made.