Link Files

.lnkJesse Hager

“The Windows Shortcut File Format”http://code.google.com/p/8bits/downloads/detail?

name=The_Windows_Shortcut_File_Format.pdf&can=2&q=

Shortcut Files

• File extension .lnk

• Created whenever an off board file is opened

• Contain MAC times (UTC)

• Path name

• Volume type and S/N

Link File Creation

• Activation of a file from Windows Explorer• When a file is opened from some applications

• Particularly Microsoft Office files

Clear “Recent Items” WinXP

• Properties of the Start Menu• Select “Clear List”

.lnk Files

• They appear as “My Recent Documents”

• Form the basis of Jump Lists

• Win XP• C:\Documents and Settings\User Name\Recent

• Vista & Win7• \Users\user name\AppData\Roaming\Microsoft\Windows\Recent

• \Users\user name\AppData\Roaming\Microsoft\Office\Recent

• \Users\user name\Links\

Clear “Recent Items” Win 7

To clear “Recent Item List”Right click on Recent Items and select clear

Registry Data Shows SettingsWinXP

Start_ShowRecentDocs=0 Do not list Recent DocumentsStart_ShowRecentDocs=2 List Recent Documents

Registry Data Shows SettingsWin7

Start_ShowRecentDocs=0 & Start_Tracks=0 Do not list Recent DocumentsStart_ShowRecentDocs=2 & Start_Tracks=0 List Recent Documents

Basic File Structure

• File header• Shell item ID list

Item 1Item 2etc.

• File location infolocal pathNetwork path

• Description string• Relative path string• Working directory string• Command line string• Icon filename string• Extra stuff

.lnk Header Structure

Offset Size Type Description

0 4 bytes 1 dword Magic Number 0x0000004C = ‘L’

4 16 bytes byte GUID for shortcut files

0x14 4 bytes 1 dword Flags

0x18 4 bytes 1 dword File Attributes

0x1C 8 bytes 1 qword Create time

0x24 8 bytes 1 qword Last write time

0x2C 8 bytes 1 qword Last access time

0x34 4 bytes 1 dword File length

0x38 4 bytes 1 dword Icon number

0x3C 4 bytes 1 dword Show Window value

0x40 4 bytes 1 dword Associated Hot Key

0x44 8 bytes 2 dword Unknown, always zero

The Flags

Bit Meaning when 1 Meaning when 0

0 Shell item id list is present Shell item id list is absent

1 Points to a file or directory Points to something else

2 Has a descriptive string No descriptive string

3 Has a relative path No relative path

4 Has a working directory No working directory

5 Has command line arguments No command line arguments

6 Has a custom icon Has default icon

Shell Item ID List

• Present only if bit 0 is set in flags• How to get from the desktop to the contents

of the link file

File Location Info

Offset Size Contents

0x0 4 bytes Total length of this structure

0x4 “ Point to the first offset after this structure. 0x1C

0x8 “ Flags

0xC “ Offset of local volume info

0x10 “ Offset of base pathname on local system

0x14 “ Offset of network volume info

0x18 “ Offset of remaining pathname

lslnk.exe

.lnk File’sProperties

Cierra’s pics 2.nws.lnk

Magic Number

File Length0x43A00 =276992

Lslnk.exe for Win7

Win7 LNK file Properties

More Information in Win7