Daily Blog #483: Typed Paths Amnesia

Typed Paths Amnesia by David Cowen - Hacking Exposed Computer Forensics Blog



Hello Reader,

I'm going to update this post with a video when I get to my hotel room tonight and do a test kitchen. I wanted to take a moment to talk about the Typed Paths registry key in Windows. Typed Paths, if you are not familiar, records the last 25 directories you manually typed into the file explorer path bar.


If you ever tested this registry key (located under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths), you might have been confused that entries didn't show up in the key when you typed paths into the path bar, even though they still showed up in the drop-down within the GUI.

You have to close the file explorer window for the entries you see within the GUI to be committed to the registry key.

When I showed this in class some time ago, I had a student who asked a very smart question: 'Well, what happens if you have two file explorer windows open?' So we did the test, and as it turns out, something very interesting happens.

Both file explorer windows start with a copy of the registry key loaded into their process memory and display the same entries. As you type new paths into each window, each shows its own version of the list without any knowledge of the other file explorer process.

When you close the first file explorer window, the registry key is updated with the contents of that process's Typed Paths. However, when you close the second, it overwrites the key without checking its contents, meaning you lose any unique entries typed into the first window: the second process simply writes the contents of its own process memory to the registry.
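The overwrite described above can be modelled in a few lines to see exactly which entries survive for a given close order. This is an added example, not code from the original post or from Windows; the class names, the most-recent-first ordering with de-duplication, and the sample paths are assumptions made for the model.

```python
MAX_ENTRIES = 25  # the post states TypedPaths keeps the last 25 typed directories


class Registry:
    """Stands in for the TypedPaths key: one ordered list of paths."""
    def __init__(self, paths=()):
        self.typed_paths = list(paths)


class ExplorerWindow:
    """One file explorer window holding its own in-memory copy of the list."""
    def __init__(self, registry):
        self.registry = registry
        self.paths = list(registry.typed_paths)  # snapshot taken when the window opens

    def type_path(self, path):
        # Assumption of this model: most-recent-first ordering with de-duplication.
        if path in self.paths:
            self.paths.remove(path)
        self.paths.insert(0, path)
        del self.paths[MAX_ENTRIES:]

    def close(self):
        # Overwrites the key with this window's copy; no merge with current contents.
        self.registry.typed_paths = list(self.paths)


def simulate(initial, first_closed_typed, second_closed_typed):
    """Return (key after first close, key after second close, lost entries)."""
    reg = Registry(initial)
    win_a, win_b = ExplorerWindow(reg), ExplorerWindow(reg)
    for p in first_closed_typed:
        win_a.type_path(p)
    for p in second_closed_typed:
        win_b.type_path(p)
    win_a.close()
    after_first = list(reg.typed_paths)
    win_b.close()
    after_second = list(reg.typed_paths)
    lost = [p for p in after_first if p not in after_second]
    return after_first, after_second, lost


if __name__ == "__main__":
    # Constructed sample paths, for illustration only.
    a, b, lost = simulate([r"C:\Users"], [r"C:\Staging", r"E:\Export"], [r"D:\Photos"])
    print("after first close :", a)
    print("after second close:", b)
    print("lost from the key :", lost)
```

For an examiner, the takeaway from the model is that a path missing from TypedPaths is not evidence that it was never typed.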

So TypedPaths works, but like every other artifact, it has limitations. Make sure you know what those limitations are!
