TypedPaths
TypedPaths records manually typed paths or in Explorer search bar. As of Windows 11 22H2, TypedPaths does not record manually typed paths in the Start Menu.
Analysis
TypedPaths is tied to individual user profiles and can be located inside an individual user's NTUSER.DAT hive:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
The following is information is generally available for each TypedPaths entry: * Full valid path typed * Order
The values under the key maintain a list of the typed paths, where url1 represents the most recently typed path. The key maintains the most recent twenty-five (25) paths. Unlike many registry keys, TypedPaths does not use of MRU lists. The order is maintained ordinally.
The data for each value is of type REG_SZ and contains the string of the typed path. No additional parsing is required.
The LastWriteTime of the TypedPaths key represents the query time of the most recently typed path (i.e., url1).
Some sources claim the LastWriteTime represents when the user closes the Explorer window, thus this is when the system serializes the data to the registry. However, this appears to no longer be the case in my testing on Windows 11 22H2. In other words—the LastWriteTime represents the time the user entered the path in Explorer.
In my testing on Windows 11 22H2, TypedPaths only records valid file system or UNCs in Explorer. It does not record:
- Paths typed in the Start Menu
- Invalid or non-existing system file paths
- Invalid UNCs or network resources
Investigation Considerations
TypedPaths can support assertions that the user intentionally navgiated to a particular resource path, rather than accidentally navigating to a path or stumbled across a location. In most cases, it supports that the user had previous knowledge of the path.
Threat actors with interactive sessions may leverage this Windows feature to quickly traverse the filesystem, such as navigating to the their data staging directory in preparation for exfiltration.
In addition, this registry-based artifact may also help determine intent, assist in performing impact assessments, and provide leads for determining additional access.