Investigating File Knowledge In Windows

 



The WordWheelQuery registry key was introduced with Windows 7 and has remained a persistent artifact across all subsequent modern Windows versions. This key records user-initiated search queries submitted through the File Explorer search interface and, in Windows 7, the Start menu search functionality. It constitutes a canonical digital forensic artifact within the Windows operating system, exemplifying the storage of Most Recently Used (MRU) data in the registry.


The presence of auto-populated dropdown histories in search interfaces reliably indicates underlying persistence mechanisms, with the registry serving as the primary repository. In this instance, the WordWheelQuery key (full path: NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery) preserves the verbatim search terms entered by the user.


Analysis of these entries enables investigators to reconstruct user intent, behavioral patterns, and areas of interest with a high degree of fidelity. Queries targeting specific file extensions (e.g., .rar, .vmx) or filenames can strongly indicate user awareness of, or expectation for, the presence of such file types on the system. In cases involving intellectual property theft, data exfiltration, or network intrusion, this artifact frequently provides compelling evidence of reconnaissance activity and potential lateral movement by revealing targeted resources or network shares under consideration.


It should be noted that while registry-based artifacts of this nature are generally persistent, they are not immutable. Sophisticated users or administrators may manually purge or manipulate the key; however, such anti-forensic measures are infrequently applied. Recent searches may be viewed or cleared directly via the Search Tools ribbon within File Explorer.


Additional historical context:

  • Windows XP: Search history was maintained under NTUSER\SOFTWARE\Microsoft\Search Assistant\ACMru.
  • Windows Vista: Lacked a comparable dedicated search history key.
  • Windows 8: Introduced subkey differentiation under WordWheelQuery to segregate searches originating from the desktop environment versus those performed through the Charms bar (Search charm) interface.


This artifact remains a high-value source for timeline reconstruction and user profiling in digital forensic examinations.



As depicted in the figure above, the auto-suggest dropdown list presented in the File Explorer GUI exhibits precise concordance with the values stored in the WordWheelQuery registry key, including exact sequential ordering. This fidelity is maintained through the key’s native Most Recently Used (MRU) implementation, manifested via the MRUListEx value and associated numbered binary entries within the registry.

Consistent with established MRU list mechanics in Windows forensic artifacts, the entry at index 0 (in this example, “cyber”) denotes the most recent search term. Its execution timestamp aligns directly with the Last Write time of the parent WordWheelQuery key (2026-06-06 18:20:46 UTC), providing examiners with a reliable temporal anchor for correlating user activity and reconstructing event timelines.
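The following is an added worked example, not code from the original article: a small Python parser for the WordWheelQuery value set as a registry reader would return it. The sample values (the terms "cyber", "*.rar" and "budget", and the MRUListEx bytes) are constructed for illustration; only the key path, the index-0 term "cyber" and the Last Write time 2026-06-06 18:20:46 UTC come from the text above. The example generalises slightly beyond the text: it orders the terms by walking MRUListEx (a run of little-endian DWORD indexes, most recent first, terminated by 0xFFFFFFFF) rather than assuming index 0 is always first, and it attributes the key's Last Write time only to the most recent entry, since no other entry carries its own timestamp. A dangling index (present in MRUListEx but with no matching numbered value) is reported rather than silently dropped, as that pattern can indicate partial clean-up of the key.

```python
from __future__ import annotations

import struct
from datetime import datetime, timezone

# Constructed sample of the values found under
# NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery.
# Each numbered value holds one UTF-16LE, NUL-terminated search string;
# MRUListEx is a list of little-endian DWORD indexes, most recent first,
# terminated by 0xFFFFFFFF.  These bytes are hand-built for the example.
def _utf16z(text: str) -> bytes:
    return text.encode("utf-16-le") + b"\x00\x00"

SAMPLE_VALUES = {
    "0": _utf16z("cyber"),
    "1": _utf16z("*.rar"),
    "2": _utf16z("budget"),
    "MRUListEx": struct.pack("<4I", 0, 2, 1, 0xFFFFFFFF),
}
# Last Write time of the key, as reported by the hive (value from the article).
SAMPLE_LAST_WRITE = datetime(2026, 6, 6, 18, 20, 46, tzinfo=timezone.utc)


def parse_mrulistex(data: bytes) -> list[int]:
    """Decode MRUListEx into its index order (most recent first)."""
    if len(data) % 4:
        raise ValueError("MRUListEx length is not a multiple of 4")
    order = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == 0xFFFFFFFF:  # list terminator
            break
        order.append(idx)
    return order


def decode_search_term(data: bytes) -> str:
    """Decode a numbered value: UTF-16LE text up to the first NUL."""
    text = data.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]


def reconstruct_searches(values: dict, key_last_write: datetime | None) -> list[dict]:
    """Rebuild the search history in MRU order.

    Only the entry at the head of MRUListEx can be dated from the key itself
    (it inherits the key's Last Write time); every other entry gets None.
    """
    rows = []
    for rank, idx in enumerate(parse_mrulistex(values["MRUListEx"])):
        raw = values.get(str(idx))
        rows.append({
            "rank": rank,
            "index": idx,
            # None marks a dangling index: listed in MRUListEx, value missing.
            "term": decode_search_term(raw) if raw is not None else None,
            "timestamp": key_last_write if rank == 0 else None,
        })
    return rows


def ordered_terms(values: dict) -> list:
    """Convenience view: just the search terms, most recent first."""
    return [row["term"] for row in reconstruct_searches(values, None)]


if __name__ == "__main__":
    for row in reconstruct_searches(SAMPLE_VALUES, SAMPLE_LAST_WRITE):
        print(row)
```

On the constructed sample the output lists "cyber" first with the key's Last Write time attached, then "budget" and "*.rar" undated. Against a real hive the same functions can be fed the values returned by any offline registry library (for example one that exposes a key's values as name-to-bytes pairs and its Last Write time), which is the assumption the `values` dictionary stands in for here.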



Searches executed via the taskbar search interface (shown in the figure above) warrant separate consideration due to Microsoft’s evolving and occasionally inconsistent implementation across Windows versions. Initially tightly integrated with the Cortana personal assistant, this functionality was decoupled beginning with Windows 10 build 1909.

The taskbar search dialog serves as the primary user-facing frontend for a comprehensive system-wide search engine. It interfaces with the Windows Search Index to surface local files and folders, OneDrive and email cloud indexes, system settings, installed application enumerations, and web results via the default browser. While this area continues to evolve and merits ongoing research, examiners can recover substantial cached data from the search application in the following well-documented locations:

  • %UserProfile%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5nlh2txyewy\LocalState\DeviceSearchCache (Windows 10 prior to build 1909)
  • %UserProfile%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5nlh2txyewy\LocalState\DeviceSearchCache (Windows 10 build 1909 and later)
  • %UserProfile%\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5nlh2txyewy\LocalState\DeviceSearchCache (Windows 11)

Of particular forensic importance, items accessed or launched through the taskbar search dialog are also propagated into established Windows persistence mechanisms. These include the RecentDocs registry key, LNK shortcut files, Jump Lists, ShellBags, and associated browser history artifacts. Such secondary records frequently enable robust corroboration of user intent and activity timelines beyond the primary search cache.


The TypedPaths registry key represents a significant persistence mechanism within Windows File Explorer, capturing user-supplied directory paths entered directly into the address bar. This functionality enables power users to bypass sequential mouse navigation and rapidly access deeply nested subfolders, alternate drive letters, or remote network shares—frequently manifested as Universal Naming Convention (UNC) paths beginning with \\ (denoting a hostname or IP address).



These entries are stored in the following location:


NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths


TypedPaths constitutes compelling evidence of user knowledge and intent. Population of this key requires deliberate action—either manual typing or pasting of a path—into the Explorer address bar. Unlike many other navigation artifacts, incidental or passive browsing is highly unlikely to generate entries here, thereby strengthening attribution of purposeful navigation to specific directories or network resources. In Windows 10 and later versions, the key typically maintains the most recent 25 typed paths, preserving both the verbatim strings.

This artifact is particularly valuable in investigations involving data exfiltration, intellectual property theft, or unauthorized access, as it can demonstrate that a user possessed precise foreknowledge of targeted file system locations or remote shares that would not ordinarily be encountered through routine system use.




In the example above, the TypedPaths key contains five entries associated with the subject user account. As with all NTUSER.dat hive artifacts, these entries are strictly user-specific and tied to the context of the logged-on account.

The key exhibits a distinctive sorting behavior that deviates from conventional MRUListEx implementations. Rather than relying on a dedicated MRU list, TypedPaths maintains recency through its value naming convention: url1 represents the most recent entry, followed by url2, url3, and so forth in descending order of recency. Consequently, a straightforward lexicographical sort of the value names readily reconstructs the chronological sequence of typed paths.

Forensic testing reveals that updates to this key are not committed in real time. New values are only persisted to the registry upon closure of the associated File Explorer window. As a result, the Last Write timestamp of the TypedPaths key corresponds to the time the Explorer window was closed after the most recent path was entered, rather than the precise moment the path was typed or pasted into the address bar. This nuance is critical for accurate timeline reconstruction and event sequencing.
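As an added example (not code from the original article), the Python below reconstructs the recency order of a TypedPaths value set and extracts the remote hosts referenced by UNC entries. The five paths, the value-name order and the Last Write time are constructed for illustration; only the key path, the url1-is-most-recent convention and the Last Write semantics come from the text. One caveat the example handles explicitly: the value names must be sorted by their numeric suffix, because a plain string sort places url10 and url11 between url1 and url2 once the key holds ten or more entries. Consistent with the testing described above, the key's Last Write time is attached to url1 only as an upper bound on when that path was typed, not as the typing time itself.

```python
from __future__ import annotations

import re
from datetime import datetime, timezone

# Constructed sample of the values under
# NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths,
# deliberately listed out of order, as a registry reader may return them.
SAMPLE_TYPEDPATHS = {
    "url10": r"D:\archive",
    "url1": r"\\fileserver01\finance$",
    "url3": r"C:\Users\Public\Documents",
    "url2": r"\\10.0.0.25\share",
    "url11": "E:\\",
}
# Constructed Last Write time of the TypedPaths key.
SAMPLE_LAST_WRITE = datetime(2026, 6, 6, 18, 25, 10, tzinfo=timezone.utc)

_URL_NAME = re.compile(r"^url(\d+)$", re.IGNORECASE)


def order_typed_paths(values: dict) -> list[tuple[int, str]]:
    """Return (n, path) pairs sorted by the number in urlN, most recent first.

    Sorting on the integer suffix avoids the url1, url10, url11, url2 ordering
    that a string sort of the names would produce.
    """
    numbered = []
    for name, path in values.items():
        match = _URL_NAME.match(name)
        if match is None:
            continue  # ignore anything that is not a urlN value
        numbered.append((int(match.group(1)), path))
    return sorted(numbered)


def is_unc(path: str) -> bool:
    """True for \\\\host\\share style paths."""
    return path.startswith("\\\\")


def unc_hosts(values: dict) -> set[str]:
    """Collect the hostnames or IP addresses named in UNC entries."""
    hosts = set()
    for _, path in order_typed_paths(values):
        if is_unc(path):
            host = path[2:].split("\\", 1)[0]
            if host:
                hosts.add(host)
    return hosts


def summarize(values: dict, key_last_write: datetime | None) -> list[dict]:
    """Tabulate the entries with the only timing information the key offers.

    The key is written when the Explorer window closes, so Last Write bounds
    the most recent entry (url1) from above; later-numbered entries are older
    and carry no timestamp of their own.
    """
    rows = []
    for n, path in order_typed_paths(values):
        rows.append({
            "rank": n,
            "path": path,
            "unc": is_unc(path),
            "typed_no_later_than": key_last_write if n == 1 else None,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_TYPEDPATHS, SAMPLE_LAST_WRITE):
        print(row)
    print("remote hosts referenced:", sorted(unc_hosts(SAMPLE_TYPEDPATHS)))
```

The host list is the part an examiner typically carries forward: each name or address can be checked against LNK files, Jump Lists, ShellBags and network logs to corroborate that the share was actually reached, which the typed path on its own does not prove.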
