When a user types a path directly into Windows Explorer’s address bar — \\fileserver\hr$, C:\Users\jdoe\Desktop\staging, or D:\backups — Windows records that path in the TypedPaths registry key. This is not click-through navigation, not autocomplete, not a shortcut. It is proof that the user deliberately typed a specific destination. In insider threat and unauthorized access cases, TypedPaths is among the strongest evidence of intent available in the Windows registry.
What Are TypedPaths / TypedURLs?
TypedPaths and TypedURLs are two separate registry keys in NTUSER.DAT that record text manually entered into address bars. Despite their similar names and structure, they track different applications and serve different forensic purposes:
- TypedPaths records paths typed into Windows Explorer’s address bar. This includes local paths (C:\Windows\System32), network UNC paths (\\server\share), and even URLs (which Explorer will hand off to the default browser). This key is actively populated on all modern Windows versions (XP through Windows 11).
- TypedURLs records URLs typed into Internet Explorer’s address bar. On Windows 10 and 11, where Internet Explorer has been replaced by Edge (Chromium), TypedURLs is largely a legacy artifact. However, on Windows 7/8/8.1 systems or enterprise environments where IE is still used for intranet applications, TypedURLs remains forensically valuable.
Both keys use an identical structure: numbered string values (url1, url2, url3, ...) containing the text the user typed. The numbering is sequential, with url1 being the most recently entered item. When the maximum entry count is reached (~25 entries), the oldest entry is discarded and all entries shift down. There is no MRUListEx ordering mechanism — the numbering itself encodes recency.
The critical forensic property of both keys is the intent signal. A path in TypedPaths was not generated by clicking through folder hierarchies, opening a shortcut, or following a link. The user placed their cursor in the Explorer address bar, typed the path character by character (or pasted it), and pressed Enter. This represents a higher bar of deliberate intent than most other file access artifacts.
TypedPaths is an intent artifact. Every entry represents a path the user chose to type or paste into Explorer’s address bar. In litigation and HR proceedings, this distinction matters: the user did not stumble onto \\cfo-laptop\c$ by clicking through a network neighborhood — they typed it deliberately. Courts and arbitrators recognize this distinction.
Location & Format
Registry Paths
| Key | Registry Path (under NTUSER.DAT) | Application | Status on Windows 11 |
|---|---|---|---|
| TypedPaths | Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths | Windows Explorer | Active — populated on every Explorer address bar entry |
| TypedURLs | Software\Microsoft\Windows\CurrentVersion\Explorer\TypedURLs | Internet Explorer | Legacy — only populated if IE is explicitly launched |
Value Format
Both keys use REG_SZ (string) values. The value names follow the pattern url1, url2, url3, up to approximately url25. Each value contains the exact text the user typed. There is no binary encoding, no Shell Item parsing, no PIDL structures — the data is directly human-readable in any registry viewer.
```text
NTUSER.DAT

Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
    url1 = \\nas01\executive$
    url2 = C:\Users\jdoe\Desktop\staging
    url3 = \\dc01\c$
    url4 = D:\
    url5 = \\fileserver\engineering\schematics
    url6 = C:\ProgramData
    url7 = \\print-srv\scans
    url8 = C:\Windows\System32\sru

Software\Microsoft\Windows\CurrentVersion\Explorer\TypedURLs
    url1 = https://mail.company.com/owa
    url2 = http://intranet.company.local/hr/policies
    url3 = https://portal.azure.com
    url4 = ftp://files.company.com
```
Timestamp Information
The TypedPaths and TypedURLs keys do not store per-entry timestamps within the values themselves. However, the key last-write timestamp is updated whenever a new entry is added, providing the time of the most recent typed path. On some Windows versions, a companion key called TypedPathsTime exists at the same level, storing 8-byte FILETIME values for each entry, providing per-entry temporal resolution. Registry Explorer displays both the key timestamp and any TypedPathsTime data when present.
The TypedPathsTime companion key is not present on all Windows versions. It was introduced in Windows 10 version 1607 (Anniversary Update) and is consistently present on Windows 10 1809+ and Windows 11. On older systems, only the key last-write timestamp is available.
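The following is an added example, not code from the original page: it decodes 8-byte FILETIME values of the kind described for TypedPathsTime and builds an oldest-first timeline. It assumes the TypedPathsTime value names mirror url1..urlN and that the raw value bytes have already been read from the hive; the sample data is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(raw):
    """Decode an 8-byte little-endian FILETIME; None if empty or unusable."""
    if len(raw) != 8:
        return None
    ticks = struct.unpack("<Q", raw)[0]   # 100 ns ticks since 1601-01-01 UTC
    if ticks == 0:
        return None
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:                 # garbage value beyond year 9999
        return None

def dt_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample."""
    d = dt - FILETIME_EPOCH
    ticks = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    return struct.pack("<Q", ticks)

def timeline(paths, times):
    """Pair urlN paths with urlN FILETIMEs (assumed naming).
    Returns (dated oldest-first [(when, name, path)], undated [(name, path)])."""
    dated, undated = [], []
    for name, path in paths.items():
        when = filetime_to_dt(times.get(name, b""))
        if when is None:
            undated.append((name, path))
        else:
            dated.append((when, name, path))
    dated.sort()
    return dated, undated

def window(dated):
    """Time between the oldest and newest dated entry."""
    return dated[-1][0] - dated[0][0] if dated else timedelta(0)

# Constructed sample modelled on the data-staging use case on this page;
# the timestamps are invented for the example.
T0 = datetime(2026, 3, 15, 22, 55, tzinfo=timezone.utc)
SAMPLE_PATHS = {
    "url1": "E:\\",
    "url2": r"C:\Users\jdoe\Desktop\collected",
    "url3": r"\\eng-share\source-code",
    "url4": r"C:\ProgramData",
}
SAMPLE_TIMES = {
    "url1": dt_to_filetime(T0 + timedelta(minutes=17)),
    "url2": dt_to_filetime(T0 + timedelta(minutes=9)),
    "url3": dt_to_filetime(T0),
    "url4": bytes(8),                     # zeroed FILETIME: no usable time
}

if __name__ == "__main__":
    dated, undated = timeline(SAMPLE_PATHS, SAMPLE_TIMES)
    for when, name, path in dated:
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  {name:5s} {path}")
    print("window:", window(dated), "| undated:", undated)
```

Entries that come back undated still carry their urlN position, so their relative order is known even when their time is not.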
What It Reveals
TypedPaths and TypedURLs answer a narrow but forensically powerful set of questions, all centered on deliberate user navigation:
- What paths did the user deliberately navigate to? — Every TypedPaths entry is a path the user typed or pasted into Explorer. This proves the user knew the path and intentionally navigated there.
- Did the user access UNC network shares? — UNC paths like \\server\share, \\dc01\c$, or \\nas01\executive$ in TypedPaths prove the user typed a network path directly. Administrative shares (c$, admin$, ipc$) are particularly significant because they require knowledge of the share name and administrative privileges to access.
- Was the user aware of hidden or administrative shares? — Hidden shares (ending in $) do not appear in network browsing. Their presence in TypedPaths proves the user knew the exact share name and typed it intentionally — a strong indicator of reconnaissance or insider knowledge.
- What was the sequence of navigation? — The url1 through url25 ordering shows recency. url1 is the most recent typed path. This ordering reconstructs the user’s navigation workflow.
- Did the user navigate to staging or exfiltration directories? — Paths like E:\backup, C:\staging, D:\ (removable media), or C:\Users\[user]\Desktop\collected in TypedPaths are consistent with data staging for exfiltration.
- Did the user access forensically sensitive directories? — Paths like C:\Windows\System32\sru, C:\Windows\Prefetch, or C:\$Recycle.Bin suggest the user was aware of forensic artifacts and may have been attempting anti-forensics.
- What URLs did the user type into Internet Explorer? — TypedURLs captures explicitly typed URLs, including intranet portals, OWA (Outlook Web Access), FTP servers, and web applications that may contain sensitive data.
- Did the user navigate to cloud storage or file transfer sites? — TypedURLs entries for https://mega.nz, https://drive.google.com, https://dropbox.com, or ftp:// addresses indicate potential exfiltration vectors.
When TypedPaths contains \\dc01\c$, \\sql-prod\backups, and \\nas01\executive$ — three hidden/administrative shares on different servers — the user demonstrated knowledge of specific server hostnames and administrative share conventions. This is not casual browsing. This is deliberate network reconnaissance or data access by someone who knows the environment.
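The questions above can be turned into a first-pass triage of extracted values. This is an added example, not code from the original page: the tag names and the classification rules are assumptions chosen to mirror the categories listed in this section, and the sample values are the ones from this page's example listing.

```python
import ipaddress
import re

# Constructed sample: the TypedPaths values from this page's example listing.
SAMPLE = {
    "url1": r"\\nas01\executive$", "url2": r"C:\Users\jdoe\Desktop\staging",
    "url3": r"\\dc01\c$", "url4": "D:\\",
    "url5": r"\\fileserver\engineering\schematics", "url6": r"C:\ProgramData",
    "url7": r"\\print-srv\scans", "url8": r"C:\Windows\System32\sru",
}
ADMIN_SHARES = {"c$", "admin$", "ipc$"}
# Directories this page names as holding forensic artifacts (lower-cased).
ARTIFACT_DIRS = (r"c:\windows\prefetch", r"c:\windows\system32\sru",
                 r"c:\windows\system32\winevt\logs", r"c:\$recycle.bin")
UNC_RE = re.compile(r"^\\\\([^\\]+)\\([^\\]+)")   # \\host\share[\...]
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")      # D: or D:\

def classify(path):
    """Return the set of triage tags (assumed names) for one typed path."""
    tags = set()
    p = path.strip()
    m = UNC_RE.match(p)
    if m:
        host, share = m.group(1), m.group(2).lower()
        tags.add("unc")
        if share in ADMIN_SHARES:
            tags.add("admin_share")
        elif share.endswith("$"):
            tags.add("hidden_share")
        try:                        # IP-based UNC host, e.g. \\10.0.1.50\c$
            ipaddress.ip_address(host)
            tags.add("ip_host")
        except ValueError:
            pass
    elif DRIVE_ROOT_RE.match(p):
        tags.add("drive_root")
    low = p.lower().rstrip("\\")
    if any(low == d or low.startswith(d + "\\") for d in ARTIFACT_DIRS):
        tags.add("artifact_dir")
    return tags

def triage(values):
    """Order entries oldest-first (highest urlN first) and tag each one."""
    numbered = []
    for name, data in values.items():
        m = re.fullmatch(r"url(\d+)", name, re.IGNORECASE)
        if m:                       # skip anything that is not a urlN value
            numbered.append((int(m.group(1)), data))
    numbered.sort(reverse=True)     # numeric sort, so url10 is older than url9
    return [(f"url{n}", data, classify(data)) for n, data in numbered]

def dollar_share_hosts(values):
    """Distinct hosts reached through a hidden or administrative share."""
    return {UNC_RE.match(data.strip()).group(1).lower()
            for _, data, tags in triage(values)
            if tags & {"admin_share", "hidden_share"}}

if __name__ == "__main__":
    for name, data, tags in triage(SAMPLE):
        print(f"{name:5s} {data:40s} {', '.join(sorted(tags)) or '-'}")
    print("hosts with $ shares:", sorted(dollar_share_hosts(SAMPLE)))
```

The tags only prioritise entries for review; each flagged path still needs corroboration from the artifacts listed later on this page.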
Forensic Use Cases
1. Insider Threat — Deliberate Network Share Access
A systems administrator under investigation for data theft has TypedPaths entries showing \\hr-server\personnel$, \\finance-srv\payroll, and \\ceo-laptop\c$. The administrator’s job responsibilities do not include HR, finance, or executive systems. The presence of these paths in TypedPaths — not in ShellBags, not in LNK files, but in the key that records typed navigation — proves the administrator deliberately entered these paths. Cross-referencing with Security.evtx Event ID 4624 (Type 3 network logon) confirms successful authentication, and Event ID 5140 confirms the shares were accessed.
2. Data Staging for Exfiltration
TypedPaths shows the following sequence: url1 = E:\ (USB drive), url2 = C:\Users\jdoe\Desktop\collected, url3 = \\eng-share\source-code. Reading from the highest-numbered entry to the lowest (oldest first): the user navigated to an engineering source code share, then to a local staging directory, then to a USB drive. This three-step pattern — source, staging, exfiltration — is a classic data theft workflow. The TypedPathsTime entries confirm the three navigations occurred within a 20-minute window.
3. Anti-Forensics Awareness Detection
TypedPaths contains C:\Windows\Prefetch, C:\Windows\System32\winevt\Logs, and C:\$Recycle.Bin. The user was navigating to directories containing forensic artifacts — Prefetch files, Windows Event Logs, and the Recycle Bin. This pattern suggests the user was aware of forensic investigation techniques and may have been manually reviewing or deleting evidence. The presence of these forensically significant paths in the typed navigation history (not just browsed) is a strong indicator of anti-forensics awareness.
4. Lateral Movement Confirmation
During an incident response engagement, TypedPaths on a compromised workstation shows \\10.0.1.50\c$, \\10.0.1.51\admin$, and \\10.0.2.100\c$\Windows\System32. These are IP-based UNC paths to administrative shares on internal hosts. If the compromised account was used for interactive lateral movement (as opposed to automated tool-based movement), TypedPaths provides the exact sequence of hosts the attacker navigated to. This is particularly valuable when correlating with network flow data and endpoint telemetry to map the full attack path.
5. TypedURLs — Legacy IE Forensics
On a Windows 8.1 system used in a corporate environment, TypedURLs contains https://mail.company.com/owa, http://intranet/hr/employee-directory, https://portal.azure.com, and ftp://files.company.com/outgoing. The FTP entry is significant: the user deliberately typed an FTP address to an outgoing files directory, suggesting file upload activity. Cross-referencing with IE browser history and proxy logs confirms files were uploaded via this FTP path. TypedURLs provided the initial lead that focused the investigation on FTP-based exfiltration.
Acquisition Methods
NTUSER.DAT is locked by the operating system while the user is logged in. Use Volume Shadow Copy, a forensic imaging tool, or a raw-disk copy utility. If the target user has logged off, the hive file is released and can be copied directly. Always collect NTUSER.DAT for every user account on the system — TypedPaths is per-user, and different accounts may contain different evidence.
Live System — Volume Shadow Copy
```bat
:: Create a Volume Shadow Copy
vssadmin create shadow /for=C:

:: Copy NTUSER.DAT from the shadow copy
:: (use the HarddiskVolumeShadowCopy number reported by the command above)
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\jdoe\NTUSER.DAT C:\Evidence\jdoe_NTUSER.DAT

:: Collect for all users if needed
:: (%u works at an interactive prompt; use %%u inside a .bat/.cmd file)
for /d %u in (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\*) do (
    copy "%u\NTUSER.DAT" "C:\Evidence\%~nu_NTUSER.DAT" 2>nul
)

:: Clean up the shadow copy
vssadmin delete shadows /shadow={shadow-id} /quiet
```
Live System — KAPE and Raw Copy
```bat
:: Using KAPE
kape.exe --tsource C: --tdest C:\Evidence\KAPE_Output --target RegistryHives

:: Using RawCopy (bypasses NTFS locks)
RawCopy.exe /FileNamePath:C:\Users\jdoe\NTUSER.DAT /OutputPath:C:\Evidence\

:: Quick live-system check (HKU\<SID> is only present while that user's hive is loaded, i.e. the user is logged on)
reg query "HKU\S-1-5-21-...\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths"
```
Forensic Image — Direct Extraction
```bash
# Mount the forensic image (read-only)
mount -o ro,noexec,nodev /dev/sdb1 /mnt/evidence

# Extract NTUSER.DAT for all users
mkdir -p /analysis/registry
for user in /mnt/evidence/Users/*/; do
    username=$(basename "$user")
    cp "${user}NTUSER.DAT" "/analysis/registry/${username}_NTUSER.DAT" 2>/dev/null
done

# Quick check with reglookup (Linux registry parser)
reglookup -p "Software/Microsoft/Windows/CurrentVersion/Explorer/TypedPaths" \
    /analysis/registry/jdoe_NTUSER.DAT
```
Parsing Tools & Analysis
| Tool | Author | License | Output | Notes |
|---|---|---|---|---|
| Registry Explorer | Eric Zimmerman | Free | GUI + export | Best for interactive analysis; shows key last-write timestamps and value data side by side |
| RECmd | Eric Zimmerman | Free | CSV | Batch processing; use --bn BatchExamples\RECmd_Batch_MC.reb for comprehensive parsing |
| RegRipper | Harlan Carvey | Open source | Text | Plugin: typedpaths and typedurls; fast CLI extraction |
| Autopsy | Basis Technology | Open source | GUI | Recent Activity module extracts TypedPaths and TypedURLs |
| reglookup | Timothy Morgan | Open source | Text | Linux-native; useful for quick extraction from mounted images |
| python-registry | Willi Ballenthin | Open source | Python API | Programmatic access; values are plain strings, no special parsing needed |
Parsing with RECmd
```bat
:: Parse TypedPaths and TypedURLs from NTUSER.DAT
RECmd.exe -f C:\Evidence\NTUSER.DAT --bn BatchExamples\RECmd_Batch_MC.reb --csv C:\Analysis\TypedPaths_Output

:: Or query a specific key directly
RECmd.exe -f C:\Evidence\NTUSER.DAT --kn "Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" --csv C:\Analysis\

:: Also parse TypedURLs
RECmd.exe -f C:\Evidence\NTUSER.DAT --kn "Software\Microsoft\Windows\CurrentVersion\Explorer\TypedURLs" --csv C:\Analysis\
```
Parsing with RegRipper
```bat
:: Extract TypedPaths
rip.exe -r C:\Evidence\NTUSER.DAT -p typedpaths

:: Extract TypedURLs
rip.exe -r C:\Evidence\NTUSER.DAT -p typedurls

:: Run all NTUSER.DAT plugins at once
rip.exe -r C:\Evidence\NTUSER.DAT -a > C:\Analysis\ntuser_all_plugins.txt
```
Quick Python Extraction
```python
from Registry import Registry

reg = Registry.Registry("/analysis/registry/jdoe_NTUSER.DAT")

# Extract TypedPaths
try:
    key = reg.open("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths")
    print(f"TypedPaths - Last Write: {key.timestamp()}")
    for val in key.values():
        print(f"  {val.name():6s} = {val.value()}")
except Registry.RegistryKeyNotFoundException:
    print("TypedPaths key not found")

# Extract TypedURLs
try:
    key = reg.open("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedURLs")
    print(f"\nTypedURLs - Last Write: {key.timestamp()}")
    for val in key.values():
        print(f"  {val.name():6s} = {val.value()}")
except Registry.RegistryKeyNotFoundException:
    print("TypedURLs key not found")
```
Sample Output
```text
TypedPaths - Last Write: 2026-03-15 23:12:44 UTC
  url1   = \\nas01\executive$
  url2   = C:\Users\jdoe\Desktop\staging
  url3   = \\dc01\c$
  url4   = D:\
  url5   = \\fileserver\engineering\schematics
  url6   = C:\ProgramData
  url7   = \\print-srv\scans
  url8   = C:\Windows\Prefetch

TypedURLs - Last Write: 2026-03-10 14:33:17 UTC
  url1   = https://mail.company.com/owa
  url2   = http://intranet.company.local/hr/policies
  url3   = https://mega.nz
```
The TypedPaths key was last updated on March 15 at 23:12 UTC. The most recent entry (url1) is a hidden administrative share on a NAS device. The sequence url5 → url4 → url3 → url2 → url1 shows: engineering share → USB drive → domain controller admin share → local staging directory → executive NAS share. Entry url8 (C:\Windows\Prefetch) indicates the user was aware of the Prefetch forensic artifact. TypedURLs shows the user typed https://mega.nz — a cloud storage service commonly used for data exfiltration — into Internet Explorer.
Retention & Persistence
| Property | TypedPaths | TypedURLs |
|---|---|---|
| Max entries | ~25 (url1 through url25) | ~25 (url1 through url25) |
| Retention behavior | Rolling buffer; oldest entry dropped when limit reached | Rolling buffer; oldest entry dropped when limit reached |
| Survives reboot | Yes | Yes |
| Survives app uninstall | Yes — key persists in NTUSER.DAT regardless | Yes — persists even after IE removal |
| Time-based expiration | None — entries persist until overwritten or manually deleted | None |
| Timestamp available | Key last-write + TypedPathsTime (Win10 1607+) | Key last-write only |
| Active on Windows 11 | Yes — actively populated | Legacy — only if IE is explicitly used |
The ~25 entry limit means TypedPaths is a small-capacity artifact. On systems where the user frequently types paths into Explorer, older entries are overwritten quickly. However, on systems where the user primarily navigates via clicks, the 25 entries may span weeks or months. The effective retention window depends entirely on user behavior. For users who rarely type paths, a single incriminating entry may persist indefinitely.
Anti-Forensics Resilience
TypedPaths is one of the more resilient registry artifacts because it is not well-known outside the forensic community and is not targeted by most consumer cleanup tools.
| Tool | Clears TypedPaths? | Clears TypedURLs? | Explanation |
|---|---|---|---|
| CCleaner | No | Yes — “Internet Explorer: Typed URLs” | CCleaner has no TypedPaths cleaner; only targets TypedURLs as part of IE cleanup |
| BleachBit | No | Yes — if IE cleaning enabled | No TypedPaths cleaner module exists |
| Windows Disk Cleanup | No | No | Does not target user registry hives |
| Privacy Eraser | No (most versions) | Yes | Focuses on browser artifacts, not Explorer registry keys |
| IE “Delete Browsing History” | No | Yes | IE’s built-in cleanup deletes TypedURLs but has no awareness of TypedPaths |
| Edge “Clear Browsing Data” | No | No | Edge (Chromium) does not interact with IE-era registry keys |
| Manual: reg delete | Yes — if user knows exact path | Yes — if user knows exact path | Requires knowledge of the specific registry key path |
TypedPaths is not in any consumer cleanup tool’s target list. CCleaner, BleachBit, Privacy Eraser, and Windows Disk Cleanup do not clear it. It is not exposed in any Windows Settings panel. The only way to clear TypedPaths is via reg delete or a registry editor — requiring the user to know both that the key exists and its exact path. In practice, even technically sophisticated insiders rarely clear this artifact because they do not know it records their Explorer address bar entries.
MITRE ATT&CK Detection Mapping
TypedPaths and TypedURLs data provides evidentiary support for detecting the following MITRE ATT&CK techniques:
| Technique | Name | TypedPaths/TypedURLs Evidence |
|---|---|---|
| T1083 | File and Directory Discovery | TypedPaths entries showing navigation to multiple directories; systematic browsing of file server shares and administrative paths |
| T1005 | Data from Local System | TypedPaths showing navigation to sensitive local directories (C:\Users\[other]\Documents, C:\ProgramData\[app]\config) |
| T1039 | Data from Network Shared Drive | UNC paths in TypedPaths (\\server\share); particularly hidden/administrative shares (c$, admin$) |
| T1135 | Network Share Discovery | Multiple UNC paths to different servers in TypedPaths indicates deliberate share enumeration via Explorer |
| T1021 | Remote Services | Administrative share access (\\host\c$, \\host\admin$) typed into Explorer indicates interactive lateral movement |
| T1074 | Data Staged | TypedPaths showing navigation to staging directories and removable media (D:\, E:\) in sequence with network share access |
Related Artifacts & Cross-References
Corroborating Artifacts
| Artifact | Relationship to TypedPaths/TypedURLs | Cross-Correlation Value |
|---|---|---|
| ShellBags | Record folder browsing history in UsrClass.dat and NTUSER.DAT | ShellBags show all folders visited (typed or clicked); TypedPaths filters for only typed navigation, proving intent |
| MRU Lists | RecentDocs, OpenSavePidlMRU, RunMRU track file access and commands | RunMRU may contain the same UNC paths from TypedPaths; OpenSavePidlMRU may show files saved from those locations |
| LNK Files | Shortcuts created when files are opened from Explorer | LNK files can confirm files were accessed from paths recorded in TypedPaths |
| Security.evtx | Event ID 4624 (logon), 5140 (share access), 5145 (share permission check) | Security logs confirm whether the user successfully authenticated to network shares listed in TypedPaths |
| SRUM.db | Network transfer volumes per application | If TypedPaths shows network share access, SRUM can quantify how much data was transferred during that session |
| $UsnJrnl | File system change journal; records file copy and move operations | $UsnJrnl can confirm files were copied from locations referenced in TypedPaths to staging directories |