TypedPaths
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
TypedPaths records every path a user manually entered into the Explorer address bar. This separates high-confidence, deliberate navigation from passive file browsing — a user typing \\SERVER01\Finance\ directly into Explorer knew exactly where they were going, which is precisely why this artifact can prove intent.
Key Name
url1, url2 ... url25 — REG_SZ values storing up to 25 manually typed paths in MRU order
Trace Type
Search
Hive
NTUSER.DAT
Last Write Time
Reflects the last time a new path was typed into the Explorer bar — correlates directly with the moment of deliberate navigation for incident timeline work.
User Specific
Yes Stored in the individual user's NTUSER.DAT. Each profile has its own independent TypedPaths list.
Forensic Value
- Prove deliberate navigation intent: A typed path requires conscious input. Finding a staging directory here destroys any claim of accidental access.
- Identify lateral movement targets: UNC paths typed here reveal which network resources an attacker sought out.
- Corroborate other artifacts: Cross-reference TypedPaths with ShellBags to build a multi-layered proof of directory access that is extremely difficult to refute.
For more Info check out these Articles: ShellBags