WordWheelQuery
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
WordWheelQuery stores the search terms a user typed into the File Explorer search bar. These are drive-local queries — not Cortana or web searches — and they reflect what a user was actively looking for on the machine at a specific point in time. In an intrusion scenario, this is a direct window into an attacker's reconnaissance mindset.
Key Name
0, 1, 2 ... — REG_SZ values storing search terms in MRU order; MRUListEx encodes the access sequence
Trace Type
Search
Hive
NTUSER.DAT
Last Write Time
Reflects the last time a new search term was added — use this to anchor search activity to a specific time window within the investigation.
User Specific
Yes. Scoped entirely to the individual user's NTUSER.DAT. Search history is not shared across accounts.
Forensic Value
- Reveal attacker reconnaissance: Search terms like "password" or "financial" typed into Explorer search reveal what an attacker was hunting for. Compare these with TypedPaths to see if they manually navigated to identified targets.
- Prove knowledge of sensitive material: A search for a specific name or classified code demonstrates awareness and intent, not accidental discovery.
- Reconstruct interactive session activity: WordWheelQuery entries combined with ShellBags build a full picture of user navigation during an interactive session.
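The ordering described under Key Name, as an added example that is not part of the original page: it decodes MRUListEx (an array of little-endian 32-bit value names ended by 0xFFFFFFFF, most recent first) and lists the search terms in that order, flagging entries that are listed but missing or present but unlisted. Assumptions: value data arrives from your hive parser as raw UTF-16LE bytes or as decoded strings; the function names and the sample values are constructed for illustration.

```python
import struct

MRU_END = 0xFFFFFFFF  # terminator of an MRUListEx array


def parse_mrulistex(data: bytes) -> list[int]:
    """Return the numeric value names in MRU order, most recent first."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data[: len(data) // 4 * 4]):
        if idx == MRU_END:
            break
        order.append(idx)
    return order


def decode_term(raw) -> str:
    """Decode value data: raw UTF-16LE bytes or an already-decoded string."""
    if isinstance(raw, bytes):
        raw = raw[: len(raw) // 2 * 2].decode("utf-16-le", errors="replace")
    return raw.split("\x00", 1)[0]  # drop the terminator and anything after it


def order_search_terms(values: dict) -> list[dict]:
    """Order one WordWheelQuery key's values from most to least recent search."""
    order = parse_mrulistex(values.get("MRUListEx", b""))
    rows = []
    for rank, name in enumerate(map(str, order)):
        raw = values.get(name)
        rows.append({"rank": rank, "name": name,
                     "term": None if raw is None else decode_term(raw),
                     "note": "" if raw is not None else "in MRUListEx, value missing"})
    # Numbered values that MRUListEx does not mention: report, but claim no order.
    extra = [n for n in values if n.isdigit() and int(n) not in order]
    for name in sorted(extra, key=int):
        rows.append({"rank": None, "name": name, "term": decode_term(values[name]),
                     "note": "not referenced by MRUListEx"})
    return rows

# Constructed sample: one user's key as a hive parser might return it.
SAMPLE = {
    "MRUListEx": struct.pack("<5I", 2, 0, 1, 4, MRU_END),
    "0": "password".encode("utf-16-le") + b"\x00\x00",
    "1": "financial".encode("utf-16-le") + b"\x00\x00",
    "2": "vpn config".encode("utf-16-le") + b"\x00\x00",
    "3": "invoice".encode("utf-16-le") + b"\x00\x00",
}

if __name__ == "__main__":
    print(*order_search_terms(SAMPLE), sep="\n")
```

Only the rank 0 term can be tied to the key's Last Write Time; the remaining ranks give relative order, not timestamps.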
For more info, check out these articles: TypedPaths