JLECmd
A forensic command-line tool for parsing Windows Jump List artifacts to reconstruct program execution and user activity.
JLECmd is a specialized Windows forensics utility developed by Eric Zimmerman for parsing and analyzing Jump List artifacts. Jump Lists are automatically created by Windows to track user interaction with applications and recently accessed files, making them a valuable source of evidence for timeline reconstruction and execution analysis.
JLECmd is designed for accuracy, speed, and automation, and is widely used in DFIR investigations, malware analysis, and insider threat cases.
What JLECmd Does
JLECmd parses AutomaticDestinations and CustomDestinations Jump List files to extract detailed records of application usage. These artifacts can reveal when a program was executed, which files were accessed, how frequently an application was used, and which user account initiated the activity.
Because Jump Lists are generated by the operating system, they often persist even after files or applications have been deleted, providing investigators with durable evidence of past behavior.
Key Features of JLECmd
AutomaticDestinations Parsing
Extracts execution and file access data from automatic Jump List files.
CustomDestinations Support
Parses application-defined Jump Lists for additional context.
Program Execution Evidence
Identifies application launches, execution counts, and associated timestamps.
File and Path Reconstruction
Recovers full file paths, volumes, and network locations accessed by applications.
Accurate Timestamp Extraction
Parses multiple time fields for reliable timeline analysis.
User Attribution
Associates Jump List activity with specific Windows user profiles.
Command-Line Automation
Designed for batch processing and large-scale investigations.
CSV and JSON Output
Exports structured data for reporting and correlation.
KAPE Compatibility
Easily integrated into automated DFIR collection workflows.
Advanced Use Cases
Timeline Reconstruction
Rebuild user and application activity timelines during investigations.
Malware and Living-off-the-Land Analysis
Identify execution of tools such as PowerShell, cmd.exe, PsExec, or custom malware.
Insider Threat Investigations
Correlate user behavior with sensitive file access and program usage.
Incident Response
Confirm attacker tool execution and post-compromise activity.
Legal and Compliance Investigations
Provide defensible evidence of application and file usage.
Latest Updates (as of 2026)
Recent developments and maintenance highlights include:
Continued support for modern Windows 10 and Windows 11 formats
Improved parsing accuracy for complex Jump List entries
Performance enhancements for large datasets
Ongoing alignment with Windows artifact research
Regular updates within the Zimmerman forensic tool ecosystem
JLECmd remains actively maintained and is considered a reference-standard tool for Jump List analysis.
Why It Matters
Jump Lists offer high-confidence evidence of program execution and user interaction that often survives file deletion and application removal. JLECmd transforms these low-level artifacts into actionable forensic intelligence.
For investigators, it provides critical visibility into how systems were used, when applications were launched, and which files were accessed. These insights are often unavailable through logs alone.
Requirements and Platform Support
JLECmd runs on:
Windows
It requires:
Jump List files (AutomaticDestinations-ms, CustomDestinations-ms)
Access to user profile directories or collected forensic images
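Before pointing JLECmd at a collection, it helps to know which Jump List files are present and which profile owns each one. The Python below is an added example (not JLECmd's or this page's own code) that inventories them per user and flags automatic lists that lack the OLE compound file signature; the profile path layout is an assumption, and the function names, user names and AppIDs are constructed placeholders.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Assumption (not from the page): the usual per-user location
# Users\<profile>\AppData\Roaming\Microsoft\Windows\Recent\<Kind>Destinations
RECENT = "AppData/Roaming/Microsoft/Windows/Recent"
NAME = re.compile(r"^([0-9a-f]+)\.(automatic|custom)Destinations-ms$", re.I)
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file signature

def inventory_jump_lists(root):
    """Group Jump List files under a collected tree by owning user profile."""
    root, by_user = Path(root), defaultdict(list)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).parts
        lowered = [part.lower() for part in rel]
        match = NAME.match(path.name)
        if not match or "users" not in lowered[:-2]:
            continue  # not a Jump List, or not inside a user profile
        kind = match.group(2).lower()
        header_ok = None  # the signature check applies to automatic lists only
        if kind == "automatic":
            with path.open("rb") as fh:
                header_ok = fh.read(8) == OLE_MAGIC  # False if empty or truncated
        by_user[rel[lowered.index("users") + 1]].append({
            "app_id": match.group(1).lower(), "kind": kind,
            "size": path.stat().st_size, "header_ok": header_ok})
    return dict(by_user)

def build_sample_tree(root):
    """Constructed sample data: two profiles with placeholder AppIDs and content."""
    samples = {
        f"Users/alice/{RECENT}/AutomaticDestinations/aaaaaaaaaaaaaaaa.automaticDestinations-ms": OLE_MAGIC + bytes(504),
        f"Users/alice/{RECENT}/CustomDestinations/bbbbbbbbbbbbbbbb.customDestinations-ms": bytes(16),
        f"Users/bob/{RECENT}/AutomaticDestinations/cccccccccccccccc.automaticDestinations-ms": b"",
    }
    for rel, data in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for user, items in inventory_jump_lists(tmp).items():
            for item in items:
                print(user, item)
```

A `header_ok` value of False marks an automatic list that is empty or truncated, which is worth noting in the case record before parsing.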
Official repository and documentation:
https://github.com/EricZimmerman/JLECmd








