Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: A comprehensive list of all Windows 7 history locations

27 Jul 2015   #1
Cetus35

Windows 10 Pro x64
 
 
A comprehensive list of all Windows 7 history locations

Hi all,

This may seem like a conspiracy theorist post or paranoia out of control but I assure you it's not.

It's a quest for the ultimate privacy. A lot of people say that "If you have nothing to hide, don't worry about it", but I don't subscribe to that line of thought. If it's MINE, no one has any business with it unless I Ok it.

Some people automatically assume that if you use e-mail encryption you must be communicating with terrorists and if you use file, folder, or full disk encryption you must be hiding child pornography.

These people are ignorant of the many, many legitimate reasons for wanting or needing full and absolute privacy and security. I'm not going to sit here all day and list all those reasons. Just start Googling and educate yourself.

Ok, moving on:
What this post is about is a hope to provide a comprehensive list of everywhere in Windows 7 (and 8/8.1/10, just in different locations) that there is a history stored without your knowledge.

If you allow Microsoft Word's 'Recent Documents', for example, to store a list of recently opened documents so you don't have to dig for that last few documents you may want to open quickly, then that is all well and good. You KNOW there's a list of what you opened. You can turn that feature off easily.

Also, browser history in most every browser can easily be cleared.

The issue I'm discussing here is what is stored without your consent or knowledge.
Once this list starts getting larger, you'll see what I mean. I believe you will be unpleasantly surprised at what is stored.

I'm hoping people more knowledgeable that myself can add to this list.

If you have nothing to say except "y u so parynoid???' and "wru so wurried abt hiding??" and the like, please just keep it to yourself.
This post is about security.

Here's most of what I know so far, some of which applies to certain situations, some of which applies to everyone:

1) With certain files and situations, opening the file is an event stored in the Windows logs.
Sometimes it will just be the drive letter (C: for example) but may include the full path and sometimes even the file name.
Why be worried about this?
For example, my son who is very knowledgeable about computers, had a wonderful girlfriend named Madi. They broke up and it turned into a very nasty situation. She and I, however, still get along fine. Of course for us to get along smoothly, I have to tell him that I never talk to her. Say she sends me a new picture of herself on Facebook named 'Madi01-Jul2015.jpg'. I put it in a hidden folder but I open it with Windows Photo Viewer (the default viewer).

Ok, everything is fine.

But say he's on my computer and it crashes for some reason or the other. He looks through Event Viewer to look for the error and stumbles across an entry that indicates that file 'Madi01-Jul2015.jpg' was opened at 11:23 a.m. yesterday. That's going to cause a huge argument between us.

Reproduce this problem: This issue is not easy to reproduce but it can be done. It's a pretty cryptic and lengthy process and if anyone wants to know how, just contact me. I don't want to unnecessarily make this post longer than it already is.


Much worse than the above issue.
2) ALL opened photos (or any graphical file at all) are stored as a thumbnail in Windows 7 in hidden files in a hidden folder.
This 'thumbcache' is not to be confused with the 'thumbs.db' file that is stored in mostly every single folder that contains any graphics files. If you have 'Show hidden files, folder, and drives' selected in 'Folder Options', these files are visible and are easily deleted.

The 'thumbcache' files are a completely different animal. They cannot be deleted (they will immediately reappear) or cleared of their contents easily, although there are ways to do so.

Reproduce this problem:
1) Open any folder and press the Alt key.
2) Click on Tools, then Folder Options, then on the View tab
3) Put a check mark beside Always show menus and Show hidden files, folders, and drives.
4) Remove the check mark from Hide extensions for known file types and Hide protected operating system files. Click OK or Yes on any dialog box that opens.

5) Navigate to the Explorer folder at C:\Users\[your username]\AppData\Local\Microsoft\Windows\Explorer

The easiest way to do this is to copy and past this address into the search box that is located when you click on the Start Orb on the lower left of the desktop, and press Enter.
Make sure you have replaced '[your username]' with the name of the current Windows user. You will see files named 'thumbcache_32.db', 'thumbcache_96.db', thumbcache_256.db', etc.

At this point there is nothing you can do with these files. Delete them, view them, nothing.

6) Ok, for the shocker: Download and run Thumbcache Viewer at https://thumbcacheviewer.github.io/

7) When the program is open, click on File, then Open.

Navigate again to the Explorer folder at C:\Users\[your username]\AppData\Local\Microsoft\Windows\Explorer and select one of the files. 32, 96, 256, etc.
Some of the files here do not contain thumbnails and can't be opened with Thumbcache Viewer. That's ok.

In the program, click on View then Hide Blank Entries.

Click on any one of the remaining files to view the thumbnail of every single photo or graphics file you have ever opened.

Unpleasantly surprised? I was.

These files cannot be deleted but there are a couple of ways to clear their contents, neither of which is 100% efficient.

With CCleaner, open it and make sure Thumbnail Cache is selected (on the left), Click Analyze then Run Cleaner. This sometimes works and sometimes doesn't.

A method that seems to work more efficiently is to use the Windows utility, Disk Cleanup.

1) Double-click on the Computer icon located on the desktop
2) Right-click the system drive (normally C: ) and select Properties.
3) Click on the Disk Cleanup button. If you have never run this before it will take several minutes.

4) In the 'Files to delete:' section you can select or deselect anything you wish, just make sure 'Thumbnails' is selected.

5) Click on OK then on Delete Files.

6) Reboot the computer. The thumbnailcache files should now display a much smaller size than they did when you saw them before. If not, then nothing was cleared.

Another way, which may be acceptable to some users but it's not to me as it causes a reduction of the functionality of the system is to completely turn off the creation of thumbnails altogether. This means that when you open a folder that has a great many files, from your birthday party digital camera use, for instance, it will show the Windows default icon for images instead of the thumbnails you're used to. You will have to open every single file to see what it is.

To turn off thumbnails completely:
1) Open any folder
2) Click on Tools then Folder Options then the View tab.
3) Put a check mark in 'Always show icons, never thumbnails'


Summary:
Security problems in Windows: (especially things recorded without the user's knowledge)

1) Events in Windows logs concerning file names and locations
2) Thumbcache files
3) Data retention in RAM (Retained even after reboot, but not when the system is shut down for several minutes)
4) Data retained in the page file (pagefile.sys)
5) Data retained in the Hibernation file (hiberfil.sys)

6) 'Persisted' key in the Registry.
Seems to store the name and location of all executable (.exe) setup files that were moved from one folder to another. For example, a file named 'kmplayer_install.exe' that was originally in the Download folder but was later moved to a folder named Set Up Later . The registry records this, i.e. that it is no longer present where it once was. Take note that this is the single setup file only (not the application), before it was set up. Not moving the file(s) after setup was complete.

If you run CCleaner, this is named an 'Application Path Issue', which is not accurate. The path to the setup file is recorded, not the applications installation folder.

This key is located at:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted

7) 'MuiCache' key in the Registry.
This seems to store a large list of executable files (.exe) on the system that has been run, either by the user or the system.

This could be a huge problem, for example, if a person got into trouble for illegally downloading copyrighted material and the user uninstalled uTorrent and FrostWire before the police got there and then denied ever having used such programs. A forensic analyst (or anybody) can easily see in this Registry key that indeed 'utorrent.exe' and 'frostwire.exe' were run.

This is a bad example since it concerns illegal activity but I just used it as a quick example. Obviously, the 'workaround' to this particular issue is not to download files illegally.

The topic remains 'Windows storing data without your knowledge or consent'.

This MuiCache key is at:
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

If you run CCleaner this is named a 'Missing MUI Reference', which like the above example, is not accurate since most of the files listed are exactly where they are supposed to be and the programs run fine.

Please add to this list. In detail, or how to see the issue that is named, i.e. reproduce the issue.


Thank you for any additional information you may provide.




.


My System SpecsSystem Spec
.
27 Jul 2015   #2
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

You forgot about webcachev01.dat, Shell Bags and $UsnJrnl not to mention the following:

Forensic analysis of the ESE database in Internet Explorer 10 (or 11)
My System SpecsSystem Spec
Reply

 A comprehensive list of all Windows 7 history locations




Thread Tools Search this Thread
Search this Thread:

Advanced Search




Similar help and support threads
Thread Forum
Accidentally deleted/cleared "view and track download" history list
I accidentally deleted all the information in the "View and Track Your Downloads" list/history. Is there any way to restore the download list, preferably the entire history? Please advise and help if you can. Thank you.
General Discussion
Acronis True Image - tidying up the list of backup locations
Over years of using Acronis True Image I have created image files in several folders and with different file names. As a result, my "Backup location" lists many file name formats that I no longer use (please see the screenshot). Can anyone tell me how to tidy up that list? I cannot see any...
Backup and Restore
Common Dialog Boxes - Clear Dropdown List of Recent Files History
How to Reset and Clear Common Dialog Boxes Dropdown List of Recent Files History The common open file dialog box is the one that opens when you click on File (menu bar), and say either Open, Save, Import, or Export. This will show you how to reset and clear the list of most recently used...
Tutorials
IE 8 Jump List Does Not Display History
The Jump Lists for all other programs display recent items correctly. It's only IE 8 that isn't remembering/displaying recently browsed sites - History/Frequent. Um, ideas?! THANK YOU!
General Discussion
A Comprehensive list of Uninstallers
tired of uninstalling an av/app that won't go away....leave remnants....look no further just read here..... Ultimate List of Uninstallers
Software
Jump List History location?
Hello again :D , there is something confusing me about the new 'Jump List', and to explain that i made following screenshots: As you see on this screenshot, Paint stores a list of recently accessed files in the Jump List and in the Registry under: But even after deleting the...
General Discussion


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 17:25.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App