A comprehensive list of all Windows 7 history locations


  1. Posts : 17
    Windows 10 Pro x64
       #1


    Hi all,

    This may seem like a conspiracy theorist post or paranoia out of control but I assure you it's not.

    It's a quest for the ultimate privacy. A lot of people say that "If you have nothing to hide, don't worry about it", but I don't subscribe to that line of thought. If it's MINE, no one has any business with it unless I Ok it.

    Some people automatically assume that if you use e-mail encryption you must be communicating with terrorists and if you use file, folder, or full disk encryption you must be hiding child pornography.

    These people are ignorant of the many, many legitimate reasons for wanting or needing full and absolute privacy and security. I'm not going to sit here all day and list all those reasons. Just start Googling and educate yourself.

    Ok, moving on:
    What this post is about is a hope to provide a comprehensive list of everywhere in Windows 7 (and 8/8.1/10, just in different locations) that there is a history stored without your knowledge.

    If you allow Microsoft Word's 'Recent Documents', for example, to store a list of recently opened documents so you don't have to dig for the last few documents you may want to open quickly, then that is all well and good. You KNOW there's a list of what you opened. You can turn that feature off easily.

    Also, browser history in most every browser can easily be cleared.

    The issue I'm discussing here is what is stored without your consent or knowledge.
    Once this list starts getting larger, you'll see what I mean. I believe you will be unpleasantly surprised at what is stored.

    I'm hoping people more knowledgeable than myself can add to this list.

    If you have nothing to say except "y u so parynoid???" and "wru so wurried abt hiding??" and the like, please just keep it to yourself.
    This post is about security.

    Here's most of what I know so far, some of which applies to certain situations, some of which applies to everyone:

    1) With certain files and situations, opening the file is an event stored in the Windows logs.
    Sometimes it will just be the drive letter (C: for example) but may include the full path and sometimes even the file name.
    Why be worried about this?
    For example, my son, who is very knowledgeable about computers, had a wonderful girlfriend named Madi. They broke up and it turned into a very nasty situation. She and I, however, still get along fine. Of course for us to get along smoothly, I have to tell him that I never talk to her. Say she sends me a new picture of herself on Facebook named 'Madi01-Jul2015.jpg'. I put it in a hidden folder but I open it with Windows Photo Viewer (the default viewer).

    Ok, everything is fine.

    But say he's on my computer and it crashes for some reason or the other. He looks through Event Viewer to look for the error and stumbles across an entry that indicates that file 'Madi01-Jul2015.jpg' was opened at 11:23 a.m. yesterday. That's going to cause a huge argument between us.

    Reproduce this problem: This issue is not easy to reproduce but it can be done. It's a pretty cryptic and lengthy process and if anyone wants to know how, just contact me. I don't want to unnecessarily make this post longer than it already is.


    Much worse than the above issue.
    2) ALL opened photos (or any graphical file at all) are stored as a thumbnail in Windows 7 in hidden files in a hidden folder.
    This 'thumbcache' is not to be confused with the 'thumbs.db' file that is stored in mostly every single folder that contains any graphics files. If you have 'Show hidden files, folders, and drives' selected in 'Folder Options', these files are visible and are easily deleted.

    The 'thumbcache' files are a completely different animal. They cannot be deleted (they will immediately reappear) or cleared of their contents easily, although there are ways to do so.

    Reproduce this problem:
    1) Open any folder and press the Alt key.
    2) Click on Tools, then Folder Options, then on the View tab
    3) Put a check mark beside Always show menus and Show hidden files, folders, and drives.
    4) Remove the check mark from Hide extensions for known file types and Hide protected operating system files. Click OK or Yes on any dialog box that opens.

    5) Navigate to the Explorer folder at C:\Users\[your username]\AppData\Local\Microsoft\Windows\Explorer

    The easiest way to do this is to copy and paste this address into the search box that is located when you click on the Start Orb on the lower left of the desktop, and press Enter.
    Make sure you have replaced '[your username]' with the name of the current Windows user. You will see files named 'thumbcache_32.db', 'thumbcache_96.db', 'thumbcache_256.db', etc.

    At this point there is nothing you can do with these files. Delete them, view them, nothing.

    6) Ok, for the shocker: Download and run Thumbcache Viewer at https://thumbcacheviewer.github.io/

    7) When the program is open, click on File, then Open.

    Navigate again to the Explorer folder at C:\Users\[your username]\AppData\Local\Microsoft\Windows\Explorer and select one of the files. 32, 96, 256, etc.
    Some of the files here do not contain thumbnails and can't be opened with Thumbcache Viewer. That's ok.

    In the program, click on View then Hide Blank Entries.

    Click on any one of the remaining files to view the thumbnail of every single photo or graphics file you have ever opened.

    Unpleasantly surprised? I was.

    These files cannot be deleted but there are a couple of ways to clear their contents, neither of which is 100% efficient.

    With CCleaner, open it and make sure Thumbnail Cache is selected (on the left), Click Analyze then Run Cleaner. This sometimes works and sometimes doesn't.

    A method that seems to work more efficiently is to use the Windows utility, Disk Cleanup.

    1) Double-click on the Computer icon located on the desktop
    2) Right-click the system drive (normally C: ) and select Properties.
    3) Click on the Disk Cleanup button. If you have never run this before it will take several minutes.

    4) In the 'Files to delete:' section you can select or deselect anything you wish, just make sure 'Thumbnails' is selected.

    5) Click on OK then on Delete Files.

    6) Reboot the computer. The thumbcache files should now display a much smaller size than they did when you saw them before. If not, then nothing was cleared.

    Another way, which may be acceptable to some users but is not to me, as it causes a reduction of the functionality of the system, is to completely turn off the creation of thumbnails altogether. This means that when you open a folder that has a great many files, from your birthday party digital camera use, for instance, it will show the Windows default icon for images instead of the thumbnails you're used to. You will have to open every single file to see what it is.

    To turn off thumbnails completely:
    1) Open any folder
    2) Click on Tools then Folder Options then the View tab.
    3) Put a check mark in 'Always show icons, never thumbnails'


    Summary:
    Security problems in Windows: (especially things recorded without the user's knowledge)

    1) Events in Windows logs concerning file names and locations
    2) Thumbcache files
    3) Data retention in RAM (Retained even after reboot, but not when the system is shut down for several minutes)
    4) Data retained in the page file (pagefile.sys)
    5) Data retained in the Hibernation file (hiberfil.sys)

    6) 'Persisted' key in the Registry.
    Seems to store the name and location of all executable (.exe) setup files that were moved from one folder to another. For example, a file named 'kmplayer_install.exe' that was originally in the Download folder but was later moved to a folder named 'Set Up Later'. The registry records this, i.e. that it is no longer present where it once was. Take note that this is the single setup file only (not the application), before it was set up. Not moving the file(s) after setup was complete.

    If you run CCleaner, this is named an 'Application Path Issue', which is not accurate. The path to the setup file is recorded, not the application's installation folder.

    This key is located at:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted

    7) 'MuiCache' key in the Registry.
    This seems to store a large list of executable files (.exe) on the system that have been run, either by the user or the system.

    This could be a huge problem, for example, if a person got into trouble for illegally downloading copyrighted material and the user uninstalled uTorrent and FrostWire before the police got there and then denied ever having used such programs. A forensic analyst (or anybody) can easily see in this Registry key that indeed 'utorrent.exe' and 'frostwire.exe' were run.

    This is a bad example since it concerns illegal activity but I just used it as a quick example. Obviously, the 'workaround' to this particular issue is not to download files illegally.

    The topic remains 'Windows storing data without your knowledge or consent'.

    This MuiCache key is at:
    HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

    If you run CCleaner this is named a 'Missing MUI Reference', which like the above example, is not accurate since most of the files listed are exactly where they are supposed to be and the programs run fine.

    Please add to this list. In detail, or how to see the issue that is named, i.e. reproduce the issue.


    Thank you for any additional information you may provide.
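Added example, not part of the original post: a Python audit of what the 'MuiCache' and 'Persisted' keys named in items 6 and 7 reveal, assuming the two keys were exported to a `.reg` file (for instance with `reg export`) and decoded to text. The function names and the sample export are constructed for illustration, and the code assumes value names are executable paths, as the post describes.

```python
import ntpath
import re
from collections import defaultdict

# The two per-user keys named in the post, matched case-insensitively.
KEYS = {k.lower(): label for k, label in {
    r"HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache": "MuiCache",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted": "Persisted",
}.items()}

# "name"=data ; inside the quotes a .reg file escapes \ as \\ and " as \"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg_export(text):
    """Return {key label: [executable paths]} for the two tracked keys."""
    found = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = KEYS.get(line[1:-1].lower())  # None for other keys
            continue
        m = VALUE_RE.match(line) if current else None
        if not m:
            continue
        name = re.sub(r"\\(.)", r"\1", m.group(1))  # undo .reg escaping
        if name.lower().endswith(".exe"):           # skips e.g. "LangID"
            found[current].append(name)
    return dict(found)

def executables_seen(text):
    """Sorted (exe file name, key label) pairs, one per recorded path."""
    return sorted((ntpath.basename(p).lower(), label)
                  for label, paths in parse_reg_export(text).items()
                  for p in paths)

# Constructed sample export (not taken from a real system).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"LangID"=hex:09,04
"C:\\Program Files\\Example\\example.exe"="Example App"
"C:\\Windows\\system32\\notepad.exe"="Notepad"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted]
"C:\\Users\\user\\Downloads\\kmplayer_install.exe"=dword:00000001
'''

if __name__ == "__main__":
    for exe, label in executables_seen(SAMPLE):
        print(f"{label:10} {exe}")
```

Running the same audit before and after a cleanup pass shows whether the entries were actually removed.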


  2. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #2

    You forgot about webcachev01.dat, Shell Bags and $UsnJrnl not to mention the following:

    Forensic analysis of the ESE database in Internet Explorer 10 (or 11)


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.