< Back
Get-ForensicExplorerTypedPath
Post
NAME Get-ForensicExplorerTypedPath
SYNOPSIS
Gets the file paths that have been typed into the Windows Explorer application.
SYNTAX
Get-ForensicExplorerTypedPath [-VolumeName <String>] [<CommonParameters>]
Get-ForensicExplorerTypedPath -HivePath <String> [<CommonParameters>]
DESCRIPTION
The Get-ForensicExplorerTypedPath cmdlet parses a user's NTUSER.DAT file to derive the file paths that have been
typed into the Windows Explorer application.
Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the
Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.
PARAMETERS
-VolumeName [<String>]
Specifies the name of the volume or logical partition.
Enter the volume name in one of the following formats: \\\\.\\C:, C:, or C.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-HivePath <String>
Registry hive to parse.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
None
OUTPUTS
System.String
-------------------------- EXAMPLE 1 --------------------------
[ADMIN]: PS C:\\>Get-ForensicExplorerTypedPath -VolumeName \\\\.\\C:
This command gets the URLs typed into Internet Explorer from all user's NTUSER.DAT hives on the C: logical volume.
-------------------------- EXAMPLE 2 --------------------------
[ADMIN]: PS C:\\>Get-ForensicExplorerTypedPath -HivePath C:\\Users\\Public\\NTUSER.DAT
This command gets the URLs typed into Internet Explorer from the C:\\Users\\Public\\NTUSER.DAT hive.
RELATED LINKS
SYNOPSIS
Gets the file paths that have been typed into the Windows Explorer application.
SYNTAX
Get-ForensicExplorerTypedPath [-VolumeName <String>] [<CommonParameters>]
Get-ForensicExplorerTypedPath -HivePath <String> [<CommonParameters>]
DESCRIPTION
The Get-ForensicExplorerTypedPath cmdlet parses a user's NTUSER.DAT file to derive the file paths that have been
typed into the Windows Explorer application.
Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the
Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.
PARAMETERS
-VolumeName [<String>]
Specifies the name of the volume or logical partition.
Enter the volume name in one of the following formats: \\\\.\\C:, C:, or C.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-HivePath <String>
Registry hive to parse.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
None
OUTPUTS
System.String
-------------------------- EXAMPLE 1 --------------------------
[ADMIN]: PS C:\\>Get-ForensicExplorerTypedPath -VolumeName \\\\.\\C:
This command gets the URLs typed into Internet Explorer from all user's NTUSER.DAT hives on the C: logical volume.
-------------------------- EXAMPLE 2 --------------------------
[ADMIN]: PS C:\\>Get-ForensicExplorerTypedPath -HivePath C:\\Users\\Public\\NTUSER.DAT
This command gets the URLs typed into Internet Explorer from the C:\\Users\\Public\\NTUSER.DAT hive.
RELATED LINKS