Blog
Notes on the Windows Shell Link format and this tool.
- How to open a .lnk file (and read what's inside)
5/25/2026
Opening a Windows .lnk file usually runs its target, not the shortcut itself. Here is how to inspect the .lnk's actual binary contents safely, in your browser, with PowerShell, or with a hex viewer.
- Forensic analysis of .lnk files: what investigators look for
5/25/2026
A field guide to the artifacts hiding inside Windows shortcut files: origin machine NetBIOS name, MAC-derived droid GUID, target FILETIMEs, volume serials, and how DFIR teams use them to reconstruct activity.
- LNK file malware: how Windows shortcuts get weaponized
5/25/2026
Why .lnk shortcut files are an attacker's preferred delivery vector, from Stuxnet's CVE-2010-2568 to today's ISO+LNK phishing campaigns, and how to spot a malicious one before it runs.
- Inside MS-SHLLINK: a field-by-field tour of the .lnk binary format
5/25/2026
A practical walkthrough of every section of a Windows .lnk file: ShellLinkHeader, LinkTargetIDList, LinkInfo, StringData and ExtraData, cross-referenced to the MS-SHLLINK specification.
- What is a Windows .lnk file?
5/18/2026
A short, technical tour of the Windows Shell Link (.lnk) binary format: its header, link flags, LinkInfo, StringData and ExtraData blocks, plus what this client-side parser extracts from each one.