
What is a Windows .lnk file?


A .lnk is a Windows Shell Link — the small binary file created when you "create a shortcut" to a program, document or folder. It looks trivial in Explorer. The binary is anything but. The format is fully specified in [MS-SHLLINK], and once you have read a few you start treating shortcuts as one of the most informative artifacts Windows produces.

What's inside

The format is a fixed 76-byte header followed by a series of optional sections, each gated by a bit in the header's LinkFlags. In the order a parser reads them:

  • ShellLinkHeader — flags, the target's NTFS attributes, three FILETIME timestamps (creation, access, write of the target as seen when the link was made), the show-window command, the icon index, and a hot key.
  • LinkTargetIDList — the shell item ID list that walks the Explorer namespace from a root folder to the target.
  • LinkInfo — VolumeID (drive type, serial, label), LocalBasePath, and CommonNetworkRelativeLink if the target lived on a network share.
  • StringData — NAME_STRING, RELATIVE_PATH, WORKING_DIR, COMMAND_LINE_ARGUMENTS, ICON_LOCATION. Length-prefixed in characters, ANSI or UTF-16LE depending on the IsUnicode flag.
  • ExtraData — optional blocks, each with a 4-byte signature: EnvironmentVariableDataBlock, ConsoleDataBlock, TrackerDataBlock, SpecialFolderDataBlock, ConsoleFEDataBlock, DarwinDataBlock, IconEnvironmentDataBlock, ShimDataBlock, PropertyStoreDataBlock, KnownFolderDataBlock, VistaAndAboveIDListDataBlock.

The TrackerDataBlock is the famous one: it carries the originating machine's NetBIOS name and a "droid" GUID whose last six bytes are the MAC address of the link-creating machine. That single block is responsible for a long list of public attribution wins, including several APT reports that named the build VM behind a campaign.

Why it matters

Because a shortcut records where it was created and what it pointed at, .lnk files are a staple of DFIR. They reveal removable drives, deleted files, network shares and the originating machine — even after the target is long gone. The three header FILETIMEs are a snapshot of the target's metadata at link creation; combined with the link's own MFT entry, they pin both "when the user saw the target" and "when the user wrote the link". Standalone shortcuts live everywhere — Desktop, Start Menu, %APPDATA%\Microsoft\Windows\Recent\, removable drives — and the same LNK structure also forms the payload of every entry in Jumplist files under Recent\AutomaticDestinations\ and Recent\CustomDestinations\.
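A minimal parser that walks the sections listed above, pulls the machine name and MAC out of the TrackerDataBlock, and orders the timestamps a shortcut carries, added here as an example; it is not the site's Rust crate and not Microsoft's code. It builds a constructed .lnk in memory (every value in it, including the host name BUILD-VM01, the MAC 00:11:22:33:44:55, the volume serial and the paths, is made up) and then decodes it. Assumed simplifications: the LinkTargetIDList is skipped rather than walked, CommonNetworkRelativeLink is not decoded, ANSI strings are treated as cp1252, and the link-creation estimate comes from the file object ID in the droid, which the Link Tracking service generates as a version-1 (time-based) GUID.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# LinkFlags bits (MS-SHLLINK 2.1.1). StringData fields appear in exactly this order when present.
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRINGDATA = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
              (0x20, "arguments"), (0x40, "icon_location")]
TRACKER_SIG = 0xA0000003
DRIVE_TYPES = {2: "REMOVABLE", 3: "FIXED", 4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME: 100 ns ticks since 1601
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)     # UUIDv1: 100 ns ticks since 1582
US = timedelta(microseconds=1)

def utc(*a):
    return datetime(*a, tzinfo=timezone.utc)

def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // US) * 10

def make_v1_uuid(dt, node):
    """Version-1 UUID with a fixed timestamp and node, shaped like the object IDs the
    Link Tracking service assigns (constructed for the sample, not a real droid)."""
    ts = ((dt - UUID_EPOCH) // US) * 10
    return uuid.UUID(fields=(ts & 0xFFFFFFFF, (ts >> 32) & 0xFFFF,
                             ((ts >> 48) & 0x0FFF) | 0x1000, 0x80, 0x42, node))

def read_cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("cp1252")

def parse_lnk(data):
    size, clsid, flags, attrs, ct, at, wt = struct.unpack_from("<I16sIIQQQ", data, 0)
    if size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    ft = lambda t: FILETIME_EPOCH + timedelta(microseconds=t // 10)
    rec = {"flags": flags, "attributes": attrs, "target_created": ft(ct),
           "target_accessed": ft(at), "target_written": ft(wt)}
    pos = 0x4C
    if flags & HAS_IDLIST:  # IDListSize does not count its own two bytes; list not walked here
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        li_size, _hdr, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath; offsets are relative to LinkInfo start
            dtype, serial, label_off = struct.unpack_from("<III", data, pos + vol_off + 4)
            rec["volume"] = {"drive_type": DRIVE_TYPES.get(dtype, dtype), "serial": f"{serial:08X}",
                             "label": read_cstr(data, pos + vol_off + label_off)}
            rec["local_base_path"] = read_cstr(data, pos + base_off)
        pos += li_size  # CommonNetworkRelativeLink (flag 0x2) is not decoded in this example
    for bit, key in STRINGDATA:  # CountCharacters, then the characters, no terminator
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            rec[key] = data[pos:pos + n * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += n * width
    while pos + 8 <= len(data):  # ExtraData: BlockSize, BlockSignature, payload; size < 4 ends it
        bsize, sig = struct.unpack_from("<II", data, pos)
        if bsize < 4:
            break
        if sig == TRACKER_SIG:  # MachineID at +16 (16 bytes), file object-ID droid at +48
            droid = uuid.UUID(bytes_le=data[pos + 48:pos + 64])
            rec["tracker"] = {
                "machine_id": data[pos + 16:pos + 32].split(b"\x00", 1)[0].decode("cp1252"),
                "mac": ":".join(f"{b:02x}" for b in droid.bytes[-6:]),   # UUIDv1 node field
                "droid_time": UUID_EPOCH + timedelta(microseconds=droid.time // 10)
                if droid.version == 1 else None}
        pos += bsize
    return rec

def timeline(rec):
    """Sort what the link says about time: the header's snapshot of the target's FILETIMEs plus
    the object-ID generation time from the droid (the link was written at or after that)."""
    ev = [(rec[k], k) for k in ("target_created", "target_accessed", "target_written")]
    if rec.get("tracker", {}).get("droid_time"):
        ev.append((rec["tracker"]["droid_time"], "tracker_droid_generated"))
    return sorted(ev)

def build_sample_lnk():
    """Constructed sample, not a capture: a Unicode link to a document on a removable drive,
    with arguments and a TrackerDataBlock from a machine called BUILD-VM01."""
    flags = HAS_IDLIST | HAS_LINKINFO | 0x08 | 0x10 | 0x20 | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, flags, 0x20,
                         dt_to_filetime(utc(2023, 5, 1, 9, 30)), dt_to_filetime(utc(2023, 5, 2, 10, 5)),
                         dt_to_filetime(utc(2023, 5, 1, 17, 0)), 40960, 0, 1, 0, 0, 0, 0)
    item = b"\x2fE:\\\x00"  # one drive-letter shell item, followed by the 2-byte TerminalID
    idlist = struct.pack("<H", len(item) + 2) + item + b"\x00\x00"
    idlist = struct.pack("<H", len(idlist)) + idlist
    label, base = b"USB_STICK\x00", b"E:\\docs\\report.docx\x00"
    vol = struct.pack("<IIII", 16 + len(label), 2, 0x1A2B3C4D, 0x10) + label  # DRIVE_REMOVABLE
    linkinfo = struct.pack("<IIIIIII", 0x1C + len(vol) + len(base) + 1, 0x1C, 0x1, 0x1C,
                           0x1C + len(vol), 0, 0x1C + len(vol) + len(base)) + vol + base + b"\x00"
    ustr = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    strings = ustr(".\\docs\\report.docx") + ustr("E:\\docs") + ustr("/view")
    vol_droid = uuid.UUID("1f6a9c9e-4b2d-4f77-9c35-2c6a1b0d3e4f")  # arbitrary volume object ID
    file_droid = make_v1_uuid(utc(2023, 5, 2, 10, 0), 0x001122334455)
    droids = vol_droid.bytes_le + file_droid.bytes_le
    tracker = (struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0) + b"BUILD-VM01".ljust(16, b"\x00")
               + droids + droids)  # Droid, then DroidBirth (equal when the file never moved)
    return header + idlist + linkinfo + strings + tracker + b"\x00\x00\x00\x00"  # TerminalBlock

if __name__ == "__main__":
    rec = parse_lnk(build_sample_lnk())
    for k, v in rec.items():
        print(f"{k:18} {v}")
    for when, what in timeline(rec):
        print(when.isoformat(), what)
```

The droid timestamp is a lower bound rather than the link's own creation time: the object ID is assigned to the target when the tracking service first needs one, so the shortcut can only have been written at or after it. A triage that compares that value against the header FILETIMEs and the link's own MFT timestamps is where most of the "when did the user see this" answers come from.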

Privacy

The parser on this site is a Rust crate compiled to WebAssembly. The file decodes in your browser. It never crosses the network, nothing is uploaded, no telemetry. That matters because a .lnk from a real environment leaks the username, NetBIOS hostname, MAC address and document paths of the machine that wrote it — fields you generally do not want crossing a vendor boundary.

Further reading