Search - WordWheelQuery

Description: Tracks keyword searches within Windows.

Location:

  • C:\Users\<username>\NTUSER.DAT
    • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

Notes:

  • In Windows 7, the WordWheelQuery keeps track of keyword searches from the start menu.
  • In Windows 10, the WordWheelQuery keeps track of searches within Windows Explorer.

Analysis: Using Registry Explorer by Eric Zimmerman, we can load the NTUSER.DAT registry hive from the user account that we're analyzing and select the NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery registry key.



In Windows 10, searching for a file within Windows Explorer will add an entry to the WordWheelQuery.



The WordWheelQuery registry key will list keyword searches in most recently used (MRU) order.
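
Added example (not part of the original note and not Registry Explorer's code): rebuilding the MRU order by hand from the key's raw values. The key stores each search term as a numbered binary value holding a null-terminated UTF-16LE string, and an MRUListEx value holding 32-bit little-endian indices ending in 0xFFFFFFFF. Assumptions: the values have already been exported from the hive into a dict of name to bytes, and the sample terms below are constructed.

```python
import struct

MRU_TERMINATOR = 0xFFFFFFFF  # marks the end of the MRUListEx index array


def parse_mrulistex(data: bytes) -> list[int]:
    """Return value indices in most-recently-used order (newest first)."""
    order = []
    # Walk whole 4-byte words only, so a truncated value does not raise.
    for off in range(0, len(data) - len(data) % 4, 4):
        (idx,) = struct.unpack_from("<I", data, off)
        if idx == MRU_TERMINATOR:
            break
        order.append(idx)
    return order


def decode_term(data: bytes) -> str:
    """Decode a numbered value: UTF-16LE text up to the first null."""
    text = data[: len(data) - len(data) % 2].decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]


def searches_in_mru_order(values: dict[str, bytes]) -> list[tuple[int, str]]:
    """Pair each MRUListEx index with its decoded search term."""
    result = []
    for idx in parse_mrulistex(values.get("MRUListEx", b"")):
        raw = values.get(str(idx))
        if raw is None:
            continue  # index is listed but the numbered value is absent
        result.append((idx, decode_term(raw)))
    return result


def _term(s: str) -> bytes:
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed sample: value "2" was searched last, then "0", then "1".
SAMPLE_VALUES = {
    "0": _term("budget 2019"),
    "1": _term("passwords.xlsx"),
    "2": _term("vpn config"),
    "MRUListEx": struct.pack("<4I", 2, 0, 1, MRU_TERMINATOR),
}

if __name__ == "__main__":
    for rank, (idx, term) in enumerate(searches_in_mru_order(SAMPLE_VALUES), 1):
        print(f"{rank}. value {idx}: {term}")
```

The value number reflects the order in which a term was first added, while MRUListEx reflects recency, so the two orderings can differ as they do in the sample.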