🕵️‍♂️ Windows Forensics: How to Retrieve and Parse the Emoji Picker History in the FileSystem 👀

Émilio Gonzalez
5 min read · Jul 29, 2022

As you may or may not know, Microsoft added an 🌟 emoji picker 🌟 in Windows 10 (also called emoji keyboard) that looks like this:

My latest used emojis show that I’m an average person

You can open this emoji picker with Win + . (the Windows key and the period key).

Like most emoji keyboards, it suggests the latest used emojis first 🥇. This implies that, somewhere, in the file system, data about the latest emojis used is persisted. I searched the Web to find information about retrieving this for forensics purposes, but found nothing. Let’s dive into this 🤿!

This blog post describes the process that led to parsing the emoji keyboard history. If you’re only interested in how to do it, jump to the end.

This research was done on Windows 10 1809; information for 21H1 is given at the end.

❓ What exactly is the emoji keyboard?

Before any of this, I had no clue how the emoji keyboard worked. To find out, I used Sysinternals’ Procmon. It is a fantastic tool that lets you see how processes interact with Windows, such as file, registry and network operations ☁.

The GUI gets a 7/10: very usable but ugly

What we’re looking for, first, is the executable behind this keyboard. To find that, I did this in procmon:

  1. 🛑 CTRL + E to stop recording events
  2. 🗑️ CTRL + X to clear events
  3. ⏭ In quick succession: CTRL + E → WIN + . → CTRL + E

This records ⏺ events for the short duration where I opened the emoji picker. It gave me about 700 events to go through.

741 events is a breeze when you spend your day analyzing various logs

Going through the logs, one executable caught my attention:

WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe

A quick Google search told me this was the built-in On-Screen Keyboard ⌨. It makes sense that the emoji picker would be part of this Windows component.

Alright, let’s filter for this executable only by right-clicking the process name and choosing “Include […]InputApp.exe”. We’re now down to 69 events 😳!

📜 Yay, Registry…?

There were a lot of registry operations, so I focused on that. Using regedit.exe, I looked in the registry for each value to find my prize, in vain 😔.

Maybe the emoji history was already in memory 🧠. I needed to force the emoji history to update to see where something would be written, so I repeated the previous steps to record events, but instead of simply opening the emoji picker, I actually clicked an emoji to change the history and closed the keyboard. By filtering out most registry operations using right-click → “Exclude […]”, I found this:

VICTORY??

🎊 Yay! When I closed the keyboard, a RegSetValue operation was done on the Registry Value “CategorySetMRU_CategorySet.Emoji.Common” (for 21H1, it’s “CategorySetMRU_CategorySet.ExpressiveEmoji.Common”). That sounds a LOT like what we’re looking for.

MRU is an acronym for “Most Recently Used”

Let’s copy the registry path and paste it into regedit.exe, surely it’s game over… right?

Y NO WORK

No. Because it’s not a regular registry path. WTF is \REGISTRY\A\? Well, according to Microsoft, it’s an Application Hive 🍯:

Application hives are loaded under \REGISTRY\A instead of under \REGISTRY\MACHINE or \REGISTRY\USER

☀ Universal Windows Platform apps

Further Googling informs us that application hives are linked to Universal Windows Platform (UWP) apps.

An app’s settings storage root is located at %LocalAppData%\Packages\<PACKAGEID>

Hype?

This feels close to victory, but the “LocalState” directory is empty 🗑️.

HOWEVER, the previously linked article mentions that under the “Settings” directory, there is a “settings.dat” file that is actually a registry hive 👀.

Settings.dat is a registry hive with some unusual properties:

  • It has two root-level keys: LocalState and RoamingState
  • Values are stored as binary data
  • Value data is postfixed with an 8-byte timestamp that changes on every update
  • Value types used are not REG_SZ, etc., but undocumented, e.g. 0x5F5E104 (integer?), 0x5F5E10B (bool?), 0x5F5E10C (string?)

Sneaky sneaky registry hive

The files cannot be copied ✂️ easily from a live system (there might be a method but the scope of this research is forensics operations, so direct access to the disk 💾 is assumed), so I used FTK Imager to copy the files.

Important: Grab ALL settings.dat files, you need all of them in the same directory to read the hive.

👨‍🍳 Putting it all together

  1. 🔎 Using forensics software, copy the settings.dat* files from %localappdata%\Packages\InputApp_cw5n1h2txyewy\Settings (for Windows 10 1809) or %localappdata%\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings (for Windows 10 21H1)
  2. ⏫ Open regedit.exe
  3. ⏬ Left-click HKEY_LOCAL_MACHINE → File → Load Hive… → select settings.dat → enter “Emojis” as the key name
  4. 🎮 Open a PowerShell or CMD console
  5. 🏴‍☠️ Run reg query HKLM\Emojis\LocalState and copy the Emoji.Common HEX value
  6. 👨‍🍳 Parse it using CyberChef:
Yes, I really like the 👀 emoji

We have two pieces of information: The emojis in “most recently used” order and the number of times said emoji was used in the last N days (more research is needed to find the exact value 🕵️‍♀️).
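If you would rather script step 6 than paste into CyberChef, the following Python is an added example (not code from the original post) that applies the two settings.dat properties described above: it strips the trailing 8-byte timestamp from a value and decodes the remaining payload as text. Two things are assumptions of mine, not facts from the post: that the 8-byte suffix is a little-endian Windows FILETIME, and that the string-typed values (0x5F5E10C) hold UTF-16LE text. The sample blob is constructed for the demo, so the real CategorySetMRU layout (including where the usage counts sit) may differ; the function names are mine.

```python
"""Split a settings.dat-style value into payload + last-update timestamp.

Added example. Assumptions (labelled, not confirmed by the post):
  - the trailing 8 bytes are a little-endian Windows FILETIME
  - string-typed values (0x5F5E10C) carry UTF-16LE text
"""
import struct
from datetime import datetime, timedelta, timezone

# FILETIME = number of 100-nanosecond intervals since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME into an aware UTC datetime (100 ns -> 1 us)."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the sample."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_hex_dump(hex_text: str) -> bytes:
    """Accept hex as reg query or CyberChef show it, with or without spaces/commas."""
    cleaned = "".join(hex_text.split()).replace(",", "")
    return bytes.fromhex(cleaned)


def split_settings_value(blob: bytes) -> tuple[bytes, datetime]:
    """Return (payload, timestamp): the last 8 bytes are the update timestamp."""
    if len(blob) < 8:
        raise ValueError("value too short to carry the 8-byte timestamp suffix")
    payload, ts_raw = blob[:-8], blob[-8:]
    (ft,) = struct.unpack("<Q", ts_raw)  # little-endian unsigned 64-bit
    return payload, filetime_to_datetime(ft)


def decode_string_value(blob: bytes) -> tuple[str, datetime]:
    """Decode a string-typed value: UTF-16LE payload (assumed) + timestamp."""
    payload, ts = split_settings_value(blob)
    # Emoji outside the BMP are surrogate pairs in UTF-16; the codec handles them.
    text = payload.decode("utf-16-le").rstrip("\x00")  # drop a NUL terminator if present
    return text, ts


# Constructed sample: three emojis, a NUL terminator, then the timestamp suffix.
SAMPLE_TEXT = "👀😂🥇"
SAMPLE_TS = datetime(2022, 7, 29, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_BLOB = (
    SAMPLE_TEXT.encode("utf-16-le")
    + b"\x00\x00"
    + struct.pack("<Q", datetime_to_filetime(SAMPLE_TS))
)
SAMPLE_HEX = SAMPLE_BLOB.hex()  # what you would paste from reg query / regedit


if __name__ == "__main__":
    text, ts = decode_string_value(parse_hex_dump(SAMPLE_HEX))
    print(f"MRU text : {text}")
    print(f"updated  : {ts.isoformat()}")
```

The timestamp is the part worth keeping even if the payload layout turns out to differ: since the post notes the value is rewritten on every update and persisted at shutdown or session close, the decoded FILETIME gives you the last time the emoji history changed, which is the datable fact an investigator would actually cite.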

🆎 Differences between Windows 10 1809 and 21H1

  • The name of the program: WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe vs TextInputHost.exe
  • The name of the UWP app: InputApp_cw5n1h2txyewy vs MicrosoftWindows.Client.CBS_cw5n1h2txyewy
  • The stored information: 1809 only has CurrentSkinTone and the emoji history with counts, whereas 21H1 has that, plus a history for Kaomojis (those: (❁´◡`❁) ) and a setting for the last emoji category chosen by the user (CategorySet.ExpressiveEmoji.Common.CategoryPreferences).

Final detail: This information is persisted to disk upon shutdown or session closure.

If you ever use this in an investigation, PLEASE tell me. I wrote this for the niche aspect of it, not because I think this has any legitimate investigative value 😂

🙏 Special thanks to Francis Lemaire who helped me a lot during this small research!


Émilio Gonzalez

Blue team analyst in Quebec, Canada. Passionate about cybersecurity and urbanism. Twitter: @res260 https://twitter.com/res260