Troubleshooting: How to Find and Inspect Browser LNK Entries

Inspecting Browser LNK Files for Malware or Corruption

What a .LNK file is

.LNK is a Windows shortcut file that points to an executable, folder, document, or URL. Browser-related LNKs often link to browser executables or profile folders and can be manipulated to run malicious programs or add unwanted parameters.

Why inspect browser LNKs

  • Malware persistence: Attackers can replace or modify shortcuts so they launch malicious payloads.
  • Unintended behavior: Corrupted or misconfigured LNKs can add flags (e.g., --kiosk) or point to wrong targets, breaking startup behavior.
  • Privacy risk: A shortcut can include CLI arguments that expose profile paths or flags that weaken security.

Signs of a suspicious or corrupted browser LNK

  • Target path points to an unexpected location (not the browser’s install folder).
  • Target includes extra command-line arguments you didn’t add.
  • Shortcut icon is generic or changed.
  • Multiple duplicates in startup folders or desktop with slightly different names.
  • Antivirus alerts when launching via the shortcut.

How to inspect safely (step-by-step)

  1. Do not double-click the shortcut.
  2. Right-click the .LNK → Properties → Shortcut tab.
    • Check Target, Start in, and Comment fields.
  3. Verify the Target path: it should match the browser’s official install path (e.g., “C:\Program Files\Google\Chrome\Application\chrome.exe”).
  4. Look for unexpected arguments after the .exe (e.g., URLs, --remote-debugging-port, or a path to a script).
  5. Check the shortcut’s Advanced properties for “Run as administrator” or other unusual flags.
  6. Inspect file origin: right-click → Properties → Details or Digital Signatures (if present).
  7. Check the file’s actual location and file size; .LNK files are small (a few KB).
  8. Use a reputable antivirus/antimalware scanner to scan the .LNK and the target executable.
  9. If you suspect tampering, open the target executable’s folder and verify its executable file hash against a known-good copy or vendor checksum.
  10. Remove suspicious shortcuts from Startup locations:
    • Startup folder: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • All Users Startup: %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup
    • Registry run keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM…\Run (only if comfortable using regedit).

Tools for deeper analysis

  • ShellLink (Windows API) parsers or LNK parsers (e.g., “lnk-parse” tools) to extract embedded metadata.
  • Autoruns (Sysinternals) to find startup shortcuts and their targets.
  • Sigcheck or other hash utilities to verify executable signatures and hashes.
  • Online sandbox (submit the target executable) — only if you can safely upload samples.
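The checks in steps 3 and 4 above (target path and extra arguments) and the "LNK parser" idea in this list can be automated with a small reader for the MS-SHLLINK format. The following is an added example, not code from this page or from any of the tools named above: it parses the ShellLink header, LinkInfo (where the local target path is stored) and the StringData fields, then flags a target outside the expected install folder or a watch-listed switch. The switch watch-list, the expected Chrome path and the sample shortcut bytes are constructed for the demonstration.

```python
import struct

HAS_ID_LIST, HAS_LINK_INFO, HAS_ARGS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80   # MS-SHLLINK LinkFlags bits
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),   # fixed spec order
                 (HAS_ARGS, "arguments"), (0x40, "icon_location")]
# Switches that do not belong on a normal browser shortcut (constructed watch-list, not exhaustive)
SUSPICIOUS_ARGS = ("--remote-debugging-port", "--kiosk", "--load-extension",
                   "--disable-web-security", "--no-sandbox", "--proxy-server")

def parse_lnk(data: bytes) -> dict:
    """Extract target path, working dir and arguments from raw .LNK bytes."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info, pos = {"target": None}, 0x4C
    if flags & HAS_ID_LIST:                      # skip LinkTargetIDList (uint16 size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LocalBasePath (ANSI, NUL-terminated) lives in LinkInfo
        size, _hdr, li_flags, _vol, base_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x1:                       # VolumeIDAndLocalBasePath
            end = data.index(b"\x00", pos + base_off)
            info["target"] = data[pos + base_off:end].decode("cp1252")
        pos += size
    for bit, key in STRING_FIELDS:               # CountCharacters + chars, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return info

def assess(info: dict, expected_dir: str) -> list:
    """Flag a target outside the browser's install folder and any watch-listed switch."""
    findings, target = [], (info.get("target") or "")
    if not target.lower().startswith(expected_dir.lower()):
        findings.append(f"target outside install dir: {target!r}")
    args = info.get("arguments", "").lower()
    findings += [f"suspicious argument: {s}" for s in SUSPICIOUS_ARGS if s in args]
    return findings

def build_sample_lnk(target: str, args: str) -> bytes:
    """Constructed fixture (not a real shortcut): header + LinkInfo with a local path + unicode arguments."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")          # ShellLink CLSID, little-endian
    header = struct.pack("<I16sI", 0x4C, clsid, HAS_LINK_INFO | HAS_ARGS | IS_UNICODE).ljust(0x4C, b"\x00")
    vol = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"                  # VolumeID: DRIVE_FIXED, empty label
    base = target.encode("cp1252") + b"\x00"
    li_size = 0x1C + len(vol) + len(base) + 1                             # + 1-byte CommonPathSuffix
    link_info = struct.pack("<7I", li_size, 0x1C, 1, 0x1C, 0x1C + len(vol), 0, li_size - 1)
    return header + link_info + vol + base + b"\x00" + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

To run it against a real shortcut, pass `open(path, "rb").read()` to `parse_lnk` and the browser's vendor install folder to `assess`; ExtraData blocks after StringData are ignored by this reader.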

Remediation steps

  • If shortcut is malicious: delete the LNK, then scan the system and the target executable.
  • If target executable is replaced: quarantine and replace with a clean install from vendor site.
  • Restore correct shortcut: create a new shortcut pointing to the verified browser executable without extra arguments.
  • Review startup locations and registry run keys for persistence entries and remove unwanted ones.
  • Change browser profiles or reinstall the browser if profile paths were exposed or altered.

Quick checklist

  • Confirm target path and filename.
  • Look for unexpected CLI arguments.
  • Scan shortcut and target with antivirus.
  • Verify executable digital signature or hash.
  • Remove suspicious startup entries and recreate clean shortcuts.

If you want, I can provide exact commands or a PowerShell script to enumerate and inspect browser LNK files on your system.
