Windows 11 Insider Build 26220.7051 adds “Ask Copilot” to the taskbar — what to baseline for DFIR

Microsoft’s 26220.7051 (Dev/Beta) Insider build introduces an opt‑in Ask Copilot entry on the taskbar. Here’s how that UX change surfaces...

Microsoft shipped Windows 11 Insider Preview build 26220.7051 (KB5067115) to Dev and Beta on October 31, 2025, introducing an opt-in “Ask Copilot” experience on the taskbar. You enable it at Settings > Personalization > Taskbar > Ask Copilot and can also toggle whether the Copilot app auto-starts at sign-in. Microsoft states that Ask Copilot uses existing Windows APIs to return apps, files, and settings, as Windows Search does, and that it does not grant Copilot access to personal content. (blogs.windows.com)

Overview

  • User action: A user or admin enables Ask Copilot via Settings > Personalization > Taskbar > Ask Copilot (opt-in). (blogs.windows.com)
  • Invocation: Ask Copilot surfaces a taskbar entry that accepts natural input (text/voice) and returns local apps/files/settings via Windows APIs; chat suggestions are provided by Copilot. (blogs.windows.com)
  • Execution context you’ll actually see: Windows Search remains the broker for local lookups (SearchApp.exe in SystemApps) and Edge/Copilot may still be used for web or chat UI, depending on configuration. (learn.microsoft.com)
  • Legacy behaviors to remember during hunts: prior Copilot entry points often launched through a microsoft-edge URI (microsoft-edge://?ux=copilot&tcp=1&source=taskbar). You still see that scheme in shortcuts/workarounds and in some user guidance. (howtogeek.com)
  • Platform posture: The new Copilot app experience replaced the legacy “Copilot in Windows” sidebar on many managed systems in late 2024+; enterprise admins can control it and related experiences via policy/AppLocker. (learn.microsoft.com)

Here’s why this matters for forensics

  • New ways to invoke Copilot from the taskbar mean new clicks, queries, and app launches to correlate. Those actions leave traces in Jump Lists, UserAssist, FeatureUsage/Taskband data, Search event logs, and process creation telemetry. See below for concrete pull points.

Artifact Locations and Paths

  • Jump Lists (recent items by app)

    • Paths: %AppData%\Microsoft\Windows\Recent\AutomaticDestinations and %AppData%\Microsoft\Windows\Recent\CustomDestinations. AutomaticDestinations are CFB containers with DestList metadata (access counts, last access, pinned); CustomDestinations are concatenated LNK streams. (cybertriage.com)
    • Why here: Taskbar and app interactions (including opening files from suggestions) populate per-AppID Jump Lists; these help time-bound user activity around Copilot-initiated opens.
  • UserAssist (GUI execution traces per user)

    • Hive/keys: NTUSER.DAT > Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count (EXE) and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count (LNK). Value names are ROT13-encoded paths, with run count and last run time in the value data. (artefacts.help)
    • Why here: Copilot suggestions often launch apps or shortcuts; UserAssist corroborates those events at the user hive level.
  • Taskbar pinning and Taskband state

    • Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband\Favorites and FavoritesResolve track pinned taskbar shortcuts; LNKs live under %AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned. (forensicfocus.com)
    • Why here: If users pin the Copilot app or related shortcuts, you’ll see it reflected here; correlate with Jump Lists for recency/frequency.
  • Search and Shell logs

    • Event channels: Applications and Services Logs\Microsoft\Windows\Search\Operational (general search activity; indexing events, pauses/resumes) and Diagnostic (more verbose when enabled). (learn.microsoft.com)
    • Shell provider: Microsoft-Windows-Shell-Core has Diagnostic/Operational channels that capture shell operations when enabled. (geoffchappell.com)
    • Why here: Ask Copilot leans on Windows APIs for local results; shell/search telemetry gives you the brokered activity around app/file resolution.
  • Process telemetry

    • SearchApp.exe (SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe) is the Windows Search front-end; anomalous crashes or repeated launches will show up in WER and event logs. (learn.microsoft.com)
    • Security Event 4688 and Sysmon Event 1 capture process creation and command line, useful when Copilot invocations trigger Edge or other handlers. (learn.microsoft.com)
  • Policy surfaces (for scoping and containment)

    • Turn off Windows Copilot policy maps to HKCU/HKLM SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot\TurnOffWindowsCopilot; Microsoft notes the classic policy is deprecated for the “new” Copilot experience in some builds, so validate in your tenant. (learn.microsoft.com)
    • Microsoft’s update in late 2024/2025: the Copilot app replaced the legacy pane and is controllable, including via AppLocker for managed PCs. (learn.microsoft.com)
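
The UserAssist decoding described above, as an added example that is not from the original page: it ROT13-decodes value names, reads run count and last run time from the value data, and lists launches inside a time window. The byte offsets assume the 72-byte Windows 7+ record layout, and all sample values are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; 0 means no recorded run."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def dt_to_filetime(dt):
    d = dt - EPOCH_1601  # integer math avoids float rounding on large tick counts
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10

def parse_userassist(value_name, data):
    """Decode one Count value; offsets assume the 72-byte Windows 7+ record."""
    entry = {"name": codecs.decode(value_name, "rot_13"),
             "run_count": None, "focus_count": None, "last_run": None}
    if len(data) == 72:  # other sizes (e.g. the session record) are not per-program
        entry["run_count"], entry["focus_count"] = struct.unpack_from("<II", data, 4)
        entry["last_run"] = filetime_to_dt(struct.unpack_from("<Q", data, 60)[0])
    return entry

def launches_in_window(values, start, end):
    """Decoded entries whose last run falls inside [start, end], oldest first."""
    parsed = (parse_userassist(name, data) for name, data in values)
    hits = [e for e in parsed if e["last_run"] and start <= e["last_run"] <= end]
    return sorted(hits, key=lambda e: e["last_run"])

def make_value(plain_name, run_count, last_run):
    """Build a constructed (name, data) pair for the demo; not real evidence."""
    data = bytearray(72)
    struct.pack_into("<II", data, 4, run_count, run_count)
    struct.pack_into("<Q", data, 60, dt_to_filetime(last_run))
    return codecs.encode(plain_name, "rot_13"), bytes(data)

UTC = timezone.utc
SAMPLE = [  # constructed values; paths, counts and times are illustrative
    make_value(r"C:\Windows\System32\notepad.exe", 3, datetime(2025, 11, 3, 9, 15, 2, tzinfo=UTC)),
    make_value(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", 5,
               datetime(2025, 11, 3, 9, 14, 40, tzinfo=UTC)),
    make_value(r"C:\Windows\System32\mspaint.exe", 1, datetime(2025, 10, 1, 8, 0, tzinfo=UTC)),
    ("HRZR_PGYFRFFVBA", b"\x00" * 1612),  # ROT13 of UEME_CTLSESSION, skipped by size
]

if __name__ == "__main__":
    window = (datetime(2025, 11, 3, 9, 0, tzinfo=UTC), datetime(2025, 11, 3, 9, 30, tzinfo=UTC))
    for e in launches_in_window(SAMPLE, *window):
        print(e["last_run"].isoformat(), e["run_count"], e["name"])
```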

Here’s what we’d pull first

  • Jump Lists and UserAssist for the active user(s) to reconstruct Copilot-initiated launches around the time window in question.
  • Taskband favorites and the User Pinned directory to see whether users pinned the Copilot app or created custom shortcuts.
  • Search\Operational and (if enabled) Shell-Core Diagnostic for correlation of search/shell activity during Copilot queries.
  • EDR telemetry for process creation of SearchApp.exe, msedge.exe, and Copilot app processes, with command lines containing microsoft-edge://?ux=copilot… or ms-copilot: URIs when present. (howtogeek.com)

Analysis and Correlation

  • Process-creation monitoring
    • Windows Security 4688 and Sysmon Event ID 1 should include parent/child and command lines; enable “Include command line in process creation events” and hash collection where feasible. (learn.microsoft.com)
    • Hunt for Edge or shell invocations that include Copilot URIs:

        // Assumes the Log Analytics SecurityEvent schema; substitute your own table
        SecurityEvent
        | where EventID in (4688) // or use Sysmon EventID==1 in your pipeline
        | where NewProcessName has_any ("msedge.exe","explorer.exe","SearchApp.exe")
        | where CommandLine has_any ("microsoft-edge://?ux=copilot","ms-copilot:")

    • If your EDR normalizes parent/child, look for explorer.exe -> msedge.exe with Copilot URI parameters in the command line in proximity to user activity windows.

  • Artifact cross-checks

    • When a file was opened from a Copilot suggestion, validate via the application’s AutomaticDestinations file and DestList timestamps; compare with UserAssist last execution time. (cybertriage.com)
    • If a user pinned the Copilot app, confirm Taskband Favorites/FavoritesResolve entries and corresponding LNKs under User Pinned. (forensicfocus.com)
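
The parent/child hunt described above, as an added example that is not from the original page: it runs over exported process-creation records, optionally pins the parent to explorer.exe, and lists records that arrived without a command line, which the URI match cannot see. The records are constructed and use Security 4688 field names; `Id` is a hypothetical label.

```python
COPILOT_URIS = ("microsoft-edge://?ux=copilot", "ms-copilot:")  # schemes named on the page
WATCHED = {"msedge.exe", "explorer.exe", "searchapp.exe"}

def image(path):
    """Lower-cased file name of a Windows path (None/empty safe)."""
    return (path or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()

def copilot_invocations(events, parent=None):
    """Records for watched images whose command line holds a Copilot URI.
    With parent set (e.g. "explorer.exe"), keep only that parent -> child pairing."""
    hits = []
    for ev in events:
        cmd = (ev.get("CommandLine") or "").lower()  # URI schemes are case-insensitive
        if image(ev.get("NewProcessName")) not in WATCHED:
            continue
        if not any(uri in cmd for uri in COPILOT_URIS):
            continue
        if parent and image(ev.get("ParentProcessName")) != parent.lower():
            continue
        hits.append(ev)
    return hits

def missing_command_lines(events):
    """Watched-image records logged without a command line: a coverage gap."""
    return [ev for ev in events
            if image(ev.get("NewProcessName")) in WATCHED
            and not (ev.get("CommandLine") or "").strip()]

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
EVENTS = [  # constructed records; not real telemetry
    {"Id": 1, "ParentProcessName": r"C:\Windows\explorer.exe", "NewProcessName": EDGE,
     "CommandLine": f'"{EDGE}" "microsoft-edge://?ux=copilot&tcp=1&source=taskbar"'},
    {"Id": 2, "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": EDGE.upper(), "CommandLine": f'"{EDGE}" MS-COPILOT:'},
    {"Id": 3, "ParentProcessName": r"C:\Windows\explorer.exe", "NewProcessName": EDGE,
     "CommandLine": f'"{EDGE}" https://example.com/'},
    {"Id": 4, "ParentProcessName": r"C:\Windows\explorer.exe", "NewProcessName": EDGE,
     "CommandLine": ""},  # command-line auditing not enabled on this host
]

if __name__ == "__main__":
    print("any parent:", [e["Id"] for e in copilot_invocations(EVENTS)])
    print("explorer.exe parent:", [e["Id"] for e in copilot_invocations(EVENTS, "explorer.exe")])
    print("no command line:", [e["Id"] for e in missing_command_lines(EVENTS)])
```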

Validation and Pitfalls

  • Baseline your Insider images now. Snapshot 26220.7051 VMs with Ask Copilot enabled and disabled; run a controlled test set (enable toggle, query, open local files, pin/unpin Copilot) and diff artifacts (Jump Lists, UserAssist, Taskband, Search/Shell logs). Keep these baselines in your lab to anchor future cases involving Ask Copilot. (blogs.windows.com)
  • Lock down where appropriate. If your org policy restricts Copilot usage, apply the WindowsAI/TurnOffWindowsCopilot policy (noting Microsoft’s deprecation note for the new experience) and/or AppLocker to control the Store-delivered Copilot app. Validate behavior post-policy on 25H2 builds. (learn.microsoft.com)
  • Expect churn. Copilot integration has changed several times (PWA shifts; app replacements; even a March 2025 update that unintentionally uninstalled Copilot before Microsoft fixed it). Don’t hard-code assumptions about a single binary or toggle; verify on the build in front of you. (learn.microsoft.com)

Acquisition and Extraction

  • Files/dirs

    • %AppData%\Microsoft\Windows\Recent\AutomaticDestinations\*.automaticDestinations-ms and …\CustomDestinations\*.customDestinations-ms. (cybertriage.com)
    • %AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\ (taskbar/start LNKs). (forensicfocus.com)
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (presence, version). (learn.microsoft.com)
  • Registry hives/keys (per user)

    • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD…}\Count and {F4E57C4B…}\Count. (artefacts.help)
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband (Favorites, FavoritesResolve). (forensicfocus.com)
  • Event channels

    • Microsoft-Windows-Search/Operational (+ Diagnostic if enabled). (learn.microsoft.com)
    • Microsoft-Windows-Shell-Core/Diagnostic or Operational when you’ve enabled analytic/debug logs for deeper shell traces. (geoffchappell.com)
    • Security 4688 Process Creation; Sysmon Event 1 if deployed. (learn.microsoft.com)

Takeaways

  • Baseline 26220.7051 with Ask Copilot toggled on and off; record deltas for Jump Lists, UserAssist, Taskband, and Search/Shell logs. (blogs.windows.com)
  • Update your hunts to include Copilot/Edge URI invocations and SearchApp.exe telemetry; watch for explorer.exe → msedge.exe with copilot URIs. (howtogeek.com)
  • Validate policy controls (WindowsAI/TurnOffWindowsCopilot) and AppLocker against the new app-based Copilot experience in your tenant. (learn.microsoft.com)
  • Expect rapid changes; keep an Insider VM and refresh baselines as features ship to different rings. Refer to Microsoft’s Insider release notes when triaging user reports tied to Copilot behavior. (blogs.windows.com)

Sources / References