The Snipping Tool was removed for a while and replaced with ‘Snip and Sketch’ in Windows 10, but Windows 11 brought back the beloved Snipping Tool and phased out Snip and Sketch. While it's a handy utility for quick screenshots, there’s a lesser-known detail: Windows caches screenshots depending on your settings, and where they’re stored can change.
In this post, we’ll explore:
How screenshots are handled in Windows 11
Where they are saved by default
What changes when you turn off automatic saving
How to access the hidden cache folder
Some potential use cases or implications
By default, when you take a screenshot using:
Windows + Shift + S, or
Open the Snipping Tool manually,
...your screenshots are automatically saved to:
C:\Users\shra1\OneDrive - XYZ\Pictures\Screenshots
This is managed by a toggle in Snipping Tool settings called “Automatically save original screenshots”, which is enabled by default. With it on, any screenshot you take using the Snipping Tool is saved in the Pictures\Screenshots folder as a PNG file. The file names make it clear they’re screenshots, but unfortunately the files contain no embedded metadata.
That might not sound very exciting, but here’s where it gets interesting.
If you disable the auto-save feature, the behaviour changes. Screenshots are no longer saved to the Pictures\Screenshots folder. Instead, they’re temporarily cached in a hidden local folder:
%LOCALAPPDATA%\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState\Snips
This location holds cached versions of your screenshots, which:
Persist at least until reboot (according to current testing)
Might be cleared later by Windows automatically
Are not visible in normal Pictures folders, which can be misleading
Important to note: Windows 11 will not store screenshots in both locations. It’s either:
Pictures\Screenshots (if auto-save is on), or
TempState\Snips (if auto-save is off)
This binary behaviour means that if you're doing forensic work, monitoring user activity, or developing automation tools, knowing which setting is active can be critical.
The above detail can be very useful for:
Forensics investigators: Screenshots may exist even if not manually saved.
Privacy-aware users: Knowing where your data goes helps maintain control.
IT administrators: Enforcing policies on screenshot handling.
Developers/testers: Retrieving screenshots programmatically from cache.
What We Know About Screenshot Persistence
They persist at least until reboot. Cached snips stay there during the active session, and you can reopen them via Snipping Tool's editor unless you shut down or log off.
They may be deleted after a reboot. Windows doesn’t guarantee these cached files will survive. It may clean them up to reclaim space, just like it does with temp files.
Forensics Implications:
Here are the possibilities:
1. Live Response is Critical
You need to collect volatile data during a live session (before reboot).
Tools like FTK Imager, or built-in scripting (PowerShell/Robocopy) can be used to extract contents of TempState\Snips before they vanish.
2. Check for Shadow Copies / Backups
If Volume Shadow Copy (VSS) is enabled, the cached snips folder might be recoverable from a shadow snapshot, even after deletion.
Tools: vssadmin, ShadowExplorer, or commercial forensic tools.
3. File Recovery Tools
If the files were deleted, tools like Recuva, Autopsy, or EnCase can attempt recovery, especially if the system hasn’t overwritten the disk sectors yet.
4. Memory Forensics (Advanced)
If the system is still running and a screenshot was recently viewed, parts of the image may reside in RAM.
Tools like Volatility or AXIOM RAM Capture can potentially recover these if the Snipping Tool was active.
❗ Key Takeaway
Cached screenshots are not guaranteed to persist, so timing is everything in forensic collection. If you suspect snipping activity:
Act before reboot
Check the Snips cache folder / Check for Shadow Copies / Backup
Use live capture or recovery methods to preserve evidence
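The live-response step above can be scripted. The following PowerShell is an added example, not code from the original post: it sweeps both save locations for every profile, records timestamps and SHA-256 hashes, and copies the files out with a manifest. The destination path, the source labels and the manifest column names are assumptions made for the example.

```powershell
# Added example: live-response sweep of both Snipping Tool save locations.
# Run elevated so other users' profiles are readable.
param(
    # Hypothetical destination; point it at external evidence media.
    [string]$EvidenceRoot = 'E:\Evidence\SnippingTool'
)

# Labels (SnipsCache, Screenshots) are names chosen for this example.
$sources = [ordered]@{
    SnipsCache  = 'AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState\Snips'
    Screenshots = 'Pictures\Screenshots'   # a redirected Pictures folder (e.g. OneDrive) is not followed
}
$usersRoot = Join-Path $env:SystemDrive 'Users'   # assumes the default profile root
New-Item -ItemType Directory -Path $EvidenceRoot -Force | Out-Null

$manifest = @(foreach ($userDir in Get-ChildItem -LiteralPath $usersRoot -Directory) {
    foreach ($label in $sources.Keys) {
        $src = Join-Path $userDir.FullName $sources[$label]
        if (-not (Test-Path -LiteralPath $src)) { continue }
        $destDir = Join-Path $EvidenceRoot (Join-Path $userDir.Name $label)
        New-Item -ItemType Directory -Path $destDir -Force | Out-Null

        foreach ($f in Get-ChildItem -LiteralPath $src -File -Force -ErrorAction SilentlyContinue) {
            # Capture timestamps before touching the file; Copy-Item does not keep CreationTime.
            $created  = $f.CreationTimeUtc.ToString('o')
            $modified = $f.LastWriteTimeUtc.ToString('o')
            $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            $copy = Copy-Item -LiteralPath $f.FullName -Destination $destDir -PassThru
            [pscustomobject]@{
                User         = $userDir.Name
                Source       = $label
                Path         = $f.FullName
                SizeBytes    = $f.Length
                CreatedUtc   = $created
                ModifiedUtc  = $modified
                SHA256       = $hash
                # True only if the copy exists and hashes identically to the original.
                CopyVerified = $copy -and ((Get-FileHash -LiteralPath $copy.FullName -Algorithm SHA256).Hash -eq $hash)
            }
        }
    }
})

$manifest | Export-Csv -Path (Join-Path $EvidenceRoot 'manifest.csv') -NoTypeInformation
# Snips land in one location or the other, so per-user counts hint at the auto-save setting.
$manifest | Group-Object User, Source | Select-Object Name, Count
```

The manifest keeps the original creation and modification times, which the copied files alone would not, so it can later be lined up against the other artifacts listed at the end of this post.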
Use Case 1: Digital Forensics & Incident Response (DFIR)
Scenario: During a post-incident review, an investigator may discover that a malicious actor took screenshots of sensitive data (like passwords or confidential emails) using Snipping Tool but didn't save them manually.
How cached screenshots help:
Even if the screenshots weren't saved to Pictures, they may be found in TempState\Snips.
This can reveal intent, scope, or timeline of the breach.
Description: Discover if a threat actor captured sensitive information via screenshots.
File Path:
- %LOCALAPPDATA%\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState\Snips
- %USERPROFILE%\Pictures\Screenshots
Use Case 2: Insider Threat Monitoring
Scenario: A user may try to leak confidential data by capturing screenshots and sharing them externally, but avoid saving them permanently.
Cached screenshots benefit:
Shows what was viewed or captured, even if the user never explicitly saved it.
May support HR or legal cases involving data policy violations.
Description: Identify screenshot activity of proprietary or restricted material.
File Path:
- Same as above
- %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations (Jump Lists)
- %APPDATA%\Microsoft\Windows\Recent
Use Case 3: Employee Misconduct or Productivity Investigations
Scenario: During work hours, a user frequently snips parts of the screen, possibly copying competitor data or browsing inappropriate content.
Investigation angle:
Cached snips give visibility into what was being captured without needing spyware.
Useful in corporate settings where compliance with usage policies is critical.
Description: Review screenshots taken during unauthorized or non-work activity.
File Path:
- Snips: %LOCALAPPDATA%...\TempState\Snips
- Saved images: %USERPROFILE%\Pictures\Screenshots
- Clipboard history: %APPDATA%\Microsoft\Clipboard (requires parsing)
Use Case 4: Parental Controls & Child Safety
Scenario: Parents suspect their child is capturing and sharing inappropriate content or engaging with dangerous online platforms.
Use of cached screenshots:
TempState\Snips can reveal what content was snipped from the screen.
A privacy-respecting yet effective way to gain insight without intrusive software.
Description: Check if inappropriate or dangerous content was snipped.
File Path:
%LOCALAPPDATA%\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState\Snips
Use Case 5: System Misuse Detection in Schools or Labs
Scenario: In shared computers (labs, public libraries, etc.), some users might take screenshots of exam answers or private messages.
Detection method:
Cached screenshots can help determine if the Snipping Tool was used to collect sensitive data.
Helps enforce acceptable use policies in multi-user environments.
Description: Catch users attempting to exfiltrate information via screen capture.
File Path:
- %LOCALAPPDATA%\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState\Snips
- User temp folders: %TEMP%
Use Case 6: Bug Reporting and QA Workflows
Scenario: A tester reports an app crash but forgets to upload the screenshot of the error.
QA advantage:
Cached snips might still exist from earlier screen captures.
Helps developers trace issues even if the user didn’t save the image.
Description: Recover screenshots for reports when users forget to save.
File Path:
- %LOCALAPPDATA%\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState\Snips
- %USERPROFILE%\Pictures\Screenshots
Use Case 7: Recovering Lost Work or Mistakenly Closed Snips
Scenario: A user snips something important but accidentally closes the editor without saving.
Why this matters:
If auto-save was off, the image may still exist in the TempState\Snips folder.
Data recovery made possible without advanced tools.
File Path: Same as above
Use Case 8: Detecting Evasive Behavior
Scenario: An attacker, red teamer, or tech-savvy insider attempts to avoid detection by using screen captures instead of downloading files.
Investigative value:
Cached screenshots can expose what data was viewed.
Useful in combination with clipboard monitoring or browser history.
Description: Catch attackers or users attempting to avoid download logs.
File Path:
- %LOCALAPPDATA%\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState\Snips
- Shellbags: NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
Use Case 9: Audit & Compliance
Scenario: A compliance officer needs to confirm whether screenshots of sensitive financial data were handled according to company policy.
Value of cached data:
Shows whether screenshots were retained temporarily.
Can be cross-checked against approved save locations and retention rules.
Description: Ensure screenshot storage policies are enforced.
File Path:
- %USERPROFILE%\Pictures\Screenshots
- %LOCALAPPDATA%...\TempState\Snips
- Group Policy Editor > Snipping Tool (if controlled)
Use Case 10: Tool Usage Pattern Analysis
Scenario: Security teams want to know if the Snipping Tool is being abused or overused.
Monitoring opportunity:
Correlate the creation of snips with system logs or file access history.
Detect potentially risky behavior without relying on third-party DLP tools.
Description: Analyze frequency and pattern of Snipping Tool use.
File Path:
- %LOCALAPPDATA%\Microsoft\Windows\INetCache\ (app usage cache)
- %APPDATA%\Microsoft\Windows\Recent
- %LOCALAPPDATA%\Packages\Microsoft.ScreenSketch_*
Pro Tip: Combine with Other Artifacts
For better evidence correlation, pair cached screenshots with:
Clipboard history (Win + V)
Shellbags / Jump Lists
Recent files (%APPDATA%\Microsoft\Windows\Recent)
Timeline Activity (if enabled)
Windows Event Logs