#6C32 If half selected, files and directories will be grouped only when not exploring recursively, i.e. when directories are actually needed for navigation and thus expected at the top of the list.
#7343 If you need sector-level access to media as a rule, it may be preferable to always run WHX/XWF as administrator. This can be remembered by Windows in the registry hive HKEY_CURRENT_USER under \Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers, but has no effect on installations on removable media.
#7355 Not checked: the main window of the previous instance comes forward instead of creating a new program instance. Full check: new program instance starts without asking. Half selected (default): you will be given a choice when executing the .exe file again, whether to start a new instance or not. At that time you may also try to recover a previous instance, i.e. attempt to break it out of an infinite loop.
#7356 At startup, WHX/XWF can optionally show the Start Center or restore the last window arrangement (all windows with their sizes and positions as you left them in the preceding WHX/XWF session).
#7348 By default, edit windows are not opened in a maximized state.
#735E Do not update file time means that WinHex will preserve the last modification time when a modified file is saved with File | Save or Save As.
#7347 Fully checked: context menu for directory tree in Case Data window shows; at least half checked: context menu for the hex editor display appears.
#7360 You may have WHX/XWF appear in the Windows context menu. The shell displays the context menu when the user clicks an object with the right mouse button. WHX/XWF provides menu items for files, folders and disks. If this option is not fully selected, there is no menu item for files.
#7345 Prevent Windows screensavers from starting and potentially requiring you to re-enter the current user's password, either only during operations that show a progress indicator window (if half checked) or generally while the program is running (if fully checked). Works if the main window is visible or the program is running in the background. Useful when acquiring a live system without being locked out, or to keep an eye on the progress indicator on your own machine while not actively using it.
#733A Half checked, the settings are saved whenever the program terminates (cleanly). Fully checked, every time you click OK in any dialog window (so that you do not lose your latest settings should the program not terminate cleanly). Unchecked, the program settings will not be saved at all, except if you hold the Shift key when exiting the program, which is necessary once if you would like to save in the .cfg file the setting that from then on the settings should not be saved again.
#7346 By default WHX/XWF numbers disk partitions in the order of their physical location.
#7341 If Auto-detect deleted partitions is enabled, WHX/XWF tries to identify obvious deleted partitions automatically in gaps between existing partitions and in unpartitioned space directly following the last partition, when opening physical hard disks. Please note that deleted partitions detected in gaps between existing partitions cause the partition numbering to be changed. E.g. an existing partition #3 might become partition #4 if a deleted partition is detected on the disk before it.
#735A If Check for surplus sectors is disabled, WHX/XWF will not try to access surplus sectors when a physical hard disk is opened. When additional sectors are detected, WHX/XWF will remember them the next time you open the disk. You may enforce a new check by holding the Shift key while opening the disk. Checking for surplus sectors may cause very long delays, strange behavior or even damage to the Windows installation on some very few systems.
#7342 Alternative disk access method 1 may allow access to hard disks with an unconventional sector size or other media that cannot be accessed otherwise. May be slower than the regular access method. If considerably slower, WHX/XWF will notify you and recommend the standard method. Method 2 affects physical hard disks only as well. Both allow you to specify a timeout in milliseconds after which read attempts will be aborted, instead of a potential delay of many seconds or minutes for reading a single sector.
#7340 For raw images, request user input on the kind of image (volume or disk), sector size and path for potential additional image file segments. Holding the Shift key while adding the image to a case has the same effect. Usually not necessary, but some removable media (USB sticks and memory cards) may have been used and formatted as both volume and partitioned medium at different times. In such a situation, interpretation as a volume and as a partitioned medium may reveal different file systems overlapping.
#7358 If you select Show file icons, the icons stored in a file are shown in the info pane. If a file contains no icons, the icon of the file type is shown if this option is “fully” selected. Only for files opened with the File | Open menu command.
#7365 The ENTER key can be used to enter up to four two-digit hex values. A useful example is 0x0D0A, which is interpreted as an end-of-line marker in the Windows world (Unix: 0x0D). The Start Center could then still be opened using SHIFT+ENTER.
#7362 Decide whether you want to use the TAB key to switch from text to hexadecimal mode and vice versa or to enter the TAB character (0x09). In any case, TAB+SHIFT can be pressed to switch the current mode.
#7350 Non-printable characters with a character set value smaller than 0x20 can be represented by a user-defined other character. That substitute character can also be used for high Unicode values, the limit for which you specify in the first of the two boxes; the second is the replacement character (e.g. a space).
#7338 The bytes in the display can be represented as characters in the text column one by one, or WHX/XWF can try to combine them, which if the active code page in Windows is a double-byte character set may be desirable to get the characters right (if 2 bytes = 1 character), or undesirable because of the variable row length. This has an effect only if View | Character Set | * ASCII is selected, as only then the code page active in Windows can make a difference for the display.
#7361 Offsets can be presented and prompted for in a decimal or hexadecimal notation. This setting is valid for the entire program and can be changed by a simple click on the offset column in any window showing raw hex data.
#7353 When using the memory editor, it may be useful to have WHX/XWF display logical memory addresses for processes instead of zero-based, linear, contiguously counted offsets. This is always done in hexadecimal notation. The dialog window of the Goto Offset command will also prompt for logical addresses.
#734F Page and sector separators may be displayed. If this option is enabled partially, only sector separators are displayed.
#73F0 Option to get all search hits in a file highlighted in File mode at the same time, either only when a search hit list is displayed (if half checked) or permanently once search hits have been loaded for an evidence object, i.e. even when working with the normal directory browser (if fully checked). Search hits are loaded after an evidence object has been opened as soon as search hits are listed. This feature also applies to user search hits. Requires forensic license.
#7337 Highlights the various elements in FILE records of the NTFS file system, when the cursor is located within such a record, to facilitate navigation and understanding. Requires a specialist or forensic license. If half checked, highlighting is attempted only on NTFS-formatted volumes, not in other file systems and not on physical, partitioned disks.
#7336 Highlights FILETIME values in Disk/Partition/Volume and File mode. Useful when manually inspecting files of various Microsoft formats which may contain more timestamps than can be automatically extracted (try e.g. with index.dat, registry hives, .lnk shortcut files etc.). Tooltips of the highlight will reveal a human-readable interpretation, though the Data Interpreter will do that too (click on the first byte of the timestamp). Half checked, only FILETIME values that are aligned at 4-byte offsets are highlighted.
#7335 Highlights file signatures right in the hex display (Disk/Partition/Volume and File mode). Done by matching the signatures in "File Header Signatures Search *.txt" to every single offset in the currently visible page. Will help you immediately spot start positions of well-known data/file types, even if embedded within one another, for example thumbnails in JPEG files, individual records in zip archives, TIFF signatures in Exif metadata, certificates in Windows Registry hives, etc.
#7351 Displays offsets and data in free space areas in a light gray color to make those easy to recognize as such. Works with any file system supported for VS creation in XWF.
#7352 Displays offsets and data in slack space areas of files in the color specified for slack space below.
#7315 You may choose a font for the hex editor display, and decide whether the standard Windows GUI font should be used for the other parts of WHX/XWF (via an additional checkbox).
#2F1F SHA-1 and TTH192 hashes can optionally be displayed in Base32 notation in the directory browser, as common in P2P programs.
#2F38 File sizes can optionally always be displayed in bytes instead of rounded. If the checkbox is half checked, that applies to items in volumes only, otherwise also items on physical, partitioned media.
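The FILETIME highlighting described under #7336 can be approximated outside the tool. The sketch below is an added example, not X-Ways code: it scans a buffer for 8-byte little-endian values that decode to a plausible date, with an `aligned_only` switch mirroring the half-checked state. The plausibility window (1995 to 2035) and all names are assumptions of this example; how X-Ways itself decides what to highlight is not stated on this page.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumption of this example: anything outside this window is treated as noise.
EARLIEST = datetime(1995, 1, 1, tzinfo=timezone.utc)
LATEST = datetime(2035, 1, 1, tzinfo=timezone.utc)


def datetime_to_filetime(dt):
    """Convert an aware datetime to a 64-bit FILETIME integer."""
    delta = dt - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10


def filetime_to_datetime(value):
    """Convert a FILETIME integer to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def find_filetimes(buf, aligned_only=False, earliest=EARLIEST, latest=LATEST):
    """Return (offset, datetime) for every plausible FILETIME in buf.

    aligned_only=True checks only offsets that are multiples of 4, which
    corresponds to the half-checked state of the option.
    """
    lo = datetime_to_filetime(earliest)
    hi = datetime_to_filetime(latest)
    step = 4 if aligned_only else 1
    hits = []
    for offset in range(0, len(buf) - 7, step):
        (value,) = struct.unpack_from("<Q", buf, offset)
        if lo <= value <= hi:
            hits.append((offset, filetime_to_datetime(value)))
    return hits


def describe(hits):
    """Render hits as (offset, ISO 8601 string) pairs for display."""
    return [(offset, ts.isoformat()) for offset, ts in hits]


# Constructed sample: one timestamp at a 4-byte-aligned offset (4) and one
# at an unaligned offset (17), surrounded by 0xFF filler bytes.
TS_ALIGNED = datetime(2014, 4, 2, 12, 0, tzinfo=timezone.utc)
TS_UNALIGNED = datetime(2014, 4, 3, 12, 0, tzinfo=timezone.utc)
SAMPLE = (
    b"\xff" * 4
    + struct.pack("<Q", datetime_to_filetime(TS_ALIGNED))
    + b"\xff" * 5
    + struct.pack("<Q", datetime_to_filetime(TS_UNALIGNED))
    + b"\xff" * 3
)

if __name__ == "__main__":
    print("every offset :", describe(find_filetimes(SAMPLE)))
    print("aligned only :", describe(find_filetimes(SAMPLE, aligned_only=True)))
```

The aligned-only scan misses the timestamp at offset 17, which is the trade-off of the half-checked state: fewer false positives in random data, at the cost of timestamps packed at odd offsets.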
#2F3B Optionally, the actually used time zone conversion bias, including daylight saving where appropriate, can be displayed right in the timestamp columns in the directory browser.
#2F2F There is an option to display timestamps with a precision of milliseconds. You may specify the number of digits after the decimal point (up to 3). Useful for the file systems NTFS, Reiser4 and FAT, which provide for a higher precision than seconds in all or some timestamps.
#2F61 There is an option to output dates in the directory browser and in some other parts of the user interface in a nicer, longer and more locale-specific notation, which can include the weekday and the name of the month based in your language or in English. Also, that format is Unicode capable, which allows for example for original Chinese notation of dates. Examples of how to represent the month (in English): MMMM = April, MMM = Apr, MM = 04, M = 4. Example of a complete format: d/MMM/yyyy (ddd) = 2/Apr/2014
#6D40 Extended attributes in NTFS are optionally included in the volume snapshot as child objects of the directory or file to which they belong, with the name "$EA" and marked in the Attr. column with "($EA)". Fully checked: all such attributes; half-checked (default): only non-resident ones. Not checked, the clusters that belong to non-resident extended attributes of existing objects will be covered by the virtual file "misc non-resident attributes".
#6D5F Including logged utility streams (LUS) in NTFS in newly taken volume snapshots is optional. Either all LUS can be included (if fully checked) or only non-$EFS LUS (if half checked) or no LUS at all. Useful for NTFS volumes written by Windows Vista, if you are not interested in $TXF_DATA LUS.
#6D60 Downloaded files in NTFS can be conveniently recognized if their alternative data stream "Zone.Identifier" is represented as a label instead of as a child object in the volume snapshot. That means you do not need to navigate to the child object to find out what the child object might be. "ZoneId=3" as the label name identifies files downloaded from the Internet.
#6D5D If enabled, allocated clusters in (ex)FAT file systems are skipped when reading the data of deleted files, i.e. they are not necessarily assumed to be contiguous, but assumed to occupy as many free clusters from the start cluster number as are necessary for their size, while skipping clusters that are marked as in use. Changing this option may affect files that are already contained in the VS, thus changing this option will also cause hash values to change if they are re-computed.
#6D5C The extra effort that X-Ways Forensics makes to include deleted objects in FAT32 file systems correctly in the volume snapshot is optional. If only half checked, the extra effort is made only for subdirectories, not files.
#6D3D If you get read errors on a CD/DVD (e.g. because of scratches on the surface) when the volume snapshot is taken, you know that not all sectors with the data structures of the file system are readable. Listing the ISO9660 file system's directory tree on CDs in addition to a possibly also existing Joliet file system gives you a second chance to get all directories and files listed, if the corresponding data structures of the same directories are located in readable sectors in the ISO9660 area.
#6D61 Output of simple extended attributes in Apple file systems as special lines in the Metadata column instead of child objects is optional. If included in the Metadata column, the Metadata field will also be shown in Details mode.
#6D5E Not checked (default): All extended attributes deemed relevant by XWF are processed and output either in the Metadata column if they are textual in nature or as file contents of resident or compressed files or as links to related directories, or as child objects that are marked in the Attr. column with (EA). Half checked, "firstlink" and "quarantine" attributes are also output in the Metadata column. Fully checked, even empty binary PLists and ordinary "Security" attributes are output as child objects.
#6D37 For better results when matching hash values against special hash sets, only the invariable header of loaded modules can be listed in main memory analysis.
#6D62 Selected, the initial VS just contains the contents of the top-level directory, and is further completed step-by-step when exploring subdirectories. This is how Windows Explorer works, and useful when dealing with slow and huge network drives that would take a long time up front to scan completely. But very different from the usual approach in XWF: will prevent you from getting a complete listing of all files when exploring recursively, until you have manually explored all subdirectories.
#6D63 Evidence file containers since v18.8 specifically remember the RVS status of the files that they contain. If you accept this status, these files will not be processed again even if you then run RVS on the container. You may not want to accept the RVS status of files in containers if you wish to apply more thorough settings than may have been used before, or if an older, less capable version of XWF was used to process the files.
#6D3E Causes deleted partitions to pass on their deleted state to everything that they contain (files and directories), and deleted e-mail archives to pass on their deleted state to all the e-mails, directories and attachments that they contain. Not checked by default, because it results in a loss of information, as depending on the reference everything may be listed as deleted, even files/e-mails that from the point of view of the file system/the e-mail archive still existed when the partition/file was deleted.
#6D3C Adjusts virtual free space file: net of clusters that were identified as belonging to previously existing files, to minimize the amount of space in file systems that is read twice for logical searches. After changing this option or after discovery of more previously existing files, the virtual free space file is updated when it is opened next time. Relative offsets of search hits in this virtual file may become wrong when it changes, so they cannot be used to navigate to the search hits in File mode after that.
#6D6E Optionally, files on the logical drive letters A: through Z: can be opened from within the directory browser with the help of the operating system instead of with the built-in logic at the sector level. Please note that this is forensically sound only for write-protected media. On writeable media, Microsoft Windows may update (i.e. alter, falsify) the last access timestamp of files you open. Much faster access to drives, though, especially on very slow drives.
#6D6F If fully checked, it has an effect on all read operations except logical searches, indexing, and search hit context preview. If half checked, it has an effect on all read operations except those three and on how file contents are presented in File mode and in separate data windows. If checked (fully or half), that is a useful setting to achieve file hash compatibility with ordinary (user level) Windows applications. Not checked at all achieves hash compatibility with ordinary forensic tools.
#6D3F Applies to Ext*, XFS, Reiser* and NTFS. Fully checked, all previously existing files of which metadata only is known will be included in a volume snapshot. If not checked at all, those files will be ignored. Half checked, only files for which more than just the name or timestamps are known will be included, but not directory entry remnants in Ext* or Reiser file systems.
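The effect of the (ex)FAT option described under #6D5D on recovered data and hash values can be shown with a small model. This is an added example, not X-Ways code: it compares the "contiguous" assumption with the "skip clusters marked as in use" assumption on a constructed FAT and a constructed 8-byte-cluster volume. Function names, the tiny cluster size and the sample contents are assumptions of this example, as is applying the skip rule to the start cluster itself.

```python
import hashlib

FREE = 0x00000000        # FAT entry of an unallocated cluster
EOC = 0x0FFFFFFF         # FAT32 end-of-chain marker, i.e. cluster is in use
FIRST_DATA_CLUSTER = 2   # cluster numbering in FAT file systems starts at 2


def assumed_clusters(fat, start, size, cluster_size, skip_allocated):
    """Clusters a deleted file of `size` bytes is assumed to occupy.

    skip_allocated=False: the file is assumed contiguous from `start`.
    skip_allocated=True: clusters marked as in use are stepped over and the
    next free ones are taken instead.
    """
    needed = -(-size // cluster_size)  # ceiling division
    chosen = []
    cluster = start
    while len(chosen) < needed and cluster < len(fat):
        if not skip_allocated or fat[cluster] == FREE:
            chosen.append(cluster)
        cluster += 1
    return chosen


def read_deleted(volume, fat, start, size, cluster_size, skip_allocated):
    """Return (data, complete). `volume` is the data area starting at cluster 2.

    complete is False when the volume ends before enough clusters are found.
    """
    clusters = assumed_clusters(fat, start, size, cluster_size, skip_allocated)
    data = b"".join(
        volume[(c - FIRST_DATA_CLUSTER) * cluster_size:
               (c - FIRST_DATA_CLUSTER + 1) * cluster_size]
        for c in clusters
    )
    return data[:size], len(clusters) * cluster_size >= size


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


# Constructed sample: a 20-byte file was written to clusters 3, 5 and 6
# because cluster 4 already belonged to another file, then it was deleted
# (its FAT entries were reset to FREE, its data stayed on disk).
CLUSTER_SIZE = 8
ORIGINAL = b"A" * 8 + b"B" * 8 + b"CCCC"
FAT = [0x0FFFFFF8, EOC,   # entries 0 and 1 are reserved
       EOC,               # cluster 2: some other existing file
       FREE,              # cluster 3: deleted file, part 1
       EOC,               # cluster 4: existing file in between
       FREE, FREE,        # clusters 5 and 6: deleted file, parts 2 and 3
       FREE]              # cluster 7: unused
VOLUME = (b"other-01" + b"AAAAAAAA" + b"live-xyz" + b"BBBBBBBB"
          + b"CCCC\x00\x00\x00\x00" + b"\x00" * 8)

if __name__ == "__main__":
    for skip in (False, True):
        data, complete = read_deleted(VOLUME, FAT, 3, len(ORIGINAL),
                                      CLUSTER_SIZE, skip)
        print(f"skip_allocated={skip}: {data!r} complete={complete} "
              f"sha1={sha1_hex(data)} "
              f"matches_original={data == ORIGINAL}")
```

On this sample only the skipping variant reproduces the original content, and the two variants yield different SHA-1 values for the same directory entry, which is why hash values change when the option is toggled and hashes are re-computed.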
#6D65 Quick snapshots without cluster allocation speeds up taking a volume snapshot (in particular for the file systems Ext2, Ext3 and ReiserFS, and in particular also when the volume snapshot files are created across a slow USB 1.1 interface or network), however, causes WHX/XWF to lose its ability to tell each sector’s and cluster’s allocation (for which file it is used). You may use the command "Take New Volume Snapshot" of the Tools menu to update the view of a volume, e.g. after unchecking this option.
#6D64 If enabled, all information on file systems in opened volumes collected by WHX/XWF (Disk Tools menu and/or Specialist menu) remains in the folder for temporary files even when WHX/XWF terminates. WHX/XWF can then reuse the snapshots in later sessions. Volume snapshots of evidence objects in a case are always kept, regardless of this setting, in that evidence object's metadata subdirectory.
#6D3A Keep more data of the volume snapshot in memory, e.g. for much quicker sorting by timestamps.
#7462 Here you may activate the separate viewer component and specify the path where it is located. Please note: the path is expected to point to the *parent* directory of the "viewer" and "x64\viewer" directories.
#74CB If the internal graphics viewing library is used to view pictures, not the viewer component, then optionally the picture viewer window can be closed automatically when a new picture is viewed (if "View multiple pictures simultaneously" is not selected).
#74D0 In that case an auto update option is available that allows to automatically load the next picture into the single picture viewer window as soon as a new picture is selected, one way or the other, for example with a single mouse click or when defining a label for the preview picture or when pressing one of the arrow keys. This should be useful mainly when working with multiple monitors, where the picture viewer window remains on the 2nd monitor.
#7438 Also, you may specify which file types you prefer to view in the program that is associated with their extension in your system, typically file types that the separate viewer component does not support. There is a checkbox labelled "Append type as extension if newly identified". It makes it easier to get Windows to run the right program for misnamed files, files without extension etc.
#74CC An alternative e-mail representation is available in Preview mode (also in the case report). Attachments are not linked directly from this kind of e-mail representation yet in Preview mode.
#74CE The e-mail headers can optionally be excluded (not Raw mode). Useful with the standard e-mail representation if you would like to see more of the body of the e-mail without scrolling. You can see subject, sender, recipient and dates already in the directory browser, and attachments are listed when exploring the parent .eml file.
#74C9 If enabled, text extraction from certain file types for logical searches and indexing will be done by the viewer component in a separate process, such that if the viewer component crashes or becomes unstable, it does not render the main process (X-Ways Forensics) unstable or cause it to crash.
#74CA If enabled, the result of the text extraction from certain file types for logical searches and indexing will be stored by X-Ways Forensics in the volume snapshot for reuse when searching/indexing again, to save time. Will also keep the results of an OCR operation, if applicable.
#7440 If the creation of thumbnails for pictures within large (e.g. solid RAR) archives for gallery view is too slow, you may want to disable it. This will also disable search hit context preview for search hits in files in archives.
#7437 If large JPEGs already contain embedded thumbnails and those have been included already in the volume snapshot or if internal thumbnails have been computed for large pictures, then they can be optionally used as auxiliary thumbnails in the gallery to represent the main picture for significantly faster gallery loading. Video stills, once exported, can be used to represent the video; dynamically rotating if fully checked.
#7429 The gallery has its own "Dbl-click=View instead of Explore" 3-state option, analogously to the directory browser. By default, double-clicking means View in the gallery.
#745D There is an option to view files with a single click in the gallery instead of with a double click. Useful for example if you wish to view certain pictures on a separate monitor, where you do not have to close the view window to see the gallery again, when not viewing all pictures one after the other (for which the Page Up or Dn key is more efficient).
#745E Another option allows you to tag a file by clicking anywhere in the thumbnail, not just in the tag square. That makes it more convenient to tag a large number of files, and is more comfortable than selecting multiple files while holding the Ctrl key.
#7435 The gallery can optionally show thumbnails for any file type supported by the viewer component, including Office documents, PDF, HTML, e-mails, and pictures that the internal graphics viewing library cannot display (e.g. .emf, .wmf, ...).
#7434 You can choose between normal and slightly shrunk and strongly shrunk thumbnails of documents. Shrunk thumbnails show much more detail from an original document and the original layout, but at the cost of readability. Larger fonts (in particular captions) in an original document, if not shrunk, are typically readable in the thumbnail and can already give you an idea what kind of document it is even if you don't view it, so you can more quickly find the documents that you are looking for.
#74C8 Thumbnails of true-color pictures can optionally be color-adjusted in the gallery. This option is meant for law enforcement users whose job is to review child pornography photos, to reduce the mental impact and stress level. If the checkbox for this option is fully checked, the thumbnails will appear in grayscale. If half checked, color swapping will take place in such a way that human skin will appear very unnatural.
#743E Keep track of which files were already viewed and flag them visually with a green background color around the tag. This is especially useful when reviewing hundreds or thousands of documents or pictures over a longer period, to avoid accidentally viewing the same documents multiple times. Rules are set via the button to the right.
#6F68 To manually mark files as already viewed, you can press Alt in combination with the cursor keys. Alt+Left removes the mark. You can also right-click the tag area of a file in the directory browser to mark it as already viewed or to remove that mark.
#6F6B When identifying duplicate files based on hash values, if one of the files has been marked as already viewed, then this option marks the duplicates already viewed, too. Fully checked, if duplicates have been identified already when files are viewed, known duplicates within any open volume will also be marked as already viewed (potentially slow in conjunction with gallery). This option also applies to hard linked files in NTFS.
#6F66 Viewing a file is available via the context menu - or usually just by double-clicking it.
#7B66 For all kinds of editing operations you choose whether they should be reversible or not. If so, an internal backup is created before the operation takes place.
#7B64 Automatically created backups for the internal use with the Undo command are deleted by WHX/XWF when closing the file, if the corresponding option is fully selected. If it is partially selected, they are deleted when WHX/XWF terminates.
#7C68 Before modifications to an existing file are saved (i.e. before the file is updated), you are by default prompted for confirmation, but this behavior can be changed.
#7C69 If any of the operations for RVS or Search crash when processing a file, this option enables XWF when started next time to identify the file likely responsible for the crash. Fully checked, should RVS crash the program, restarting the program will also point out which suboperation exactly was applied to the problematic file(s) when the program crashed. There may be multiple candidates for the problematic file that triggered the instability if multiple worker threads were active at the time of a crash.
#7C6F Unchecked, only exception errors with a potentially serious impact (like considerably incomplete analysis results) will be brought to your attention in the Messages window. Fully checked, all of them will be output, even those that occur typically with corrupt files only and have no negative impact on other analysis results. The middle state is a reasonable compromise. Regardless of this option, exception errors will be noted in the error.log file.
#7C6B All notices and warnings output to the Messages window can optionally be automatically saved in a text file “msglog.txt” in the installation directory. If at that time a case is active, the notice/warning will be written to the msglog.txt file in the log subdirectory of that case instead. Fully checked, even messages in the Progress indicator window (descriptions of operations as well as names of processed files) are output.
#7C67 Use the option Check for virtual memory changes to make sure the RAM editor inspects the structure of virtual memory every time before reading from or writing to it. If the structure has changed, a possible read error is prevented. Especially under Windows NT the checking may result in a loss of speed. When editing the "entire memory" of a process, WinHex generally never checks for alterations, even if this option is enabled.
#7C6A Active by default in XWF. Ensures that saving and editing files is only possible on certain drive letters, namely those that X-Ways Forensics, even when examining a live system, can assume are located on the examiner's own media. They are: 1) the drive letter that hosts the active case if one is active, 2) the drive letter with the directory for temporary files, 3) the drive letter from which X-Ways Forensics was run and 4) the drive letter that contains the directory for image files.
#7C6C The key that is required for encryption and decryption can be entered in a normal edit box. Optionally, you enter it blindly (asterisks are displayed instead of the actual characters). In this case you have to confirm the key in a second edit box to detect typos.
#7C6D By default, the key is kept in main memory (in an encrypted state) as long as WHX/XWF is running, so that you do not have to type it again and again if you use it several times. Possibly you prefer WHX/XWF to erase the key after use.
#7C0A Decide whether or not WHX/XWF shall prompt before executing a script, or only before executing a script via the command line.
#7C71 Optionally, checksums with multi-byte accumulators (16-bit, 32-bit, and 64-bit checksums) are computed byte-wise instead of adding units that are equivalent in size to the accumulator itself, e.g. 4 bytes for 32-bit checksums. Both variants exist in real life applications.
#1A21 If checked, search hits for identical search terms are merged and made accessible through the same item in the search term list. Useful when running multiple searches for the same search terms. Unchecked, always produces a new item in the search term list, even if the search term is identical to a previously used one. Useful, if you run searches with different settings, in order to be able to distinguish the resulting search hits later.
#1A35 File slack can be specifically targeted (for all files or, if only half checked, for files that are not omitted) or ignored. #1A2B Precondition: You are NOT interested in every search hit, but merely which files contain any hits at all. Speeds up the search by skipping the remainder of a file once the first hit has been recorded. Will obviously lead to incomplete search results, so not safe to assume that "the most useful" or the "most important" search hit in each file will be collected, nor will logical combinations of search results be possible. However, each file with at least one hit will be found. #1ABD Files that have been identfied as irrelevant by hash database matching (fully checked: any known files, i.e. including the notable) can be omitted from a logical search to save time and reduce the number of irrelevant search hits. The slack of such files is still covered if the option "Open and search files incl. slack" is fully checked, so that this option has a higher priority. If only half checked, the slack of such files is omitted, too. #1ABE Files that have been excluded by the user can be omitted from a logical search to save time and reduce the number of irrelevant search hits. The slack of such files is still covered if the option "Open and search files incl. slack" is fully checked, so that this option has a higher priority. If only half checked, the slack of such files is omitted, too. #1ABF Files that are filtered out by an active filter can be omitted from a logical search to save time and reduce the number of irrelevant search hits. The slack of such files is still covered if the option "Open and search files incl. slack" is fully checked, so that this option has a higher priority. If only half checked, the slack of such files is omitted, too. #1AC0 E-mail archives (MBOX and DBX) and file archives (ZIP, RAR etc.) will not be searched if their respective child objects have been included in the VS. 
In that case only those extracted e-mails and files will be searched, in their natural (unencoded and uncompressed) state. This may be reasonable for keyword searches and in particular for indexing, but not necessarily for technical searches for signatures etc. #6C33 Fully checked: existing and previously existing items are grouped, i.e. sorted separately. Half checked, even prev. existing items with question mark vs red X icons are grouped, i.e. a total of 3 groups. A small symbol with either one or two horizontal dividers indicates whether the list is split up into two or three groups, also in the header of the column that is the primary sort criterion. #6C29 Double-clicking a directory will explore it. Double-clicking an ordinary file will view it. This option controls whether files with child objects will be typically viewed or explored on a double-click. If the checkbox is half-checked, you will be prompted. #6D31 Files can optionally be opened and searched including their slack. The middle state of this checkbox makes a difference only for logical searches. #6C3E Half or fully checked: The ".." item is listed at the top of the directory browser representing the parent directory. Fully checked: the "." item is also displayed, representing the currently explored directory, i.e. the one you are in. Useful if for example you wish to see certain metadata (e.g. timestamps) of the parent object at the same time as metadata of its child objects, or to be able to select it for e.g. Details mode. #6C34 Listing the root directory of a volume in the directory browser, in the root directory itself, actually, is kind of illogical, but can be very helpful to see that directory's timestamp (if any, depends on the file system) or to quickly navigate to its clusters (if any, also depends on the file system) or as another place where to quickly tag or untag all items in a volume. #6C5F Listing the internal files of the file system is optional in the normal directory browser. 
This affects for example the various $* files in NTFS. Specifically in X-Ways Investigator those files are no longer listed as they are irrelevant to non-technical examiners (the target group of X-Ways Investigator) and might confuse them because they are not familiar with them from using ordinary high-level computer software. #6C37 Listing subdirectories when exploring recursively is optional. They are not needed for navigation if all files from all subdirectories are already listed and may distract you when you are merely interested in viewing files. By default this option is half-checked. In this state, directories are listed when exploring recursively only if a filter that is applicable to directories is active and filters are actually applied to directories, too. #6C3C That filters are applied to directories, too, is optional. Most often users employ filters to focus on certain files, not directories, and they may still need the directories listed in order to be able to navigate to the files of interest. #6C3A The selection statistics are displayed below the directory browser. Computed recursively, they reveal how many subdirs, files and how much data are contained in the selected directories (or files with child objects), unless explored recursively already, taking any active filters into account. Disabled, the statistics consider direct selection only, without child objects. Half selected, the statistics take child objects of directories into account, but not child objects of files. #6C2D Non-recursively means (un)tagging a file or directory in the directory browser has no effect on parent or child objects or parent directories or subdirectories. Recursively, it is not possible to have an untagged parent object whose child objects are all tagged. Half-checked means that child objects still inherit the tagged state from their parent at the moment when they are newly added to the volume snapshot, e.g.
when you extract e-mail and attachment from a tagged e-mail archive. #6C27 Non-recursively means including/excluding a file or directory in the directory browser has no effect on parent or child objects or parent directories or subdirectories. Useful for example if all child objects of a file should be processed in volume snapshot refinement or searched, but not the parent object. #6C31 Takes 4 to 6 times more time than the highly optimized standard Unicode sorting (noticeable when sorting millions of files), but has several useful settings and characteristics: #6B66 Special treatment of hyphens and apostrophes (they are treated differently from other nonalphanumeric characters to ensure that words such as "coop" and "co-op" stay together in a sorted list). #6B67 Treat decimal digits as numbers, e.g. sort "2" before "10" (not useful for hexadecimal notation, available under Windows 7 and later only) #6B68 Treat half-width and full-width characters the same (full-width characters are sometimes used by East Asians when writing English language letters) #6B65 Ignore kana type (treat corresponding Japanese hiragana and katakana characters the same) #6B2D Sort search hits by their data and context instead of just by the search term. Makes a difference only for regular expressions that match variable data, so the sorting is by the actual data, as opposed to the more generic search expression. Continuing sorting by the text that follows the search hit if the hit data is the same will show identical or similar text passages next to each other. More characters means more memory is needed for sorting. #6C3B Optionally, after start-up, the directory browser can be not sorted at all, for performance reasons. That means the program will forget the sort criteria that were last in use. If selected, there will now also be no sorting when turning off all filters with a single mouse click, to avoid longer delays when suddenly all files are listed again recursively.
#6C38 Directory browser settings (in particular column width, filter settings and sort orders) can be optionally stored in cases and reactivated when loading cases (if stored by a compatible version). #6C3F Sender and Recipient columns will be included if at least one extracted e-mail message is in the visible portion of the directory browser, otherwise not. The columns with alternative timestamps can also be shown dynamically, i.e. only when items that have such timestamps in the volume snapshot are displayed in the visible portion of the directory browser. #6C2E The 1st sector column can optionally show physical start sector numbers for files in partitions (counted from the start of the physical disk or disk image) instead of logical start sector numbers, if the partition was opened from within the physical disk/disk image. In that case the column label contains a P in a circle (P for physical). Only for ordinary partitions, not Windows dynamic volumes or LVM2 volumes. #6C39 An option exists to show the file type ranks in the Type status column, which also causes sorting by that column to sort by those ranks. Ranks are defined in the File Type Categories.txt file. #6C26 A special file icon for pictures is available, very useful when your main focus is on such files. Depending on whether the check box is fully checked or half checked, symbols like question marks, arrows, scissors, hammers, etc. that further reveal the status of the file are additionally superimposed or not. If not, that is easier on the eye. You can still tell the exact deletion status from the Description column, and the rough deletion/existence status is still obvious from the contrast of the icon. #6C20 Allows specifying rules according to which individual directory browser cells, or the entire row affected, or an entire column (regardless of individual entry values) are colored to make certain details stand out and be more easily noticed.
#D4DA Recognize evidence objects that are physical media (not images) by their own intrinsic properties, not by the Windows disk number. The advantage is that you may add multiple hard disks or external USB disks or sticks to the case that are attached to the computer at different times and get the same disk number assigned by Windows. Another advantage is that if the number of the same disk as assigned by Windows changes, X-Ways Forensics will still recognize the disk. #D4D1 Case files can be password-protected. This does not involve encryption and is just a kind of lock. If the password is lost by a user, case files saved by X-Ways Investigator can be unlocked with a super-user password if such a password had already been entered in the installation used at the time when the case file was saved (undocumented on request). #D4CD Optionally, the evidence object subfolders in the case folder are always suggested as default output folders for files recovered/copied off a file system. You may wish to disable that feature if your preference is to copy files from various evidence objects into the same output folder. #D4C9 You may enable or disable the automated log feature for the whole case. #D563 Enabling this will mean that XWF tracks search results, RTAs etc. on a user-specific basis, thus allowing the options below. Not distinguishing between different users is useful if only you will process that case and even if you process it on different computers where you have Windows accounts with different SIDs you will always be treated as the same user. Also useful if multiple examiners are going to process the same case at different times and wish to share all their results directly. #D564 Another multi-user support option coordinates certain kinds of accesses to volume snapshots (related to adding items to the snapshot as well as editing comments and metadata) more carefully. It may have some performance benefits if disabled.
Disabling this synchronization is recommendable only for cases that are definitely only processed by 1 user at a time. #D565 XWF remembers the "tagged", "already viewed" and "excluded" status of files separately for each examiner. Adopt the "already viewed" status of files in volume snapshots from all other examiners when opening evidence objects to avoid duplicate work, if you do not wish to review files that were reviewed by any of your colleagues already. Individual file statuses (tagged, etc.) and search hits of other users are lost if one examiner removes items from the VS. #D56F Shared analysis mode can be useful even for the first of many simultaneous users that open the same case because only in that mode newly created labels are shared out to other simultaneous users at regular intervals (depending on the case auto-save option). Can alternatively be achieved by checking the [x] Options when opening a case. #D568 Choose whether or not users get to see labels of other users or only their own associations (or, if half checked, only their own associations plus those of unknown users). The same file can be assigned the same label only by 1 examiner. #D569 Half-checked, initials are showing in the directory browser only; fully checked, it also applies to Export List, Recover/Copy, or the Case Report. #907E Fully checked: force decomposition of V1 GUIDs into timestamp, sequence number and MAC address; half-checked: only do so if the timestamp is not too implausible; unchecked: never decompose, always show in format like {E0FFD8FF-1000-464A-4946-000102000001} #6E33 Existing and previously existing volume shadow copy host files are checked for valuable information that would not be available otherwise, such as files that cannot be found in the current $MFT any more or previous versions of files whose contents have changed. Those files will be reconstructed up to 1 GB in length according to the shadow copy.
Processing of volume shadow copies, if any, occurs before all the other operations that are part of the particularly thorough file system data structure search. #6E3B Omit previous versions of files if they are exact duplicates (identical file contents), so that it is much easier to focus on files for which actually previous data is still available. Even if modification dates are different, the file contents are often the same for files installed by the operating system. Fully selected, XWF will compare files up to 128 MB, if half selected, only up to 16 MB, so as not to waste too much time on this feature. #6E39 FILE records can be optionally searched everywhere, in sectors that neither belong to the current MFT nor to a volume shadow copy (VSC) processed by the above-mentioned option. Such FILE records can be found e.g. in free space after a partition has been recreated, reformatted, moved, resized, or defragmented. Time consuming on very large partitions. #6E34 Current $LogFile and old versions of $LogFile found in VSC can be exploited. The contents of deleted files can often be reconstructed thanks to $LogFile. Index record remnants in $LogFile can be exploited that either reveal previous names or paths of renamed/moved files/directories that were known to the volume snapshot before or deleted files that the volume snapshot was not aware of before. #6E40 You can indicate whether you are interested in earlier names and paths of renamed/moved files and directories or not. If the checkbox for earlier names/paths is half checked, you may find earlier names/paths of renamed/moved files in the Metadata column and don't get additional files in the volume snapshot for each earlier name/path. #6E3F You can also indicate whether you are interested in including traces of files in the volume snapshot whose clusters are unknown and for which only name, size, timestamps and attributes are available.
#6C28 File counts can optionally be displayed in the directory browser at the end of the names of directories and files with child objects. If fully checked, that will happen also in the directory tree in the Case Data window. #6C2A By default, the Path column displays a partial path from the current exploration base when exploring recursively. If fully checked, a partial path starts with the subdirectory name. If half checked, it starts with ...\ to point out the omission. #57BD Fully ticked, even known notable files will be omitted - as they are known to be notable, further processing may well not be required. #57BF Please ensure, if using this option, that only the files you truly wish to not see processed are currently filtered out! #577D Instead of processing only the current volume snapshot, extend the processing across multiple, or indeed all, volumes in the case. #5763 If enabled, certain previously valid timestamps of files are output as events during various suboperations of the particularly thorough file system data structure search on NTFS, which may also affect other operations whose primary purpose is not the retrieval of timestamps/events. (See "Extract internal metadata, browser history and events" for the regular event provision functions.) #57C0 See Description column "Hard link" and "Hard link, optionally omitted" for files affected. #7327 The Sector reading cache accelerates sequential disk access by the disk editor. This option is recommended particularly when scrolling through CD-ROM and floppy disk sectors, since the number of necessary physical accesses is significantly reduced. #7357 For the most complete dark screen experience you would change your entire Windows system to a dark theme. The easiest way to achieve that not only for "apps", but also real desktop applications, is to activate the black high contrast theme.
In Windows 10 you would go to PC Settings | Personalization | Settings for high contrast | Activate high contrast | Contrast black. #2F2D Fully/half checked: different symbols in Existent column represent existing/prev. exist./virtual. Not checked: uses words yes/no/virtual instead. #2F3C If the Created date is greater (read: later) than the Modified date, then the file was likely copied in Windows, which creates this precise situation. This option adds the word "copied" to the Description to illustrate this fact. #6C25 Use checkmarks instead of squares for tagging. Alternatively, use buttons on the right to define a color gradient for the squares. #6C78 Flex Filters can target any column in the ordinary directory browser that the user wishes to focus on, with an arbitrary number of substrings, and they can be combined with a logical OR or a logical AND. So this makes them the only filters that can be combined with one another with a logical OR. #6D5B A user-designated copy of the FAT table can be used, or otherwise the one that is defined as active in the boot sector (in case of FAT32). If neither the user selects a copy nor the boot sector defines a single copy as active, the first copy will be used, labelled as "FAT 1". #6D35 Allows running a more in-depth parsing of deleted directory entries during the initial creation of the volume snapshot, even if they are misaligned in relation to the current directory entries. This might find additional previously existing files in Ext, at a likely manageable risk of finding some garbage entries as well. #6D41 Newly discovered names (e.g.
e-mail subject lines of original .eml files or names of files in iPhone backups) can become the main filenames in a volume snapshot (and thus also potentially part of paths if they have child objects), so that the original names as per the file system become alternative names, or they can become the alternative names themselves, displayed in a lighter color after the main names in square brackets as additional information. #6D43 Assigns all fragmented files in a newly created volume snapshot a special label. #6D3B Convert certain RTF-formatted e-mail bodies from Outlook e-mail archives to plain UTF-8 (when extracting e-mails) to be able to better view generated .eml files in external e-mail clients and to allow for the alternative .eml preview. #6D42 Alternative interpretation of extended timestamps has an effect when including the contents of file archives in the volume snapshot. #6E35 Similar to the procedure for FAT. Checks the entire volume for previously existing directory structures whose contents are no longer known from corresponding inodes (these would have been looked at as part of the regular volume snapshot already). Such directories are listed with a generic name, usually in "Path unknown", but potentially in the root directory, if that is where they existed previously. #6E32 Certain previously existing files that otherwise would be presented only with file system metadata and no contents can be associated with data using the Ext3/Ext4 journal. #5772 FAT: Searches for orphaned subdirectories that are no longer referenced by any other directory. Btrfs: Searches for orphaned nodes of the FS tree. Ext/NTFS: see suboptions #D4D0 Automatically verify the hash value when adding an image to a case, if such a hash value is present, or (if the checkbox is fully checked) to compute the hash value from scratch if the image doesn't have one.
#D566 To view all the results of a colleague (labels, search hits, tag marks, already viewed status of files, exclusion status of files), you can open the case in read-only mode as him or her. For that, try the "Options..." checkbox when opening a case. Disabling this option prevents your colleagues from opening the case in read-only mode as you. #747D To use OCR, the path to the Tesseract package (available from X-Ways downloads) needs to be set here. #74D2 Determines whether selecting a directory in Preview should attempt displaying a full subdirectory tree from there, and if so, which details to include. #74D5 Listing the individual files within a directory tree preview might take a very long time - and just getting a list of the files in a directory could be much more easily achieved by just looking at the file listing in the directory browser instead. #74D6 Exif orientation instructions (for picture rotation and/or flipping) can be either applied strictly (fully checked) or only when X-Ways Forensics determines that they still need to be applied. #6F65 Viewing files with Preview counts as "already viewed" only after an optional delay. #6F69 Once a file is known to be irrelevant, it is no longer worth viewing, so might as well be treated as "already viewed" - or rather, already judged without viewing. #6F6A Literal viewing of a zero byte file is a rather meaningless operation. Treat them as already viewed for this reason. #9087 Parses 16 bytes and displays them in a form like either {E0FFD8FF-1000-464A-4946-000102000001} or parses them further to decompose them into MAC address and timestamp, if possible, depending on the option to the right. #7C72 Certain metadata about large .e01 evidence files is kept in separate .xmet files to speed up reopening in XWF next time. Fully checked, .xmet file is stored in the same directory as the image, benefits other cases/users as well.
Half checked, .xmet file is stored in the evidence object's metadata directory of the current case; use the latter if the image is stored on a write-protected drive. #7C64 If an .e01 evidence file is found to have a very inefficient layout (less than 32 chunks per table section or compressed chunks with a compression ratio of less than 0.1%), that is brought to the user's attention so that they can avoid whatever software or hardware created that image. #7C65 Whether a password verification hash for .e01 evidence files created with 256-bit AES encryption is included in the .e01 evidence file or not is up to you to decide. The hash allows X-Ways Forensics to check whether the password that you enter when opening such an image is correct. #7C66 The CRCs in .e01 chunks can be automatically checked on the fly when chunks are read, and any discrepancies will be reported in the Messages window. This costs a little computing power. #1A2A For full regular expression rules, see "Search Options" in the program help. #1A22 Case sensitive search; with additional option on the right, only for those search terms that start with case: at the beginning of the line. #1A76 Allows e.g. treating accented characters like é as their non-accented equivalent, by creating adjustment rules like é>e. Character adjustments are *always* case-sensitive, even if the rest of the search is not. To have upper case adjustments as well, additional lines for the upper-case equivalent are needed. #1AC7 In current Windows installations often between 10,000 and 100,000 hard links of system files exist. Searching only one hard link per file typically omits several GB of duplicate data and yet nothing is missed. Optionally omitted hard links are identified as such in the Description. Search hits in hard links are marked "-> Links!" in the Descr. column to remind you of the other hard links of the same file in case those search hits are relevant.
#1A89 Apply search to various metadata of files in addition to the file contents; specifically, to any selected directory browser column such as Name, Author, Sender, Recipients or Metadata (see button on the right), otherwise individually searchable by filters, of course. #6C08 Align path at left or right hand edge of column #7044 In order to overrule the regular sort order (by ev. obj. and int. ID = by Unique ID), first list all (!) items and sort them as desired in the case root window and select this option #7043 Sorting by evidence object and int. ID = sorting by Unique ID #704F fully checked: thumbnails replace pictures outright; half checked: pictures are copied and linked from thumbnails if appropriate option chosen above #7048 e.g. full EXIF parsing instead of metadata digest #74CF For Preview purposes, this can be changed on the fly by clicking "VC" button while in Preview #7474 Unlike regular text included in spreadsheets (which can be searched by simply using the "Decode text" option in the search, like for other document types), numbers and dates are stored as binary data in spreadsheets. If a search uses dates or numbers as search terms and hits in spreadsheets are potentially of interest, this option makes numbers in spreadsheets text for search purposes. #BD2C E: encrypted at filesystem level e: encrypted in archive (whose password was not found) e!: file type specific encryption (pw protection/DRM) #BD2D high entropy, possibly fully encrypted #BD2E NTFS Reparse points (also used for WofCompression) #BD2F NTFS Alternate Data Stream #BD3D Resource Forks in HFS+/HFS #BD30 NTFS attributes Logged Utility Stream, Index or Bitmap #BD36 Extended Attribute #BD31 compressed in an archive #BD32 C: Compressed by the file system ~: sparse storage #BD33 Offline attribute #BD34 Temporary #BD35 Have Object ID #BD37 Hidden #BD38 Contents only partially initialized #BD39 Found in shadow copy #BD3A Prev.
version found in shadow copy #BD6F Linux/Unix "Set User ID" #BD6E Linux/Unix "Set Group ID" #BD6D Sticky bit set #BD61 Any of the above set Unix permissions will suffice #BD62 All of the above set Unix permissions required #BD63 Exactly the above set permissions and no others #BD3B Symbolic links refer to other files/directories by name and (optionally) path #BD3C Special files can be: b - block device file (storage devices, partitions, etc.) c - character device file (e.g. audio devices, keyboard, mouse, etc.) p - officially called FIFO, commonly known as a "named pipe"; used for process communication s - Socket, alternatively used for process communication #BD3E Found via Journal #6C24 Multiple filters are usually AND combined (to show only items that match all currently active filters); enabling OR filtering changes that to show any items that match at least one of the currently active filters. #2FC9 Half selected: adds more specific description, particularly for child objects, which can be identified as still images, attachments, alternate data streams, etc, as appropriate. Full check would add "file" and "directory" a lot. #2FCE Shows internal refinement state for each file: [Emb]: checked for embedded data to uncover [Arc]: file archive checked for content [Enc]: encryption test already performed [Ext]: e-mail or e-mail archive checked for extractable content [Met]: checked for internal metadata [Xtn]: created by an X-Tension #2FCD Refers to details like "extracted text", "with attachment" or "file contents unknown" #6F0A Choose a different first color for the "already viewed" color gradient #6F0B Choose a different second color for the "already viewed" color gradient #D4D9 Each case gets its own subdirectory !temp - this option controls whether that one or the generic temp (set in General Options) is to be used for this case. 
#D4DE Each case gets its own subdirectory !images - this option controls whether that one or the generic Images (set in General Options) is to be used for this case; when activated, a different case specific directory can be specified in the box below. #D4CC Activity logging using screenshots (full check) vs a text representation (half check): the text representations are more space efficient, but also searchable, copy/paste capable and never limited by visual space, i.e. nothing is cut off by scrollbars etc.