Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1031

Shellbags

What is Shellbags?

Shellbags: Registry keys that store per-user Windows Explorer folder-view settings and serve as forensic evidence that a specific user viewed a specific folder, including removable and network paths.

Shellbags are subkeys under HKCU\Software\Microsoft\Windows\Shell\Bags, BagMRU, and the corresponding UsrClass.dat hive that record window position, view mode, and sort order for every folder a user opens in Explorer. Each entry contains MFT-like timestamps and a ShellItem ID list pointing to the path, including encrypted volumes, ZIP archives, network shares, and removable media that may no longer be attached. Investigators use shellbags to prove a user opened a directory, demonstrate knowledge of a particular file location, and reconstruct historical folder structures of wiped USB drives. Tools include ShellBagsExplorer (Eric Zimmerman), RegRipper plugins, and KAPE modules.
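As an added example that is not part of this glossary entry or of any tool it names, the Python below models the BagMRU layout just described: each key holds numbered binary values (one shell item each) plus an MRUListEx value giving most-recent-first order, and a subkey with the same number holds that folder's children. The nested dict, the 8.3 names and the DOS timestamps are constructed sample data; only file/directory (0x3x) shell items are parsed, and the NodeSlot/Bags view-settings side is not modelled.

```python
import struct
from datetime import datetime

SENTINEL = 0xFFFFFFFF  # terminates every MRUListEx value

def parse_mrulistex(blob: bytes) -> list[int]:
    """MRUListEx: little-endian DWORD slot indices, most recently used first."""
    order = [idx for (idx,) in struct.iter_unpack("<I", blob)]
    return order[:order.index(SENTINEL)] if SENTINEL in order else order

def decode_dos_datetime(date: int, time: int):
    """FAT/DOS packed stamp: 2-second resolution, host-local time, no zone."""
    if date == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def parse_file_entry(item: bytes) -> dict:
    """Minimal 0x3x file/directory item: DOS modified stamp and 8.3 name."""
    if item[2] & 0x70 != 0x30:  # root (0x1F) / volume (0x2F) items not handled
        raise ValueError(f"unsupported shell item type 0x{item[2]:02x}")
    mdate, mtime = struct.unpack_from("<HH", item, 8)
    name = item[14:item.index(b"\x00", 14)].decode("ascii")
    return {"name": name, "modified": decode_dos_datetime(mdate, mtime)}

def make_dir_item(name: str, dos_date: int, dos_time: int) -> bytes:
    """Constructed 0x31 item: size, type, flags, file size, DOS stamp, attrs, name."""
    body = struct.pack("<BBIHHH", 0x31, 0, 0, dos_date, dos_time, 0x10)
    body += name.encode() + b"\x00"
    body += b"\x00" * (len(body) % 2)  # items are padded to an even length
    return struct.pack("<H", len(body) + 2) + body

def walk_bagmru(node: dict, prefix: str = ""):
    """Yield (path, modified) per folder, most recent first, recursing into
    numbered child keys the way BagMRU nests them."""
    for idx in parse_mrulistex(node["MRUListEx"]):
        entry = parse_file_entry(node[str(idx)])
        path = f"{prefix}\\{entry['name']}" if prefix else entry["name"]
        yield path, entry["modified"]
        if str(idx) in node.get("children", {}):
            yield from walk_bagmru(node["children"][str(idx)], path)

# Constructed BagMRU subtree: dicts stand in for registry keys and values.
# DOS stamps (date, time): 0x58A1/0x4BC7 = 2024-05-01 09:30:14 local, etc.
SAMPLE = {
    "MRUListEx": struct.pack("<3I", 1, 0, SENTINEL),  # slot 1 was used last
    "0": make_dir_item("PROJECTS", 0x5762, 0x4000),
    "1": make_dir_item("EXFIL_~1", 0x58A1, 0x4BC7),
    "children": {"1": {"MRUListEx": struct.pack("<2I", 0, SENTINEL),
                       "0": make_dir_item("SALARIES", 0x58A1, 0x4BE1)}},
}
```

Iterating `walk_bagmru(SAMPLE)` yields the folders in recency order with their DOS modified stamps, which is the ordering a live BagMRU key would give on a real hive.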

Examples

  1. Showing a user navigated to an external USB folder named exfil_2024 even after the drive was destroyed.

  2. Proving access to a network share \\fileserver\HR$\Salaries during an insider-threat investigation.

Frequently asked questions

What is Shellbags?

Registry keys that store per-user Windows Explorer folder-view settings and serve as forensic evidence that a specific user viewed a specific folder, including removable and network paths. It belongs to the Forensics & IR category of cybersecurity.

How do you defend against Shellbags?

Defences for Shellbags typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Shellbags?

Common alternative names include: Shell Bags, BagMRU.

Related terms