Forensic Artifact: Windows Registry

ShellBags — Folder Access History

ShellBags record every folder a user has viewed in Explorer including view settings, window positions, and timestamps — even for folders on removable media or network shares that no longer exist.

ShellBags are one of the most persistent and underappreciated forensic artifacts in Windows. They record every folder a user has ever viewed in Windows Explorer — including folders on USB drives that have been disconnected, network shares that no longer exist, and directories that have been deleted. Even after a folder is removed from disk, the ShellBag entry proving the user navigated to it persists indefinitely in the registry.

What Are ShellBags?

ShellBags are registry entries that Windows creates to store the user’s Explorer shell preferences for each folder they visit. When a user opens a folder in Explorer, Windows records the folder’s view settings (icon size, sort order, column layout), window position, and window size. These preferences are stored so that the next time the user visits the same folder, Explorer restores their preferred view. The forensic value is not in the view settings themselves, but in the fact that Windows must record the folder path to store the preference — creating an indelible record of folder navigation.

The ShellBag data is stored as binary registry values organized in a tree structure under BagMRU and Bags keys. The BagMRU tree mirrors the folder hierarchy: each node represents a folder, and its binary value contains a Shell Item structure that encodes the folder name, timestamps, and metadata. The Bags keys store the actual view preferences (icon size, sort order, etc.) indexed by a NodeSlot number that links back to the corresponding BagMRU entry.

ShellBags are created on Windows XP and all later versions. The storage location shifted between Windows XP (primarily in NTUSER.DAT) and Windows 7+ (primarily in UsrClass.dat), but both hives should be analyzed. The artifact persists across reboots, survives folder deletion, and is not targeted by any widely deployed consumer cleanup tool.

Why ShellBags Persist

ShellBags are never automatically pruned by the operating system. Windows has no garbage collection for orphaned ShellBag entries — if a user viewed a folder on a USB drive in 2022 and the USB drive was never connected again, the ShellBag entry remains in the registry indefinitely. This makes ShellBags one of the longest-retention artifacts on a Windows system, often spanning the entire lifetime of the user profile.

Location & Format

| Component | Path | Description |
|---|---|---|
| UsrClass.dat (primary, Win 7+) | C:\Users\{user}\AppData\Local\Microsoft\Windows\UsrClass.dat | Primary ShellBag location on Windows 7/8/10/11; contains Local Settings\Software\Microsoft\Windows\Shell\BagMRU and Bags |
| NTUSER.DAT (secondary) | C:\Users\{user}\NTUSER.DAT | Secondary location; contains Software\Microsoft\Windows\Shell\BagMRU and Bags; also Software\Microsoft\Windows\ShellNoRoam\BagMRU on XP |
| UsrClass.dat logs | UsrClass.dat.LOG1, .LOG2 | Transaction logs with uncommitted writes; may contain the most recent ShellBag entries |

BagMRU Tree Structure

The BagMRU registry key contains a hierarchical tree of binary values. The root BagMRU key represents “Desktop.” Each subkey (numbered 0, 1, 2, etc.) represents a child folder. The binary data in each subkey’s default value is a Shell Item (also called SHITEMID) structure that encodes the folder name, embedded file system timestamps, and type-specific metadata (see Shell Item Types below).

Each BagMRU subkey also contains a NodeSlot value (DWORD) that maps to the corresponding Bags\{NodeSlot} key where the view settings are stored. The Bags\{NodeSlot}\Shell key contains values like Rev, FFlags, Mode, Vid, ColInfo, and Sort that define the Explorer view preferences. The MRUListEx value in each BagMRU node records the most-recently-used order of child folders.

REGISTRY TREE / EXAMPLE
UsrClass.dat
Local Settings\Software\Microsoft\Windows\Shell\BagMRU
    (default) = Shell Item for Desktop
    MRUListEx = 01 00 00 00 00 00 00 00 FF FF FF FF
    \0         = Shell Item for "This PC"
        \0     = Shell Item for "C:\"
            \0 = Shell Item for "Users"
            \1 = Shell Item for "Windows"
        \1     = Shell Item for "D:\" (USB drive, volume label "SANDISK_USB")
            \0 = Shell Item for "Client_Data"
            \1 = Shell Item for "Backups"
    \1         = Shell Item for "\\FILESERVER01"
        \0     = Shell Item for "Projects"
        \1     = Shell Item for "HR_Confidential"

Reading the Tree

The tree above shows the user navigated to D:\Client_Data and D:\Backups on a USB drive labeled SANDISK_USB, as well as \\FILESERVER01\Projects and \\FILESERVER01\HR_Confidential on a network share. Even if the USB drive is disconnected and the network share is decommissioned, these ShellBag entries persist indefinitely.

What It Reveals

ShellBags answer investigative questions that few other artifacts can address.

Proof of Navigation, Not File Access

ShellBags prove the user navigated to a directory in Explorer. They do not prove the user opened a specific file within that directory. To prove file access, correlate ShellBag entries with Jump Lists (which record file opens), RecentDocs (MRU file lists), or $UsnJrnl (file system operations). ShellBags show where the user went; other artifacts show what they did there.

Forensic Use Cases

1. USB Data Staging and Exfiltration

An employee under investigation for IP theft denies ever using a USB drive at their workstation. ShellBags in UsrClass.dat show a complete directory tree browsed on drive E:\ with volume label KINGSTON_32GB: E:\Client_Data\, E:\Client_Data\Contracts\, E:\Client_Data\Financials\, and E:\Client_Data\Source_Code\. The ShellBag timestamps show navigation over a 45-minute window on the employee’s last day. The USB device is not in the company’s possession, but ShellBags reconstruct the folder structure the employee created on it. Cross-referencing with SYSTEM\MountedDevices and setupapi.dev.log confirms the Kingston device serial number.

2. Network Share Reconnaissance

During a lateral movement investigation, ShellBags reveal the attacker (using a compromised user account) navigated to \\DC01\C$\, \\DC01\C$\Windows\NTDS\, \\SQLSERVER\C$\Program Files\Microsoft SQL Server\, and \\FILESERVER\Finance\. This navigation pattern is consistent with a threat actor performing Active Directory reconnaissance (targeting ntds.dit), database server enumeration, and sensitive data discovery. The ShellBag timestamps establish the order and timing of the reconnaissance, which can be correlated with network logon events (Event ID 4624 Type 3).

3. Deleted Staging Directory

An attacker created a directory C:\ProgramData\Updates\Stage\ to collect files before exfiltration, then deleted the directory after completing the operation. The directory no longer exists on disk and does not appear in the $MFT (the MFT record has been reallocated). However, the ShellBag entry for C:\ProgramData\Updates\Stage\ persists in the user’s UsrClass.dat, proving the directory existed and the user navigated to it. The embedded Shell Item timestamps capture when the directory was created.

4. Removable Media Forensics Without the Device

In a child exploitation investigation, the suspect claims they never stored prohibited material on removable media. ShellBags contain entries for F:\Images\{folder_name}\ on a volume labeled SECURE_USB. The directory names and hierarchy are fully reconstructable from the ShellBag tree, providing evidence of folder structure even though the USB device has been destroyed. The ShellBag timestamps provide the time window of navigation.

5. ZIP Archive Browsing Evidence

A user received a ZIP file via email, browsed its contents in Explorer (without extracting), then deleted the ZIP file. The ZIP file is gone from disk and the Recycle Bin. However, ShellBags record the internal folder structure of the ZIP archive as if it were a regular directory tree. The investigator can prove which folders inside the archive the user navigated to, establishing awareness of the archive’s contents.

Shell Item Types

The binary Shell Item (SHITEMID) structures stored in BagMRU values come in several types, each encoding different metadata:

| Type | Indicator | Embedded Metadata | Forensic Notes |
|---|---|---|---|
| Root Folder | Class type 0x1F | Known folder GUID (Desktop, This PC, Recycle Bin, Control Panel) | Identifies the root of the navigation tree |
| Volume (Drive) | Class type 0x2F | Drive letter | Appears for local drives, mapped drives |
| File Entry | Class type 0x30–0x3F | Short name, long name, created/modified/accessed timestamps, file size, MFT entry/sequence | Most common type; contains the richest metadata |
| Network Location | Class type 0x40–0x4F | UNC path (\\server\share), network provider | Proves network share access; server name persists after share removal |
| ZIP/Compressed Folder | Class type 0x52 | Archive path, internal folder name | Explorer treats ZIP files as folders; browsing inside creates ShellBag entries |
| FTP Location | Delegate item | FTP server hostname, path | Explorer FTP navigation (legacy) creates ShellBag entries |

Timestamp Interpretation

The timestamps embedded in Shell Item structures are snapshots captured at the time the ShellBag entry was created. They reflect the folder’s MAC timestamps on the file system at the moment of navigation — not the time the user navigated to it. The registry key’s last-write timestamp is the best indicator of when the user actually visited the folder. Use both: the Shell Item timestamps for folder metadata, and the registry key timestamp for navigation timing.
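As an added example (not code from this page or from any of the tools it lists), the following Python parses the fixed header of the Shell Item types tabled above, decodes the embedded FAT modification timestamp and a MRUListEx value, and rebuilds folder paths from a constructed BagMRU subtree shaped like the tree in the BagMRU section. The sample items are constructed bytes, not a real hive; extension blocks (long name, MFT reference, created/accessed stamps) are not decoded, and the FAT stamps are local time with 2-second granularity, which is one more reason to take navigation timing from the registry key last-write time.

```python
import struct
import uuid
from datetime import datetime

THIS_PC = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D")  # known-folder GUID of "This PC"

def cstr(buf):                      # ASCII string up to the first NUL byte
    return buf.split(b"\x00", 1)[0].decode("ascii")

def fat_to_datetime(raw):
    """32-bit FAT date/time (date word, then time word); local time, 2-second granularity, 0 = none."""
    if raw == 0:
        return None
    date, time = raw & 0xFFFF, raw >> 16
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def parse_shell_item(data):
    """Parse the fixed header of one Shell Item (class type at offset 2); extension blocks are skipped."""
    class_type = data[2]
    if class_type == 0x1F:                       # root folder: sort index byte, then GUID
        guid = uuid.UUID(bytes_le=data[4:20])
        return {"type": "root", "name": "This PC" if guid == THIS_PC else str(guid)}
    if class_type == 0x2F:                       # volume: ASCII drive name at offset 3
        return {"type": "volume", "name": cstr(data[3:])}
    if 0x30 <= class_type <= 0x3F:               # file entry: 0x31 = directory, 0x32 = file
        _fsize, fat_mod, attrs = struct.unpack_from("<IIH", data, 4)
        return {"type": "file_entry", "name": cstr(data[14:]),   # ASCII short name
                "is_dir": bool(attrs & 0x10), "modified": fat_to_datetime(fat_mod)}
    if 0x40 <= class_type <= 0x4F:               # network location: UNC path at offset 5
        return {"type": "network", "name": cstr(data[5:])}
    raise ValueError(f"unhandled class type 0x{class_type:02X}")

def parse_mrulistex(data):          # DWORD child indexes, most recent first, 0xFFFFFFFF ends it
    order = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def reconstruct_paths(bagmru):
    """Join names along BagMRU subkey paths ('0\\1\\0'): root, volume and network items
    start a new path, file entries extend their parent's path."""
    paths = {}
    for key in sorted(bagmru, key=lambda k: (k.count("\\"), k)):   # parents before children
        item = parse_shell_item(bagmru[key])
        parent = paths.get(key.rsplit("\\", 1)[0], "") if "\\" in key else ""
        paths[key] = (parent.rstrip("\\") + "\\" + item["name"]
                      if item["type"] == "file_entry" else item["name"])
    return paths

def _dir_item(name, fat_mod):       # constructed directory item (class 0x31, attrs 0x10)
    body = struct.pack("<BBIIH", 0x31, 0, 0, fat_mod, 0x10) + name.encode("ascii") + b"\x00"
    return struct.pack("<H", len(body) + 2) + body   # size field counts itself

# Constructed sample subtree (not a real hive), shaped like the tree in the BagMRU section
SAMPLE_BAGMRU = {
    "0": struct.pack("<HBB", 20, 0x1F, 0x50) + THIS_PC.bytes_le,
    "0\\1": struct.pack("<HB", 7, 0x2F) + b"D:\\\x00",
    "0\\1\\0": _dir_item("Client_Data", 0xB1E05C72),        # FAT 2026-03-18 22:15:00
    "1": struct.pack("<HBBB", 20, 0x42, 0, 0) + b"\\\\FILESERVER01\x00",
    "1\\1": _dir_item("HR_Confidential", 0xABC05C70),       # FAT 2026-03-16 21:30:00
}
```

Calling `reconstruct_paths(SAMPLE_BAGMRU)` yields `D:\Client_Data` and `\\FILESERVER01\HR_Confidential` even though no such volume or server is present on the analysis machine.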

Acquisition Methods

Collection Warning

UsrClass.dat is locked by the operating system while the user is logged on, just like NTUSER.DAT. Use Volume Shadow Copy, forensic imaging, or raw-disk copy. Always collect both UsrClass.dat (primary ShellBag location on Win 7+) and NTUSER.DAT (secondary location) along with their transaction logs (.LOG1, .LOG2). Incomplete collection means incomplete ShellBag data.

Live System — Volume Shadow Copy

CMD / ADMIN
:: Create a Volume Shadow Copy and note the Shadow Copy Volume Name it prints
:: (HarddiskVolumeShadowCopy3 below is an example). vssadmin create shadow exists on
:: Windows Server; on client editions use: wmic shadowcopy call create Volume=C:\
vssadmin create shadow /for=C:

:: Copy UsrClass.dat and transaction logs
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\jdoe\AppData\Local\Microsoft\Windows\UsrClass.dat C:\Evidence\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\jdoe\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 C:\Evidence\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\jdoe\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 C:\Evidence\

:: Also collect NTUSER.DAT for secondary ShellBag data
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\jdoe\NTUSER.DAT C:\Evidence\

Live System — KAPE Collection

CMD / ADMIN
:: KAPE target for registry hives (includes UsrClass.dat and NTUSER.DAT)
kape.exe --tsource C: --tdest C:\Evidence\KAPE_Output --target RegistryHives

:: Velociraptor collection
:: Artifact: Windows.KapeFiles.Targets with target "RegistryHives"
:: Or: SELECT * FROM glob(globs="C:/Users/*/AppData/Local/Microsoft/Windows/UsrClass.dat*")

Forensic Image — Direct Extraction

BASH / FORENSICS
# Mount forensic image read-only
mount -o ro,noexec,nodev /dev/sdb1 /mnt/evidence

# Extract UsrClass.dat for all users
for user in /mnt/evidence/Users/*/; do
    uname=$(basename "$user")
    mkdir -p /analysis/shellbags/"$uname"
    cp "$user"AppData/Local/Microsoft/Windows/UsrClass.dat* /analysis/shellbags/"$uname"/ 2>/dev/null
    cp "$user"NTUSER.DAT /analysis/shellbags/"$uname"/ 2>/dev/null
done

Parsing Tools & Analysis

| Tool | Author | License | Output | Notes |
|---|---|---|---|---|
| ShellBags Explorer | Eric Zimmerman | Free | GUI | Industry standard; tree view of ShellBag hierarchy; timeline view; transaction log replay |
| SBECmd | Eric Zimmerman | Free | CSV | CLI companion to ShellBags Explorer; batch processing for multiple hives |
| RegRipper (shellbags plugin) | Harlan Carvey | Open source | Text | RegRipper shellbags and shellbags_tln plugins for timeline output |
| python-registry + ShellItems | Will Ballenthin | Open source | Python API | Programmatic Shell Item parsing for custom analysis |
| Autopsy | Sleuth Kit | Open source | GUI | Built-in ShellBag parser in Recent Activity module |

Parsing with SBECmd

CMD / FORENSICS
:: Parse UsrClass.dat to CSV
SBECmd.exe -d C:\Evidence --csv C:\Analysis\ShellBags

:: Parse a single hive
SBECmd.exe --hive C:\Evidence\UsrClass.dat --csv C:\Analysis\ShellBags

:: Output columns include:
::   AbsolutePath, CreatedOn, ModifiedOn, AccessedOn,
::   MFTEntryNumber, MFTSequenceNumber, ShellType,
::   Value, NodeSlot, LastWriteTime, BagPath

Analysis Script — Removable Media and Network Share Detection

PYTHON / ANALYSIS
import pandas as pd

df = pd.read_csv('/analysis/ShellBags/SBECmd_Output.csv')

# Filter for removable media paths (drive letters beyond C:)
removable = df[df['AbsolutePath'].str.match(r'^[D-Z]:\\', na=False)].copy()

# Filter for network share paths
network = df[df['AbsolutePath'].str.startswith('\\\\', na=False)].copy()

print('=== REMOVABLE MEDIA PATHS ===')
for _, row in removable.iterrows():
    print(f'  {row["LastWriteTime"]:<22} {row["AbsolutePath"]}')

print('\n=== NETWORK SHARE PATHS ===')
for _, row in network.iterrows():
    print(f'  {row["LastWriteTime"]:<22} {row["AbsolutePath"]}')

Sample Output

OUTPUT
=== REMOVABLE MEDIA PATHS ===
  2026-03-18 22:15:00    E:\Client_Data
  2026-03-18 22:18:00    E:\Client_Data\Contracts
  2026-03-18 22:23:00    E:\Client_Data\Financials
  2026-03-18 22:31:00    E:\Client_Data\Source_Code
  2026-03-18 22:45:00    E:\Backups

=== NETWORK SHARE PATHS ===
  2026-03-15 14:02:00    \\FILESERVER01\Projects
  2026-03-15 14:05:00    \\FILESERVER01\Projects\ClientA
  2026-03-16 21:30:00    \\FILESERVER01\HR_Confidential
  2026-03-16 21:32:00    \\FILESERVER01\HR_Confidential\Exec_Comp
  2026-03-17 02:14:00    \\DC01\C$\Windows\NTDS

Retention & Persistence

| Property | Behavior |
|---|---|
| Retention period | Indefinite — no automatic pruning or garbage collection exists |
| Survives reboot | Yes |
| Survives folder deletion | Yes — ShellBag entries persist after the target folder is deleted from disk |
| Survives media disconnection | Yes — entries for USB drives and network shares persist indefinitely after disconnection |
| Survives application uninstall | N/A (ShellBags track folder navigation, not application execution) |
| Survives OS upgrade | Generally yes; in-place upgrades preserve user profile hives |
| Growth over time | ShellBag count grows monotonically — entries are added but never automatically removed |
| Typical entry count | Active users may have hundreds to thousands of ShellBag entries accumulated over the profile’s lifetime |

Retention Note

ShellBags are among the longest-retention artifacts on a Windows system. On a user profile that has been active for several years, the ShellBag tree may contain thousands of entries spanning the entire period. This makes ShellBags particularly valuable in cases where the incident timeline extends months or years into the past and other artifacts (event logs, Prefetch) have rolled over.

Anti-Forensics Resilience

ShellBags are highly resilient to anti-forensics activity. They are stored in a system-protected registry hive that is locked while the user is logged on, and no widely deployed consumer cleanup tool targets them.

| Tool | Clears ShellBags? | Explanation |
|---|---|---|
| CCleaner | No | No ShellBag module; does not target UsrClass.dat or BagMRU/Bags keys |
| BleachBit | No | No ShellBag cleaner exists in any version |
| Privacy Eraser | No | Does not target ShellBag registry locations |
| Windows Disk Cleanup | No | System cleanup does not target user registry hives |
| “Clear activity history” | No | Windows privacy settings do not clear ShellBag data |
| SDelete / cipher /w | No | Cannot target locked registry hive files |
| Manual registry deletion | Possible but rare | User must know the exact BagMRU/Bags key paths in two separate hives; deleted keys may be recoverable from unallocated hive space |
| ShellBag cleaner tools | Partial | Niche tools like “Shellbag Analyzer & Cleaner” exist but are extremely uncommon; may not clean both hive locations |

Why ShellBags Survive

ShellBags are stored in UsrClass.dat, a hidden system file in a deeply nested AppData path. The BagMRU/Bags key structure is undocumented binary data that appears meaningless in a standard registry editor. No consumer cleanup tool (CCleaner, BleachBit, Windows Disk Cleanup, Windows privacy settings) has ever included a ShellBag cleaning module. Even forensically aware adversaries who clear event logs, browser history, and Prefetch almost never address ShellBags because the artifact is obscure and the data is not human-readable without specialized parsing tools.

MITRE ATT&CK Detection Mapping

ShellBag data provides evidentiary support for detecting the following MITRE ATT&CK techniques:

| Technique | Name | ShellBag Evidence |
|---|---|---|
| T1083 | File and Directory Discovery | ShellBag entries prove the user navigated through directory structures; breadth and depth of navigation indicates reconnaissance |
| T1005 | Data from Local System | ShellBag entries for sensitive local directories (e.g., C:\Users\{admin}\Documents\, C:\ProgramData\) prove navigation to data collection targets |
| T1039 | Data from Network Shared Drive | UNC paths in ShellBags prove navigation to network shares; server names and share paths are recorded |
| T1135 | Network Share Discovery | ShellBag entries for administrative shares (\\server\C$, \\server\ADMIN$) prove share enumeration |
| T1074 | Data Staged | ShellBag entries for staging directories on removable media or temporary folders prove data staging activity |
| T1052 | Exfiltration Over Physical Medium | ShellBag entries for removable media drive letters with folder hierarchies prove data was organized on external storage |
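As an added example (not the page’s own analysis script and not part of SBECmd), the following Python extends the removable-media and network-share triage to the ATT&CK mapping in this table: it tags each SBECmd AbsolutePath value with the matching technique, orders flagged rows by the registry key LastWriteTime, and groups them into navigation sessions like the 45-minute window in use case 1. The CSV rows, the 30-minute session gap and the rule labels are constructed assumptions; a D: to Z: drive letter can also be a local or mapped drive, so confirm removable media against SYSTEM\MountedDevices before treating a hit as T1052.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Path rules tagged with the ATT&CK technique from the mapping table; order sets the label order
RULES = [
    (re.compile(r"^\\\\[^\\]+\\(?:C\$|ADMIN\$)", re.I), "admin share (T1135)"),
    (re.compile(r"^\\\\"),                             "network share (T1039)"),
    (re.compile(r"^[D-Z]:\\", re.I),                   "non-system drive letter (T1052/T1074 candidate)"),
    (re.compile(r"\.zip(?:\\|$)", re.I),               "browsed inside ZIP archive"),
]

def classify(path):
    """Every rule label that applies to one AbsolutePath value (empty list = not flagged)."""
    return [label for pattern, label in RULES if pattern.search(path)]

def load_sbecmd_csv(text):
    """Keep flagged rows only, ordered by the registry key LastWriteTime, which is the
    navigation-time indicator (the embedded Shell Item stamps are folder metadata)."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        tags = classify(rec["AbsolutePath"])
        if tags:
            rows.append({"when": datetime.strptime(rec["LastWriteTime"], "%Y-%m-%d %H:%M:%S"),
                         "path": rec["AbsolutePath"], "tags": tags})
    return sorted(rows, key=lambda r: r["when"])

def sessions(rows, gap=timedelta(minutes=30)):
    """Group flagged rows into navigation sessions; a new session starts when the gap
    to the previous flagged entry exceeds `gap` (assumed threshold, tune per case)."""
    out = []
    for r in rows:
        if out and r["when"] - out[-1]["end"] <= gap:
            out[-1]["end"] = r["when"]
            out[-1]["paths"].append(r["path"])
        else:
            out.append({"start": r["when"], "end": r["when"], "paths": [r["path"]]})
    return out

# Constructed SBECmd-style CSV (fictitious values; only the columns this script uses)
SAMPLE_CSV = """AbsolutePath,LastWriteTime,NodeSlot
C:\\Users\\jdoe\\Documents,2026-03-10 09:00:00,12
C:\\Users\\jdoe\\Downloads\\invoice.zip\\attachments,2026-03-12 11:05:00,33
\\\\FILESERVER01\\HR_Confidential,2026-03-16 21:30:00,51
\\\\DC01\\C$\\Windows\\NTDS,2026-03-17 02:14:00,57
E:\\Client_Data,2026-03-18 22:15:00,40
E:\\Client_Data\\Contracts,2026-03-18 22:18:00,41
E:\\Backups,2026-03-18 22:45:00,44
"""

if __name__ == "__main__":
    for s in sessions(load_sbecmd_csv(SAMPLE_CSV)):
        print(f"{s['start']} .. {s['end']}  ({len(s['paths'])} flagged folders)")
        for p in s["paths"]:
            print("    ", p, "|", ", ".join(classify(p)))
```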

Related Artifacts & Cross-References

Corroborating Artifacts

| Artifact | Relationship to ShellBags | Cross-Correlation Value |
|---|---|---|
| Jump Lists | Records files opened per application | ShellBags prove folder navigation; Jump Lists prove file access within those folders |
| NTUSER.DAT (TypedPaths) | Paths manually typed into the Explorer address bar | TypedPaths proves intentional navigation; ShellBags capture subsequent folder browsing |
| LNK Files | Shortcuts created by file access | LNK files record specific file targets; ShellBags record directory navigation context |
| $MFT | File system metadata with timestamps | Shell Item MFT entry/sequence numbers in ShellBags can be cross-referenced with $MFT records |
| MountPoints2 (NTUSER.DAT) | Mounted volumes and network shares | MountPoints2 proves a volume was mounted; ShellBags prove which folders within it were navigated |
| SYSTEM\MountedDevices | Maps volume serial numbers to device identifiers | ShellBag drive letter entries + MountedDevices = specific physical device identification |
| setupapi.dev.log | Device installation history | Confirms when USB devices were first connected; ShellBags show subsequent folder navigation on those devices |


Mjolnir Security — Digital Forensics & Incident Response

Mjolnir Security provides 24/7 incident response, digital forensics, and expert witness testimony. Our DFIR team specializes in ShellBag analysis, folder navigation reconstruction, and removable media forensics in insider threat and data exfiltration cases.


mjolnirsecurity.com — 24/7: +1 833 403 5875