When a user browses to a folder in Windows Explorer, the operating system records the folder path, window position, view settings, and sort order in a registry structure called ShellBags. These records persist in UsrClass.dat even after the folder is deleted, the drive is disconnected, or the network share is taken offline. For investigators, ShellBags are a permanent record of every directory a user ever navigated to — a browsing history for the filesystem itself.
What Is UsrClass.dat?
UsrClass.dat is a per-user registry hive file that stores two categories of data: COM class registrations (per-user CLSID mappings for COM objects, shell extensions, and file type associations) and ShellBags (Explorer folder view state data). The hive is mapped to HKEY_CURRENT_USER\Software\Classes in the live registry. While the COM class data has limited forensic value, the ShellBags data is one of the most important artifacts for proving user interaction with specific directories.
ShellBags are stored in two key hierarchies within UsrClass.dat: Local Settings\Software\Microsoft\Windows\Shell\BagMRU (the folder tree structure, stored as a binary shellitem hierarchy) and Local Settings\Software\Microsoft\Windows\Shell\Bags (the view settings for each folder, including column widths, sort order, and view mode). The BagMRU tree mirrors the folder navigation hierarchy — each subkey represents a folder, and its value data contains a binary shell item that encodes the folder path, name, and timestamps.
ShellBags are updated when a user interacts with a folder through Windows Explorer (including Open/Save dialogs in applications). They are not created by command-line navigation (cd in cmd.exe or PowerShell), programmatic file access, or automated scripts. This specificity is both a strength and a limitation: ShellBags prove user-driven folder browsing, not programmatic access.
ShellBags record folder access even for folders that no longer exist. If a user browses to E:\Confidential\Q4 Financials\ on a USB drive, then disconnects the drive and deletes the folder, the ShellBag entry persists in UsrClass.dat indefinitely. This makes ShellBags invaluable for proving a user accessed specific directories on removable media — even when the media is no longer available.
Location & Format
| File | Path | Notes |
|---|---|---|
| UsrClass.dat | C:\Users\{user}\AppData\Local\Microsoft\Windows\UsrClass.dat | Per-user hive; one per user profile |
| Transaction logs | UsrClass.dat.LOG1, UsrClass.dat.LOG2 | Write-ahead logs for dirty hive recovery |
| ShellBags in NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU | Desktop and Control Panel ShellBags (separate from Explorer browsing) |
ShellBag Registry Structure
```
; UsrClass.dat ShellBag hierarchy
Local Settings\Software\Microsoft\Windows\Shell\
  BagMRU\                 ; Root of the folder tree
    0\                    ; Desktop
      0\                  ; My Computer
        0\                ; C:\ drive
          0\              ; C:\Users
            0\            ; C:\Users\jdoe
              0\          ; C:\Users\jdoe\Documents
        1\                ; E:\ drive (USB)
          0\              ; E:\Confidential
      1\                  ; Network
        0\                ; \\fileserver
          0\              ; \\fileserver\share
  Bags\                   ; View settings per folder
    1\Shell\              ; View mode, sort, columns for BagMRU entry 1
    2\Shell\
    ...
```
What ShellBags Reveal
- Which folders did the user browse? — Every folder visited through Explorer (including File Open/Save dialogs) generates a ShellBag entry with the full path.
- Did the user browse removable media? — USB drive, SD card, and external HDD paths are recorded with drive letters. Even after the device is removed, the ShellBag persists.
- Did the user access network shares? — UNC paths (\\server\share\subfolder) are recorded in ShellBags, proving network resource access.
- When was the folder first and last accessed? — ShellBag entries contain embedded timestamps: the registry key last-write time indicates the last time the folder was browsed, and the shell item binary data contains creation and modification timestamps from the folder's original directory entry.
- Did the user browse inside ZIP archives? — Windows Explorer treats ZIP files as browsable folders. ShellBags record navigation into ZIP archives, proving the user viewed their contents.
- What was the folder structure of deleted directories? — Since ShellBags persist after folder deletion, they reconstruct the directory hierarchy of folders that no longer exist on disk.
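The two timestamp types listed above are stored in different formats. The following is an added example, not code from the original page or from any tool it names: it decodes the DOS/FAT date and time words embedded in a shell item (assumed here to be stored date word first, as the libfwsi shell item documentation describes) and the 64-bit FILETIME used for the registry key last-write time. The sample bytes are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone


def decode_fat_datetime(raw):
    """Decode 4 shell-item bytes [date word][time word], little-endian each.

    Returns None when both words are zero, which shell items use for
    folders that have no directory entry (e.g. virtual folders).
    """
    date, time = struct.unpack("<HH", raw)
    if date == 0 and time == 0:
        return None
    year = 1980 + (date >> 9)
    month = (date >> 5) & 0x0F
    day = date & 0x1F
    hour = time >> 11
    minute = (time >> 5) & 0x3F
    second = (time & 0x1F) * 2          # FAT keeps seconds/2: 2-second granularity
    # Naive datetime on purpose: FAT values carry no timezone; they are the local
    # time of the machine that wrote the directory entry, so do not compare them
    # with UTC artifacts without converting.
    return datetime(year, month, day, hour, minute, second)


def encode_fat_datetime(dt):
    """Inverse of decode_fat_datetime; an odd second rounds down, so 1 s can be lost."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return struct.pack("<HH", date, time)


def filetime_to_datetime(ft):
    """Registry key LastWrite is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


if __name__ == "__main__":
    # Constructed sample: date word 0x5C6E, time word 0x4BD6 -> 2026-03-14 09:30:44
    print(decode_fat_datetime(b"\x6e\x5c\xd6\x4b"))
    print(decode_fat_datetime(b"\x00\x00\x00\x00"))
    print(filetime_to_datetime(116444736000000000))   # the Unix epoch, 1970-01-01 UTC
```

Because the FAT fields are taken from the folder's directory entry, the shell item's CreatedOn/ModifiedOn describe the folder itself, whereas the key LastWrite describes when the ShellBag key was last changed.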
Forensic Use Cases
1. USB Data Theft Evidence
An employee is suspected of copying confidential files to a USB drive before resignation. The USB drive has been wiped. ShellBags in UsrClass.dat show the user browsed E:\Client_Data\2026_Q1\, E:\Client_Data\Contracts\, and E:\Client_Data\Financial_Models\. The folder names themselves reveal the type of data accessed. Combined with USBSTOR entries from the SYSTEM hive (proving the device was connected) and SRUM network data (showing transfer volumes), the ShellBags provide the directory-level browsing evidence.
2. Network Share Reconnaissance
During a post-breach investigation, ShellBags reveal the attacker (using the compromised user account) browsed \\DC01\SYSVOL\, \\FileServer\HR\, \\FileServer\Finance\Payroll\, and \\BackupServer\Backups\SQL\. This navigation pattern — domain controller shares, HR data, financial data, backup server — is consistent with reconnaissance and data staging. The ShellBag timestamps provide the exact timeline of network share browsing.
3. Deleted Folder Reconstruction
A user created a folder hierarchy (C:\Users\jdoe\Desktop\Project_Exodus\Phase1\, Phase2\, Phase3\) to stage documents, then deleted the entire folder tree. ShellBags preserve the complete hierarchy, proving the folders existed and the user browsed them. The registry key last-write timestamps show when each folder was last accessed.
4. Cloud Storage Folder Access
ShellBags record browsing of cloud sync folders (OneDrive, Dropbox, Google Drive) with their local paths. Entries for C:\Users\jdoe\Dropbox\Personal\ prove the user had a personal Dropbox folder on a corporate machine and actively browsed it. Combined with SRUM network data for the Dropbox sync process, this establishes both the existence and active use of unauthorized cloud storage.
5. Control Panel and System Settings Access
ShellBags in NTUSER.DAT (not UsrClass.dat) record access to Control Panel items and system settings. Entries showing navigation to Control Panel\Administrative Tools\Event Viewer or Control Panel\User Accounts may indicate a user was attempting system administration tasks outside their normal role, or an attacker was exploring the compromised system.
Acquisition Methods
UsrClass.dat is locked by the OS while the owning user is logged in. Use Volume Shadow Copy, KAPE, or forensic imaging. Always collect the transaction logs (.LOG1, .LOG2) alongside the hive for dirty-shutdown recovery. Collect UsrClass.dat for every user profile on the system, not just the suspect account.
```bat
:: Copy via reg save (only works for current user's hive)
reg save HKU\S-1-5-21-...-1001_Classes C:\Evidence\UsrClass.dat /y

:: Using KAPE (collects all user profiles)
kape.exe --tsource C: --tdest C:\Evidence --target RegistryHives

:: Using VSS for locked hive
vssadmin create shadow /for=C:
copy "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\jdoe\AppData\Local\Microsoft\Windows\UsrClass.dat" C:\Evidence\
```
Parsing Tools & Analysis
| Tool | Author | License | Output | Notes |
|---|---|---|---|---|
| ShellBags Explorer | Eric Zimmerman | Free | GUI + CSV | Gold standard; visual tree view of all ShellBag entries with timestamps and paths |
| SBECmd | Eric Zimmerman | Free | CSV | Command-line version of ShellBags Explorer; batch processing for multiple hives |
| Registry Explorer | Eric Zimmerman | Free | GUI | Generic registry viewer; can browse BagMRU/Bags keys directly |
| RegRipper | Harlan Carvey | Open source | Text | shellbags plugin extracts basic ShellBag data; less detailed than SBECmd |
```bat
:: Parse ShellBags with SBECmd
SBECmd.exe -d C:\Evidence\RegistryHives --csv C:\Analysis\ShellBags

:: Parse a single UsrClass.dat
SBECmd.exe --hive C:\Evidence\UsrClass.dat --csv C:\Analysis\ShellBags

:: Output: SBECmd_Output.csv with columns:
:: AbsolutePath, ShellType, Value, LastWriteTime, CreatedOn, AccessedOn, ModifiedOn
```
Retention & Persistence
| Property | Behavior | Notes |
|---|---|---|
| Retention period | Permanent (lifetime of user profile) | ShellBag entries are never automatically purged; they accumulate over the life of the profile |
| Survives folder deletion | Yes | Entries persist after the browsed folder is deleted from disk |
| Survives drive disconnection | Yes | USB drive, network share, and mapped drive entries persist after disconnection |
| Survives OS upgrade | Yes (in-place upgrade) | User profile migration preserves UsrClass.dat and all ShellBag entries |
| Entry count | Hundreds to thousands | Long-used profiles may have thousands of ShellBag entries spanning years of folder browsing |
Anti-Forensics Resilience
| Tool / Technique | Clears ShellBags? | Details |
|---|---|---|
| CCleaner | Partial | Recent versions include a “Windows Explorer ShellBags” option, but many users do not enable it |
| BleachBit | Partial | May clear some Explorer data but does not reliably delete all BagMRU entries |
| Manual registry deletion | Yes (if targeted) | Deleting BagMRU/Bags keys requires knowledge of UsrClass.dat; very rare in practice |
| Profile deletion | Yes | Deleting the entire user profile removes UsrClass.dat; but profile deletion is itself suspicious |
| Shellbag cleaner tools | Yes | Specialized tools exist (e.g., “Shellbag Analyzer & Cleaner”) but are rarely used by adversaries |
Even when ShellBag keys are deleted, the deleted key space in UsrClass.dat may contain recoverable data. Registry Explorer can recover deleted keys from unallocated hive space. Additionally, Volume Shadow Copies may contain previous versions of UsrClass.dat with intact ShellBag entries from before the cleanup. Always check VSS snapshots for historical ShellBag data.
MITRE ATT&CK Detection Mapping
| Technique | Name | ShellBag Evidence |
|---|---|---|
| T1083 | File and Directory Discovery | ShellBag entries for sensitive directories (HR, Finance, IT, Backup) indicate reconnaissance browsing |
| T1005 | Data from Local System | Browsing of data directories prior to exfiltration; folder names reveal targeted data types |
| T1039 | Data from Network Shared Drive | UNC path ShellBag entries prove network share browsing and data access |
| T1025 | Data from Removable Media | Drive letter entries for USB devices prove browsing of removable media contents |
| T1070.004 | Indicator Removal: File Deletion | ShellBag entries for deleted folders prove the folders existed and were browsed before deletion |
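To turn the SBECmd CSV described in the parsing section into the kind of triage the use cases and this mapping table call for, here is an added Python example (not part of the original page and not SBECmd's own code). It tags each entry for UNC shares, non-system drive letters, ZIP navigation, cloud sync folders and sensitive folder names, maps the tags to the techniques above, and orders the rows by key LastWriteTime. The CSV rows are constructed; the drive-letter and folder-name rules are heuristics to be confirmed against USBSTOR and the environment's naming.

```python
import csv
import io
import re
from datetime import datetime

# Constructed SBECmd-style output: column names as on the page, every path,
# user name and timestamp invented for this example.
SAMPLE_CSV = r"""AbsolutePath,ShellType,Value,LastWriteTime,CreatedOn,AccessedOn,ModifiedOn
Desktop\My Computer\C:\Users\jdoe\Documents,Directory,Documents,2026-03-10 14:02:11,2025-11-02 09:00:00,2026-03-10 14:02:10,2026-03-09 18:30:12
Desktop\My Computer\E:\Client_Data\Financial_Models,Directory,Financial_Models,2026-03-12 08:41:03,2026-03-11 17:20:00,2026-03-12 08:41:02,2026-03-11 17:25:44
Desktop\Network\\FileServer\Finance\Payroll,Directory,Payroll,2026-03-11 22:15:40,2024-01-15 08:00:00,2026-03-11 22:15:40,2026-03-01 07:55:00
Desktop\My Computer\C:\Users\jdoe\Dropbox\Personal,Directory,Personal,2026-03-12 09:05:27,2026-02-20 12:00:00,2026-03-12 09:05:26,2026-03-12 09:05:26
Desktop\My Computer\C:\Users\jdoe\Downloads\invoices.zip\2025,Directory,2025,2026-03-09 11:47:58,,,
"""

# (tag, path pattern, ATT&CK technique from the mapping table; None = context only)
RULES = [
    ("unc_share",        re.compile(r"\\\\[^\\]+\\"), "T1039"),
    ("non_system_drive", re.compile(r"\\[D-Z]:\\", re.I), "T1025"),   # heuristic: confirm with USBSTOR
    ("zip_archive",      re.compile(r"\.zip\\", re.I), None),
    ("cloud_sync",       re.compile(r"\\(Dropbox|OneDrive|Google Drive)\\", re.I), None),
    ("sensitive_name",   re.compile(r"\\(HR|Finance|Payroll|Backups?|SYSVOL|Confidential|Client_Data)(\\|$)", re.I), "T1083"),
]


def triage(csv_text):
    """Tag every ShellBag row and return the rows ordered by key LastWriteTime."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        path = r["AbsolutePath"]
        tags = [tag for tag, rx, _ in RULES if rx.search(path)]
        attack = sorted({t for tag, _, t in RULES if t and tag in tags})
        rows.append({
            "path": path,
            "last_write": datetime.strptime(r["LastWriteTime"], "%Y-%m-%d %H:%M:%S"),
            "tags": tags,
            "attack": attack,
        })
    return sorted(rows, key=lambda row: row["last_write"])


def flagged(csv_text):
    """Only the rows that matched at least one rule: the entries worth a closer look."""
    return [row for row in triage(csv_text) if row["tags"]]


if __name__ == "__main__":
    for row in flagged(SAMPLE_CSV):
        print(row["last_write"], ",".join(row["attack"]) or "-", row["tags"], row["path"])
```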
Related Artifacts & Cross-References
| Artifact | Relationship | Cross-Correlation Value |
|---|---|---|
| NTUSER.DAT ShellBags | Contains Desktop and Control Panel ShellBags (separate from UsrClass.dat) | Combine both sources for complete folder browsing history |
| SYSTEM Hive (USBSTOR) | Documents USB device connections at the system level | USBSTOR proves the device was connected; ShellBags prove the user browsed its contents |
| LNK Files | Shortcut files created when files are opened | LNK files prove file access; ShellBags prove folder browsing |
| Jump Lists | Recent file access per application | Jump Lists show which files were opened; ShellBags show which folders were browsed |
| $MFT / $UsnJrnl | File system metadata and change journal | $MFT confirms folder existence; $UsnJrnl shows folder creation/deletion timing |
References
- Eric Zimmerman, “ShellBags Explorer / SBECmd” — https://ericzimmerman.github.io/
- SANS Institute, “Windows ShellBag Forensics” — https://www.sans.org/blog/
- Joachim Metz, “Windows Shell Item Format Specification” — https://github.com/libyal/libfwsi
- 13Cubed, “ShellBags for DFIR” — https://www.13cubed.com
- Harlan Carvey, “RegRipper” — https://github.com/keydet89/RegRipper3.0
Mjolnir Security — Digital Forensics & Incident Response