top of page

Forensic Investigation: Shellbags

Windows Shell Bags were introduced in Microsoft's Windows 7 operating system and are still present on all subsequent Windows platforms. Shellbags are registry keys used to improve user experience and retrieve user preferences whenever needed. The creation of shellbags depends on the exercises performed by the user.

Using shellbags you can prove whether a specific folder has been accessed by a given user or not. You can even check if the specific folder was created or if it was available or not. You can also find out whether external directories have been accessed on external devices or not.

Most of the time, Shell Bags are intended to store data about user activities while exploring Windows. This implies that if the user changes the sizes of the large icons for the grid, the settings will be updated in the Shell Bag instantly. The moment you open, close or change the review option of any folder on your system, whether in Windows Explorer or the desktop, even right-clicking or renaming the organizer, a Shellbag record is created or updated.

Shellbags are a set of subkeys in the UsrClass.dat registry hive of Windows 10 systems. The shell bags are stored in both NTUSER.DAT and USRCLASS.DAT.

  • NTUSER.DAT: HKCU\Software\Microsoft\Windows\Shell

  • USRCLASS.DAT: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell

The Shellbag data contains two main registry keys, BagMRU and Bags

  • BagMRU: This stores folder names and folder paths similar to the tree structure. The root directory is represented by the first bagMRU key i.e. 0. BagMRU contains numbered values that compare to say sub key’s nested subkeys. All of these subkeys contain numbered values aside from the last child in each branch.

  • Bag: These stores view preferences such as the size of the window, location, and view mode.

To get a clear idea about how shell bags work and store data and how you can analyze it I have created a new folder named “DRM

C:\Users\diniz> mkdir DRM

Analysis using SBECmd.exe:

Run the executable file and browse to the directory where the executable is present. To extract the shellbags data into a .csv file using the following command:

C:\>SBECmd.exe -l --csv ./

As a result of the above command, a .csv file will be created in the directory (C:\)

Regedit path: BagMRU\1\6\0\0:

And yes, the shellbags store the entry even though the folder was deleted later!

187 views0 comments

Recent Posts

See All

Cyrillic Alphabet

Exploring the Cyrillic Alphabet: A Beginner's Guide Have you ever come across the Cyrillic alphabet and wondered what it's all about? Maybe you've seen it on Russian websites, or perhaps you've notice

MacOS | Recording a Packet Trace

A packet trace is a record of traffic traveling across the network. It’s useful for investigating complex network problems related to both correctness and performance. Once you start a packet trace on

DNS Guard

Absolutely everything is connected to the internet these days, from TV to smart light bulbs, from mobile devices to smart cars. Given those ads and ad trackers are everywhere on the Internet, a browse


bottom of page