Locations starting from Windows 7:

Windows Explorer activity:

File:
<SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat

Registry keys:
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags

Desktop and Network locations activity:

File:
<SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat

Registry keys:
HKCU\Software\Microsoft\Windows\Shell\BagMRU
HKCU\Software\Microsoft\Windows\Shell\Bags.

Overview

The Shellbags are Windows Registry keys designed as a user experience enhancing feature to keep track of Windows explorer graphical display settings on a folder-by-folder basis. For instance, a Shellbag entry is used to store the View mode of a folder (details, list, small/medium/large icons) as well as the column displayed (entry names, dates, sizes, etc.) and their order.

Shellbags contain folders and network shares to which a given user has navigated (using the Windows Explorer), but not the content of a directory. Files will thus not be referenced and subdirectories will only be referenced if they were navigated into. An exception is for ZIP files, and other archive formats (such as tar, 7z, tgz, …) in Windows 11 (2023-09 update), that are opened directly as folders through the Windows Explorer. Under such activity, archive files are stored as if they were folders (with their content thus partially referenced depending on the related activity). Shellbags entries are also generated by access to the Control Panel settings, on an interface-by-interface basis. The Shellbags entries related to the Control Panel can notably be useful to detect possible Windows Firewall (Control Panel\All Control Panel Items\Windows Defender Firewall\Customize Settings) or Credential Manager (Control Panel\User Accounts\Credential Manager) operations.

Various kinds of user activity may generate or update Shellbag entries (with different level of data depending on the activity):

  • First access or renaming of folders, removable devices, or network shares through the Windows Explorer systematically generate a Shellbag entry.

  • Graphical opening of compressed archives or ISOs.

  • Access to the Control Panel interface.

  • Modification of the folder view preferences.

  • Etc.

Information of interest

Shellbag entries are stored in registry as a tree-like data structure, with the root target having the topmost BagMRU key. This allows the reconstitution of the browsed directories arborescence. Each sub-target (subdirectory for example) of the parent target is then represented with both:

  • A registry sub-key, named with a numerical value (starting from 0).

  • A registry value (in the parent target’s registry key), named with the same numerical value and associated with binary data that notably contains the target’s name.

Each Shellbag BagMRU registry key also contains:

  • A MRUListEx value, that maintains the entries visited order, i.e. the order in which the sub-targets of a target were accessed (the last sub-target accessed having a MRU position of 0).

    For example, My Computer will be associated with the topmost BagMRU key, C: to BagMRU\0 if it was accessed first (0), C:\Users to BagMRU\0\1 if Users was the second folder accessed under C:\ (1), C:\Users\USERNAME to BagMRU\0\1\0 if USERNAME was the first folder accessed under C:\Users, and so on and so forth. A hierarchical view of the Shellbag entries can thus be established.

  • A NodeSlot value, containing a numerical value that references the item Bags sub-key. Each target is indeed associated with a sub-key under the HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags key. This sub-key, named with a numerical value value corresponding to the NodeSlot of its associated target, contains the Explorer view settings for the target.

As the Shellbags entries are stored in user’s specific registry hives, targets (folders, Control Panel interfaces, etc.) access can be tied to a given user through its Shellbags. Shellbags entries are populated only upon interaction (i.e. are not pre-populated), the mere presence of a Shellbag entry for a target is thus evidence that the user interacted with the given target. Shellbags entries are not automatically deleted upon deletion of the related folders and can thus be a source of historical information.

Each Shellbags entry for a given target yields the following information of forensic interest:

  • The target name and absolute path.

  • The target Modified, Access, and Created (MAC) timestamps (UTC), retrieved from the $MFT at the Shellbag entry creation (and not further updated).

  • Each entry in ShellBags BagMRU maintain a MRUListEx list, which records the order in which the sub-targets of a target were accessed (the last sub-target accessed having a MRU position of 0).

The first and last interacted timestamps can be indirectly deducted for some targets:

  • The First Interacted timestamp can be deduced for some targets thanks to the tree like data structure of ShellBags entry. Indeed, for entries that do not have sub-keys (i.e. directory for which no subdirectory were accessed) the First Interacted timestamp is equal to the key’s LastWriteTime timestamp. This is due to the fact that the key is created when a target is first accessed, and further activity for that target will not update the target BagMRU key’s values or its sub-keys. Indeed activities, such as Explorer display settings modifications, will update the target Bags key only (and not its BagMRU key directly). In such circumstances, the LastWriteTime timestamp reflect the timestamp of the key initial creation.

    When a sub-key is created for the target (i.e. when a subdirectory is accessed for that particular directory), the timestamp becomes unreliable as it reflect the creation of the sub-key.

  • The Last Interacted timestamp can be deducted for the sub-target that was last interacted with. Indeed, as each Shellbag entry corresponds to a registry key, the key’s LastWriteTime timestamp indicates when the Shellbag entry was last updated. As the key is only updated when (a newly interacted with) sub-target is added (both as a sub-key and a numerical value), the LastWriteTime timestamp of a key (with sub-keys) correspond to the timestamp of creation of the last added sub-key. This last added sub-key being known, by its MRU position of 0, the interaction timestamp of the last interacted with child-bag/sub-target can thus be deduced (the parent key LastWriteTime timestamp).

Note however that major updates of the Windows operating system may result in modification of ShellBags entries, resulting in updated last write timestamp.

Tool(s)

ShellBagsExplorer and SBECmd tools (KAPE associated module SBECmd) can be used to parse ShellBags entries.

ShellBagsExplorer displays the ShellBags entries in a graphical user interface that allow browsing of the referenced targets, in a similar manner to Windows Explorer.

# Recursively enumerates the users' registry hives in the specified directory and parses their ShellBags entries.
SBECmd.exe --csv <CSV_DIRECTORY_OUTPUT> -d <C:\Users\<USERNAME> | C:\Users\ | DIRECTORY>

# Parses the ShellBags entries in the live registry.
SBECmd.exe --csv <CSV_DIRECTORY_OUTPUT> -l

References

Tags: windows_registry windows_files_and_folders_access

View on GitHub