What Are Shellbags

ShellBags are records stored in the Windows registry that track every folder a user has opened through Windows Explorer. Windows originally created them for a simple quality-of-life reason: remembering your preferred view settings (icon size, sort order, window position) so each folder looks the way you left it. But because these records persist even after folders are deleted, they’ve become one of the most valuable artifacts in digital forensics.

What ShellBags Actually Store

Every time you open a folder in Windows Explorer, the operating system saves a small bundle of data about that interaction in the registry. This includes the full path to the folder, the timestamps associated with it, and your display preferences like whether you were viewing files as a list, as tiles, or sorted by date. Windows does this per user, so each account on a machine has its own set of ShellBag entries.

The records are split across two types of registry keys. “Bags” keys store the view settings themselves. “BagMRU” keys store the folder paths and hierarchy, essentially a tree of every directory the user navigated into. The BagMRU keys hold the most forensic value because they contain the full folder path and timestamp information for each entry.

Where They Live in the Registry

ShellBag data is stored in two user-specific registry hive files: NTUSER.DAT and USRCLASS.DAT. Both need to be examined to get the complete picture. NTUSER.DAT sits in the user’s profile folder, while USRCLASS.DAT is buried deeper, in the AppData\Local\Microsoft\Windows directory under the same profile.

The specific registry paths are:

  • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
  • NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
  • NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

Older versions of Windows (before Windows 7) separated these records into different categories: Shell for network folders, ShellNoRoam for local folders, and StreamMRU for removable devices. Starting with Windows 7, Microsoft consolidated all three into the single Shell subkey and introduced the USRCLASS.DAT hive as a new storage location. Windows 10 and 11 continue to use this same structure, and the registry paths remain consistent.

Why Forensic Investigators Care

The property that makes ShellBags so useful to investigators is persistence. ShellBag entries survive long after the folders they reference are gone. If someone creates a folder, opens it, and then deletes it, the ShellBag record for that folder remains in the registry. This makes ShellBags one of the few artifacts that can answer a deceptively difficult question: what folders has a user interacted with on this system?

That capability matters in several investigative scenarios. If a suspect connected a USB drive containing specific folders, ShellBags can reveal the folder structure of that drive even after it’s been disconnected and wiped. If someone browsed through directories on a network share, those paths get recorded. If files were organized into folders that were later deleted to cover tracks, the folder names and hierarchy still appear in the registry. Investigators can reconstruct a partial map of what a user was looking at and when, even when the underlying data is long gone.

ShellBags also record information about folders on remote systems and removable media, not just the local hard drive. This means a single user’s ShellBag data can reveal interactions with external drives, mapped network shares, and other storage locations the investigator might not have direct access to.

How ShellBag Data Gets Analyzed

Raw ShellBag data in the registry is stored in binary format and isn’t practical to read manually. Forensic analysts use specialized tools to parse the entries into readable folder paths and timestamps. The most widely used is ShellBags Explorer, a free graphical tool created by forensic developer Eric Zimmerman and distributed through SANS. It can read locked registry hive files directly, which is useful when analyzing a live system or a forensic disk image.

The typical workflow involves extracting the NTUSER.DAT and USRCLASS.DAT files from each user profile on the target system, loading them into a parser, and reviewing the resulting folder tree. Analysts look for folder paths that suggest access to sensitive data, connections to external devices, or evidence of folders that were created and later removed. The timestamps embedded in the entries help establish a timeline of activity.
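To make the BagMRU tree and the binary entries it holds concrete, here is an added example (not code from this page and not ShellBags Explorer's code) that walks a small BagMRU tree and decodes its shell items into full folder paths with timestamps. It supports the two item types needed for a removable-drive path: a volume item (class 0x2F) and a file entry item (class 0x31/0x32) with its 0xBEEF0004 extension block; field offsets are taken from the libfwsi shell item documentation and are an assumption here, and the sample tree at the bottom is constructed, not extracted from a real hive. Real hives also contain other item types (root and GUID-based items, for instance), which this parser rejects with an error rather than guessing.

```python
import struct
from datetime import datetime

def dos_datetime(date_word, time_word):
    """Decode a FAT/DOS packed date+time pair (2-second resolution, local time)."""
    if date_word == 0:
        return None
    return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0xF, date_word & 0x1F,
                    time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)

def parse_shell_item(data):
    """Decode one BagMRU value (a shell item) into a dict of name and timestamps."""
    size, cls = struct.unpack_from("<HB", data, 0)
    if cls == 0x2F:                                   # volume item, e.g. "E:\"
        return {"name": data[3:size].split(b"\x00", 1)[0].decode("ascii"), "is_dir": True}
    if cls & 0x70 != 0x30:
        raise ValueError(f"unsupported shell item class 0x{cls:02x}")
    _, mdate, mtime, attrs = struct.unpack_from("<IHHH", data, 4)
    end = data.index(b"\x00", 14)                     # 8.3 short name, ASCII
    off = end + 1 + ((end + 1) % 2)                   # extension block is 16-bit aligned
    _, version, sig = struct.unpack_from("<HHI", data, off)
    if sig != 0xBEEF0004:
        raise ValueError("file entry without a 0xBEEF0004 extension block")
    cdate, ctime, adate, atime = struct.unpack_from("<HHHH", data, off + 8)
    # Version 7+ blocks insert an NTFS file reference (and, from v8/v9, two
    # more dwords) before the long name; versions 3-6 put it at offset 20.
    name_off = off + 20 if version < 7 else off + 38 + 4 * (version >= 8) + 4 * (version >= 9)
    i = name_off
    while data[i:i + 2] != b"\x00\x00":               # scan whole UTF-16 code units
        i += 2
    return {"name": data[name_off:i].decode("utf-16-le"),
            "short_name": data[14:end].decode("ascii"),
            "is_dir": bool(cls & 0x01) or bool(attrs & 0x10),
            "modified": dos_datetime(mdate, mtime),
            "created": dos_datetime(cdate, ctime),
            "accessed": dos_datetime(adate, atime)}

def mru_order(mrulistex):
    """MRUListEx holds uint32 slot numbers, most recent first, ending in 0xFFFFFFFF."""
    order = []
    for (slot,) in struct.iter_unpack("<I", mrulistex):
        if slot == 0xFFFFFFFF:
            break
        order.append(slot)
    return order

def walk_bagmru(key, parent=""):
    """Depth-first walk yielding (full_path, item). A key is modelled as
    {"values": {name: bytes}, "subkeys": {name: key}}, mirroring the registry."""
    for slot in mru_order(key["values"]["MRUListEx"]):
        item = parse_shell_item(key["values"][str(slot)])
        path = item["name"] if not parent else parent.rstrip("\\") + "\\" + item["name"]
        yield path, item
        if str(slot) in key["subkeys"]:
            yield from walk_bagmru(key["subkeys"][str(slot)], path)

def reconstruct(key):
    """Flatten a BagMRU tree to (path, modified, created, accessed) tuples."""
    return [(p, i.get("modified"), i.get("created"), i.get("accessed")) for p, i in walk_bagmru(key)]

# --- constructed sample tree: the encoders below exist only to build test data ---
def _fat(dt):
    return ((dt.year - 1980) << 9 | dt.month << 5 | dt.day,
            dt.hour << 11 | dt.minute << 5 | dt.second // 2)

def build_volume_item(letter):
    name = f"{letter}:\\".encode("ascii") + b"\x00"
    return struct.pack("<HB", 3 + len(name), 0x2F) + name

def build_folder_item(long_name, short_name, modified, created, accessed):
    """Version-3 directory item (class 0x31) with a 0xBEEF0004 block."""
    body = struct.pack("<IHHH", 0, *_fat(modified), 0x10) + short_name.encode("ascii") + b"\x00"
    body += b"\x00" * (len(body) % 2)
    wide = long_name.encode("utf-16-le") + b"\x00\x00"
    ext = struct.pack("<HHIHHHHHH", 22 + len(wide), 3, 0xBEEF0004, *_fat(created),
                      *_fat(accessed), 0, 0) + wide + struct.pack("<H", 4 + len(body))
    return struct.pack("<HBB", 4 + len(body) + len(ext), 0x31, 0) + body + ext

D = datetime
SAMPLE_BAGMRU = {                # constructed: removable drive E: with a nested folder
    "values": {"MRUListEx": struct.pack("<II", 0, 0xFFFFFFFF), "0": build_volume_item("E")},
    "subkeys": {"0": {
        "values": {"MRUListEx": struct.pack("<III", 1, 0, 0xFFFFFFFF),   # slot 1 is most recent
                   "0": build_folder_item("Photos", "PHOTOS", D(2024, 2, 10, 14, 0, 0),
                                          D(2024, 2, 10, 13, 58, 0), D(2024, 2, 10, 14, 0, 0)),
                   "1": build_folder_item("Client Data", "CLIENT~1", D(2024, 3, 5, 9, 30, 0),
                                          D(2024, 3, 1, 8, 0, 0), D(2024, 3, 5, 9, 30, 0))},
        "subkeys": {"1": {
            "values": {"MRUListEx": struct.pack("<II", 0, 0xFFFFFFFF),
                       "0": build_folder_item("2024-Q1", "2024-Q1", D(2024, 3, 5, 9, 32, 0),
                                              D(2024, 3, 5, 9, 32, 0), D(2024, 3, 5, 9, 32, 0))},
            "subkeys": {}}}}},
}

if __name__ == "__main__":
    for path, m, c, a in reconstruct(SAMPLE_BAGMRU):
        print(f"{path:<24} modified={m} created={c} accessed={a}")
```

Two things the walk makes visible that a flat listing hides: the path of each entry is only recoverable by concatenating names up the key hierarchy (which is why the BagMRU subkeys, not the Bags view settings, carry the forensic value), and MRUListEx gives the order in which sibling folders were last opened. The timestamps are the FAT-style values embedded in the shell item, so they have 2-second resolution and reflect the folder's own times, not the moment the key was written; the registry key's last-write time is a separate, complementary source. On a real hive, the bytes for each numbered value would come from a hive parser rather than the constructed builders.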

ShellBags and Privacy

For non-forensic users, ShellBags are worth understanding simply because they’re a detailed, persistent log of your folder browsing activity that most people never know exists. Windows provides no built-in interface for viewing or clearing this data. The entries accumulate over time and survive standard file deletion.

You can manually delete ShellBag keys through the Windows Registry Editor by navigating to the Bags and BagMRU folders under the Shell key and removing them. Some users do this to reset broken desktop icon layouts or fix folder view settings that aren’t sticking. After deletion, Windows rebuilds the entries from scratch as you open folders, so your view preferences will temporarily revert to defaults. Third-party privacy tools can also clear ShellBag data as part of broader system cleanup routines.

The tradeoff is straightforward: clearing ShellBags removes the historical record of which folders you’ve accessed, at the cost of resetting all your customized folder views. For most people, the convenience of persistent folder settings outweighs the privacy consideration. But if you’re working with sensitive directory structures on a shared machine, it’s useful to know this record exists.