ShellFolders

Overview

Evidence: ShellFolders
Description: Enumerate ShellFolders
Category: Registry
Platform: Windows
Short Name: shelldirs
Is Parsed: Yes - Registry data parsed into structured format
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Windows Shell Folders are special directories that have specific purposes in the operating system (e.g., Desktop, Documents, Start Menu, AppData). Windows stores the configured paths for these folders in the registry, and users or applications can customize these locations.

Tracking these paths is important for forensic analysis because evidence artifacts may be in non-default locations if users have redirected their shell folders.

Data Collected

Field          Description                   Example
Folder         Shell folder name             Personal
Path           Configured folder path        C:\Users\user\Documents
Username       User account name             user
KeyPath        Registry key path             Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
LastWriteTime  Registry key last write time  2023-10-15T14:30:00
RegPath        Path to registry hive         Registry/ntuser.dat

Collection Method

This collector:

  • Collects user registry hives (ntuser.dat)

  • Searches for shell folder keys:

    • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

    • Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

  • Enumerates all folder name-path pairs

  • Records configured paths for each shell folder

Common shell folders include: Desktop, Personal (Documents), AppData, Start Menu, Favorites, SendTo, Recent, Startup, and many others.

Usage

Shell folder paths are essential for locating user artifacts in the correct locations. Investigators use this data to identify custom (non-default) artifact locations, track folder redirection policies, locate user data on network shares, find redirected AppData or Desktop locations, and understand user profile configuration.
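Triage logic of the kind described above, as an added example that is not part of the collector: it takes records in this collector's output format, expands the environment variables that User Shell Folders values carry, compares each path against a small table of default per-user locations, and flags local and UNC redirections. The default-location table, the profile root under C:\Users, and the sample records are assumptions constructed for the example.

```python
import re

# Default per-user locations for a subset of shell folders on Windows Vista and later.
# Assumption of this example; extend the table for other folder names as needed.
DEFAULTS = {
    "Desktop":  r"%USERPROFILE%\Desktop",
    "Personal": r"%USERPROFILE%\Documents",
    "AppData":  r"%USERPROFILE%\AppData\Roaming",
    "Recent":   r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent",
    "Startup":  r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
}

def expand(path, profile_root):
    """Resolve %VAR% references against a profile root derived from the hive owner."""
    env = {
        "USERPROFILE": profile_root,
        "APPDATA": profile_root + r"\AppData\Roaming",
        "LOCALAPPDATA": profile_root + r"\AppData\Local",
    }
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)

def classify(folder, path, profile_root):
    """Return 'default', 'redirected-unc', 'redirected-local' or 'unknown'."""
    if folder not in DEFAULTS:
        return "unknown"
    got = expand(path, profile_root).rstrip("\\").lower()
    want = expand(DEFAULTS[folder], profile_root).lower()
    if got == want:
        return "default"
    return "redirected-unc" if got.startswith("\\\\") else "redirected-local"

def triage(records):
    """One finding (user, folder, status, expanded path) per non-default folder."""
    findings = []
    for r in records:
        profile_root = "C:\\Users\\" + r["Username"]   # assumption: local profile under C:\Users
        status = classify(r["Folder"], r["Path"], profile_root)
        if status != "default":
            findings.append((r["Username"], r["Folder"], status, expand(r["Path"], profile_root)))
    return findings

# Constructed sample records in the collector's output format (not real data).
SAMPLE = [
    {"Username": "alice", "Folder": "Personal", "Path": r"C:\Users\alice\Documents"},
    {"Username": "alice", "Folder": "Personal", "Path": r"\\fileserver\home$\alice\Documents"},
    {"Username": "bob",   "Folder": "Startup",  "Path": r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"},
    {"Username": "bob",   "Folder": "Recent",   "Path": r"%APPDATA%\Microsoft\Windows\Recent"},
    {"Username": "bob",   "Folder": "Desktop",  "Path": r"D:\Profiles\bob\Desktop"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A UNC finding points the investigator at a network share that must be collected separately, since the hive alone does not contain the redirected data.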

Known Limitations

  • Configuration is per user, so each user's hive must be examined

  • Some paths are stored with unexpanded environment variables

  • Network paths may not be accessible from the collection host

  • Folder redirection may be controlled by Group Policy rather than by the user

Notes

Corporate environments often redirect folders like Documents and Desktop to network shares. Shell Folders helps identify these redirections so investigators can locate user data correctly.
