ShellBags

Overview

Evidence: ShellBags
Description: Enumerate ShellBags
Category: Registry
Platform: Windows
Short Name: sbgs
Is Parsed: Yes - Binary shell items parsed into structured format
Sent to Investigation Hub: Yes
Collect File(s): No

Background

ShellBags are Windows Registry artifacts that track folder access and view preferences in Windows Explorer. When a user opens a folder in Explorer, Windows creates a ShellBag entry to remember the folder's view settings (icon size, column sort order, etc.).

ShellBags persist even after folders are deleted, providing evidence of folder access including folders on external drives, network shares, and deleted directories.

Data Collected

Field                 Description                        Example
Username              User account name                  user
DomainName            Domain name                        WORKSTATION01
KeyPath               Registry key path                  Software\Microsoft\Windows\Shell\BagMRU\0\1
Value                 Registry value name                2
Type                  Shell item type                    49
View                  View type                          0
CachedFileModified    Cached modification time           2023-10-15T14:30:00
CachedFileAccessed    Cached access time                 2023-10-15T15:45:00
CachedFileCreated     Cached creation time               2023-10-01T10:00:00
Path                  Full folder path                   C:\Users\user\Documents\Project
SlotModifiedTime      Slot modification time             2023-10-15T16:00:00
MFTEntry              MFT entry number                   12345
MFTSequence           MFT sequence number                1
FileExists            Whether folder currently exists    TRUE
FileModified          Current modification time          2023-10-15T14:30:00
FileAccessed          Current access time                2023-10-15T15:45:00
FileCreated           Current creation time              2023-10-01T10:00:00
RegPath               Path to source registry hive       Registry/ntuser.dat

Collection Method

This collector:

  • Collects user registry hives (ntuser.dat, UsrClass.dat)

  • Searches for ShellBag registry keys in various locations:

    • Software\Microsoft\Windows\Shell\BagMRU

    • Software\Microsoft\Windows\ShellNoRoam\BagMRU

    • Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

    • Local Settings\Software\Microsoft\Windows\Shell\BagMRU

  • Parses binary shell item data using libfwsi

  • Recursively processes nested ShellBag entries

  • Compares cached timestamps with current file system state
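The steps above, worked through as an added Python example that is not the collector's own code and does not use libfwsi: it assumes each BagMRU value has already been parsed into the fields a libfwsi-style parser returns (class type, name, FAT timestamps, NTFS file reference), and builds the rest of the output from there: the recursive walk in which value N of a key names a folder and subkey N holds that folder's children, full-path reconstruction, decoding of the FAT/DOS cached timestamps, splitting the NTFS file reference into the MFT entry and sequence numbers used for the correlation mentioned under Notes, and the comparison against the current file system that yields FileExists and the current timestamps. The names ShellItem, BagMRUKey, walk_bagmru, enrich_with_filesystem and collect_shellbags are the example's own, and the BagMRU tree and file-system snapshot are constructed sample data (an external drive whose "2023" folder was deleted after Explorer recorded it), so the example runs offline.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

BAGMRU_ROOT = "Software\\Microsoft\\Windows\\Shell\\BagMRU"

@dataclass
class ShellItem:
    """Fields of one parsed shell item (what a libfwsi-style parser returns)."""
    item_type: int             # class type byte: 0x2F volume, 0x31 directory
    name: str
    modified: tuple = (0, 0)   # FAT date/time words from the item header
    created: tuple = (0, 0)    # FAT date/time words from the 0xBEEF0004 block
    accessed: tuple = (0, 0)
    file_reference: int = 0    # 64-bit NTFS file reference from that block

@dataclass
class BagMRUKey:
    """One BagMRU registry key: its values and its numbered subkeys."""
    values: dict                                  # "0", "1", ... -> ShellItem
    subkeys: dict = field(default_factory=dict)   # "0", "1", ... -> BagMRUKey

def decode_dos_datetime(date_word: int, time_word: int) -> Optional[datetime]:
    """Decode a FAT/DOS timestamp: 2-second resolution, no time zone."""
    if date_word == 0 and time_word == 0:
        return None
    return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0x0F,
                    date_word & 0x1F, time_word >> 11,
                    (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)

def split_file_reference(ref: int) -> tuple:
    """NTFS file reference = 48-bit MFT entry number + 16-bit sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48

def walk_bagmru(key: BagMRUKey, key_path: str = BAGMRU_ROOT, parent: str = ""):
    """Yield one record per BagMRU value. Value N names a folder; subkey N
    holds that folder's children, which is how the full path is rebuilt."""
    for value_name, item in key.values.items():
        if item.item_type == 0x2F:          # volume item starts a new root
            path = item.name
        else:
            path = parent.rstrip("\\") + "\\" + item.name
        entry, seq = split_file_reference(item.file_reference)
        yield {"KeyPath": key_path, "Value": value_name, "Type": item.item_type,
               "Path": path,
               "CachedFileModified": decode_dos_datetime(*item.modified),
               "CachedFileAccessed": decode_dos_datetime(*item.accessed),
               "CachedFileCreated": decode_dos_datetime(*item.created),
               "MFTEntry": entry, "MFTSequence": seq}
        child = key.subkeys.get(value_name)
        if child is not None:
            yield from walk_bagmru(child, key_path + "\\" + value_name, path)

def enrich_with_filesystem(record: dict, fs_state: dict) -> dict:
    """Fill FileExists/FileModified/FileAccessed/FileCreated from the live file
    system. fs_state stands in for os.stat() results so this runs offline."""
    current = fs_state.get(record["Path"])
    record["FileExists"] = current is not None
    for name in ("Modified", "Accessed", "Created"):
        record["File" + name] = current[name] if current else None
    return record

def collect_shellbags(root: BagMRUKey, fs_state: dict) -> list:
    """Walk one hive's BagMRU tree and compare every folder with the file system."""
    return [enrich_with_filesystem(r, fs_state) for r in walk_bagmru(root)]

# Constructed sample: an external drive E:\ with Invoices\2023, where the
# "2023" folder was deleted after Explorer recorded it. FAT words encode
# 2023-10-15 14:30:00 (22351, 29632), 2023-10-01 10:00:00 (22337, 20480)
# and 2023-10-15 15:45:00 (22351, 32160).
SAMPLE_TREE = BagMRUKey(
    values={"0": ShellItem(0x2F, "E:\\")},
    subkeys={"0": BagMRUKey(
        values={"0": ShellItem(0x31, "Invoices", (22351, 29632), (22337, 20480),
                               (22351, 32160), 0x0001_0000_0000_3039)},
        subkeys={"0": BagMRUKey(
            values={"0": ShellItem(0x31, "2023", (22351, 29632), (22351, 29632),
                                   (22351, 32160), 0x0002_0000_0000_303A)})})})

SAMPLE_FS = {   # constructed stat() snapshot; E:\Invoices\2023 is gone
    "E:\\": {"Modified": datetime(2023, 10, 15, 16, 0), "Accessed": None,
             "Created": None},
    "E:\\Invoices": {"Modified": datetime(2023, 10, 15, 14, 30),
                     "Accessed": datetime(2023, 10, 15, 15, 45),
                     "Created": datetime(2023, 10, 1, 10, 0)},
}

if __name__ == "__main__":
    for rec in collect_shellbags(SAMPLE_TREE, SAMPLE_FS):
        print(rec["KeyPath"], rec["Value"], rec["Path"], rec["FileExists"],
              rec["CachedFileModified"], rec["MFTEntry"], rec["MFTSequence"])
```

The deleted "2023" folder still comes back with its cached timestamps and MFT entry but FileExists false and no current timestamps, which is exactly the deleted-folder evidence the Usage section describes; the 2-second FAT resolution and missing time zone in decode_dos_datetime are why the cached times are only an approximation of real access times.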

Usage

ShellBags provide evidence of folder access that persists even after deletion. Investigators use this data to:

  • Prove folder access on external drives

  • Establish user interaction with specific directories

  • Detect access to deleted folders

  • Identify network share usage

  • Track folder access on removable media

  • Reconstruct user navigation patterns

  • Correlate folder access with other user activity

Known Limitations

  • Timestamps are cached and may not reflect actual access times

  • Not all folder access creates ShellBag entries

  • Data is per-user; every user profile's hives must be collected for complete coverage

  • Some shell item types may not parse correctly

  • Registry hive corruption can prevent parsing

Notes

ShellBags are particularly valuable for proving access to folders on external drives and network shares that are no longer connected. The MFT entry numbers can be correlated with MFT analysis for additional context.
