ShellFolders
Overview
Evidence: ShellFolders
Description: Enumerate ShellFolders
Category: System
Platform: windows
Short Name: shelldirs
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows Shell Folders are special directories that have specific purposes in the operating system (e.g., Desktop, Documents, Start Menu, AppData). Windows stores the configured paths for these folders in the registry, and users or applications can customize these locations.
Tracking these paths is important for forensic analysis because evidence artifacts may be in non-default locations if users have redirected their shell folders.
Data Collected
This collector gathers structured data about shell folders.
ShellFolders Data

Field          Description                    Example
Folder         Shell folder name              Personal
Path           Configured folder path         C:\Users\user\Documents
Username       User account name              user
KeyPath        Registry key path              Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
LastWriteTime  Registry key last write time   2023-10-15T14:30:00
RegPath        Path to registry hive          Registry/ntuser.dat
Collection Method
This collector:
Collects user registry hives (ntuser.dat)
Searches for shell folder keys:
  Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Enumerates all folder name-path pairs
Records configured paths for each shell folder
Common shell folders include: Desktop, Personal (Documents), AppData, Start Menu, Favorites, SendTo, Recent, Startup, and many others.
Forensic Value
Shell folder paths are essential for locating user artifacts in the correct locations. Investigators use this data to identify custom (non-default) artifact locations, track folder redirection policies, locate user data on network shares, find redirected AppData or Desktop locations, and understand the user profile configuration.
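As an added example (not the collector's own code), the following Python takes records in the field layout above and flags shell folders that point somewhere other than the Windows default under the user's profile. It assumes the profile root is C:\Users\<Username>, expands the %USERPROFILE%, %APPDATA% and %LOCALAPPDATA% references found in User Shell Folders values, and runs on constructed sample records.

```python
import ntpath
import re

# Well-known defaults relative to the profile root, keyed by the registry value name ("Folder" field).
DEFAULTS = {
    "Desktop": r"Desktop",
    "Personal": r"Documents",
    "AppData": r"AppData\Roaming",
    "Startup": r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
}
_VAR = re.compile(r"%([^%]+)%")

def expand_path(path, profile_root):
    """Expand the %VAR% references used by User Shell Folders (REG_EXPAND_SZ) values."""
    env = {"USERPROFILE": profile_root,
           "APPDATA": ntpath.join(profile_root, r"AppData\Roaming"),
           "LOCALAPPDATA": ntpath.join(profile_root, r"AppData\Local")}
    return _VAR.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), path)

def classify(folder, path, profile_root):
    """Return 'default', 'redirected-unc', 'redirected-local' or 'unknown-folder'."""
    full = expand_path(path, profile_root)
    if full.startswith("\\\\"):  # UNC path: the data lives on a network share
        return "redirected-unc"
    expected = DEFAULTS.get(folder)
    if expected is None:
        return "unknown-folder"
    if ntpath.normpath(full).lower() == ntpath.join(profile_root, expected).lower():
        return "default"
    return "redirected-local"

def find_redirections(records):
    """(Folder, Path, verdict) for each record whose path is not the default."""
    out = []
    for r in records:
        root = ntpath.join(r"C:\Users", r["Username"])  # assumed profile root
        verdict = classify(r["Folder"], r["Path"], root)
        if verdict != "default":
            out.append((r["Folder"], r["Path"], verdict))
    return out

# Constructed sample records in the collector's field layout (other fields omitted).
SAMPLE = [
    {"Folder": "Personal", "Path": r"C:\Users\user\Documents", "Username": "user"},
    {"Folder": "Desktop", "Path": r"\\fileserver\profiles$\user\Desktop", "Username": "user"},
    {"Folder": "Startup", "Path": r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
     "Username": "user"},
    {"Folder": "AppData", "Path": r"D:\Profiles\user\Roaming", "Username": "user"},
]
```

Records for folders the DEFAULTS table does not know are reported as unknown-folder rather than silently passed, so the table can be extended as needed.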