Windows Registry · High

Shell Bags

Windows Explorer view preferences (window size, view mode, sort order) recorded per folder in UsrClass.dat. Shell Bags prove that a user navigated to a folder in Explorer, even after the folder or the attached volume is long gone.

artifact_type: shellbags

Where to find it

Default filesystem paths and registry locations. Collect these with your preferred live-response or disk-image tooling.

  • %USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass.dat
  • HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
  • HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

Forensic significance

Common scenarios in which this artifact becomes decisive evidence.

  • Proving user knowledge of deleted folders
  • Tracking USB drive contents after the drive is disconnected
  • Reconstructing user folder browsing history without browser logs
  • Insider threat — showing access to sensitive file shares

MITRE ATT&CK mapping

Techniques this artifact can help detect or substantiate.

Tools that parse it

unJaena AI and other DFIR tools commonly used to extract evidence from this artifact.

  • unJaena AI
  • ShellBagsExplorer (Eric Zimmerman)
  • RegRipper
  • Autopsy

Stop parsing artifacts by hand

unJaena AI ingests disk images, live-response output, and mobile backups, then automatically correlates every artifact on this page — and 200+ more — into an investigator-ready timeline.