Shellbags

ShellBags record which folders and network shares were accessed; they do not record access to files or sub-directories. The exception is ZIP archives opened directly through Windows Explorer, which are stored as folders (including the files they contain).

Entries are also generated when Control Panel applets are opened, which makes ShellBags useful for detecting possible Windows Firewall (Control Panel\All Control Panel Items\Windows Defender Firewall\Customize Settings) or Credential Manager (Control Panel\User Accounts\Credential Manager) operations.

ShellBags can be used to confirm that a folder was accessed by a specific user. Entries persist after the folder itself has been deleted, so they also provide historical information. The following items of forensic interest can be found:

  • Target name and absolute path.

  • The target's Modified, Accessed and Created (MAC) timestamps (UTC).

  • Each BagMRU entry maintains an MRUListEx list, which records the order in which the sub-targets of a target were accessed (the last sub-target accessed having MRU position 0).

Files:

%SystemDrive%\Users\<USERNAME>\NTUSER.dat
%SystemDrive%\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat

Registry keys:

# NTUSER.DAT
HKCU\Software\Microsoft\Windows\Shell
HKCU\Software\Microsoft\Windows\ShellNoRoam

# USRCLASS.DAT
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell

Each ShellBag BagMRU registry key also contains an MRUListEx value that records the order in which the sub-targets of that key's target were accessed (the last sub-target accessed having MRU position 0).

For example, My Computer is associated with the topmost BagMRU key, C: with BagMRU\0 if it was accessed first, C:\Users with BagMRU\0\2 if it was accessed third, and so on. A hierarchical view of the ShellBag entries can thus be established.
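As an added example (not part of the original page or of any tool it mentions), the following Python decodes an MRUListEx value and walks a constructed in-memory BagMRU subtree to rebuild the target hierarchy and access order described above. The target names are supplied directly as constructed data rather than decoded from the binary shell items a real hive stores, and the names walk_bagmru and CONSTRUCTED_BAGMRU are assumptions of the example.

```python
import struct

# Constructed stand-in for a BagMRU subtree: key path -> raw MRUListEx value and
# a {subkey index: target name} map. In a real hive the names sit inside binary
# shell items; decoding those is out of scope, so names are given directly
# (constructed data, not taken from any real hive).
CONSTRUCTED_BAGMRU = {
    "BagMRU": {                             # "My Computer" level
        "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
        "subkeys": {"0": "C:", "1": "D:"},  # C: created first, D: used last
    },
    "BagMRU\\0": {                          # C:
        "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
        "subkeys": {"0": "Windows", "1": "Program Files", "2": "Users"},
    },
    "BagMRU\\0\\2": {                       # C:\Users, accessed third under C:
        "MRUListEx": struct.pack("<2I", 0, 0xFFFFFFFF),
        "subkeys": {"0": "alice"},
    },
}

def parse_mrulistex(raw):
    """Decode MRUListEx: little-endian DWORD subkey indices, most recently
    accessed first, terminated by 0xFFFFFFFF. Position 0 is the last accessed."""
    if len(raw) % 4:
        raise ValueError("MRUListEx length is not a multiple of 4 bytes")
    order = []
    for (idx,) in struct.iter_unpack("<I", raw):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def walk_bagmru(hive, key="BagMRU", parent=""):
    """Return (registry key, reconstructed path, MRU position) for every target,
    depth-first, with children listed in their MRUListEx order."""
    node = hive.get(key)
    if node is None:        # leaf target: no sub-targets were ever opened
        return []
    rows = []
    for position, idx in enumerate(parse_mrulistex(node["MRUListEx"])):
        name = node["subkeys"].get(str(idx))
        if name is None:    # MRUListEx points at a subkey that is gone: skip it
            continue
        subkey = f"{key}\\{idx}"
        path = f"{parent}\\{name}" if parent else name
        rows.append((subkey, path, position))
        rows.extend(walk_bagmru(hive, subkey, path))
    return rows
```

Running walk_bagmru(CONSTRUCTED_BAGMRU) yields D: first (MRU position 0), then C: and its children, with C:\Users at key BagMRU\0\2 as in the text.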

Parse:

Eric Zimmerman's ShellBagsExplorer.exe and SBECmd.exe tools can be used to parse ShellBags entries.

# Recursively enumerates the users' registry hives in the specified directory and parses their ShellBags entries.
SBECmd.exe --csv <CSV_DIRECTORY_OUTPUT> -d <C:\Users\<USERNAME> | C:\Users\ | DIRECTORY>

# Parses the ShellBags entries in the live registry.
SBECmd.exe --csv <CSV_DIRECTORY_OUTPUT> -l
