Shellbags log every Explorer folder—paths, timestamps, USB structures. Survives delete/format/cleaners. Blue Teamers hunt them via Sysinternals. Red Teams leave them as breadcrumbs. Empower your stack.
Hunt Shellbags in incident response. Baseline normal folder patterns. Alert on suspicious paths.
Understand your forensic footprint. Shellbags reveal lateral movement paths and staging folders.
Simulate attacks, validate detection. Map Shellbag artifacts to MITRE ATT&CK techniques.
If someone had your Shellbags right now, what story would they tell about your last year?

Your Friendly Neighborhood Snitch
"Delete doesn't mean gone. It means 'ask forensics'."
There's a particular kind of vulnerability in knowing your machine remembers chapters you've already closed in your life. Let me introduce you to a witness that's been embedded in your computer since the first time you powered it on.
This witness doesn't pause. It doesn't request consent. It doesn't distinguish between your tax documents, photos from that trip you'd rather forget, or folders named after people you've outgrown.
Every folder you've ever navigated in Windows Explorer? Logged. Documented. Indexed. Timestamped.
Every USB drive you've connected? Catalogued. Every network share you've touched at work? Recorded.
And here's the part that keeps forensic investigators employed: this witness continues testifying long after you think you've silenced it. Deleted that folder at 2am? The record persists. Formatted the drive? Still there. Unplugged the USB and buried it in a drawer? Your computer memorized every folder that existed on it.
Windows: "We're saving your folder preferences to improve your experience!"
The registry: *quietly compiling a forensic timeline of your entire digital existence since 1995*

This is usually where people start feeling a little exposed—but that's exactly where clarity helps most. I'm not here to make you paranoid. I'm here because you can't protect what you don't understand. Most people navigate their digital lives completely blind. That's not carelessness—it's just that no one ever taught them to see.
If this is the first time you're hearing about any of this, that doesn't make you careless. It makes you normal. You're just earlier to awareness than most.
This article is for the person who wants to actually understand their machine—not just operate it. Whether you're a defender hunting threats across your network, a researcher curious about how systems betray their users, or someone who just realized their computer holds more context about their life than anyone they've ever talked to, you're in the right place. Whatever your threat model—nosy roommate, professional adversary, or a very serious legal context—you deserve to understand the terrain.
This isn't about paranoia. It's about knowing your own machine better than anyone who might ever want to examine it. Not to scare you. Not to shame you. To equip you.
01
What Are Shellbags?
Registry's hidden breadcrumb trail
Microsoft actually had good intentions here. Every time you open a folder in Windows Explorer, your operating system quietly memorizes your preferences—icon size, sort order, window position. The idea was convenience: arrange a folder once, and Windows preserves those choices forever. A small kindness from an operating system trying to reduce friction.
And that "forever" part? That's where convenience quietly transforms into confession.
Windows doesn't just preserve your view preferences. It embeds the complete folder path, timestamps of first and last access, navigation count, and the entire hierarchy of how you arrived there. What began as a UX feature became one of the most powerful forensic artifacts in digital investigations. Shellbags are the stage directions of your digital life—not the content, but how you moved.
These records live in two registry hives that 99% of Windows users have never encountered. The Windows Registry functions as the brain's memory center for your operating system—a massive database storing configuration, preferences, and behavioral history. Buried deep inside, in locations requiring specialized tools to read, are the Shellbag entries. They're stored in binary format, compressed into hex like sediment layers—years of behaviors fossilized into data structures you can't open in Notepad. You need forensic tools to excavate what's inside.
NTUSER.DAT → HKCU\Software\Microsoft\Windows\Shell\BagMRU
The 'Most Recently Used' hierarchy—stores the tree structure of every folder you've navigated through
USRCLASS.DAT → HKCU\Software\Classes\Local Settings\...\Bags
The detailed metadata—timestamps, view settings, window positions, and more


See those two registry locations above? BagMRU and Bags are your folder rap sheet. Every numbered entry inside those keys represents a folder you've opened at some point in your Windows journey. The binary data inside contains the full path, timestamps, and navigation context. For a forensic investigator with the right tools, this is like finding a detailed diary of everywhere you've been on your computer.
The beauty (or terror, depending on your perspective) of Shellbags is that they're hidden from casual observation. You can't see them in any normal Windows interface. They're buried in binary format within protected registry hives. But tools like RegRipper, ShellBags Explorer, and Autopsy can crack them open and present every folder you've ever accessed in a clean, timestamped report. These are standard tools in any incident response or forensic investigation toolkit.
For those who want to understand exactly how this works at the technical level—here's what forensic tools are actually parsing.
User Registry (Contains Navigation Tree):
NTUSER.DAT
└─ HKCU\Software\Microsoft\Windows\Shell\BagMRU
   ├─ 0 (root parent)
   ├─ 1 (first child level)
   └─ MRUListEx (order of access)
System Registry (Contains Metadata/Timestamps):
USRCLASS.DAT
└─ HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
   ├─ 1 (node containing view preferences)
   ├─ 2 (node for second folder)
   └─ MRU (last write time = folder access time)
BagMRU stores the folder hierarchy tree—how you navigated from C:\ → Users → You → Documents → Project. Bags stores metadata: timestamps, view settings, window position, access count. Combined, they form a complete reconstruction of your file system journey.
| Data Element | Location | Forensic Value | Example |
|---|---|---|---|
| Folder Path | BagMRU + Bags (reconstructed) | Proves access to specific directory | C:\Users\Admin\AppData\... |
| First Access | Bags → Nodeslot key last write | Proves when folder first opened | 2024-01-15 02:34:17 UTC |
| Last Access | Bags → Same key, subsequent access | Proves recent activity | 2024-01-22 23:58:41 UTC |
| Access Count | Bags → Secondary key | Frequency of interest | 47 accesses to this folder |
| Navigation Hierarchy | BagMRU tree structure | Proves intent (drilling into folders) | User went C:\ → HR → Salary → Jan2024 |
| Deleted Folders | BagMRU entries w/o live folders | Proves folders existed, were deleted | Folder "StageFiles" no longer exists |
| USB/Network Structure | Bags → Device IDs + paths | Proves external device access | E:\Project\Sensitive\ (Removable) |
Source: GIAC Paper "Windows ShellBag Forensics in Depth" + Magnet Forensics research
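To make the join between the two keys concrete, here is an added example that is not from the original article or from any of the tools it names. It models BagMRU and Bags as constructed Python dictionaries: the folder names are pre-decoded rather than parsed from binary shell items (the hard part that real parsers handle), but the MRUListEx encoding, the NodeSlot link and the FILETIME conversion follow the real registry formats. It walks the tree in MRUListEx order, rebuilds each full path, attaches the Bags key's last-write time, and lists the folders that no longer exist on disk, including an unplugged E: drive like the one in the tool output shown later. All paths, timestamps and slot numbers are constructed sample data.

```python
import struct
from datetime import datetime, timezone

# Constructed, simplified model of the two keys above (not a real hive dump).
# Real BagMRU values are binary shell items (ITEMIDLISTs); here each value
# carries only the decoded folder name so the join logic stays visible. The
# layout follows the registry: numbered subkeys under BagMRU, one MRUListEx
# value per key, and a NodeSlot DWORD linking a BagMRU key to Bags\<NodeSlot>.

FILETIME_EPOCH_DIFF = 116444736000000000  # 100-ns ticks from 1601-01-01 to 1970-01-01


def filetime_to_utc(filetime):
    """Convert a Windows FILETIME (e.g. a registry key's last-write time) to UTC."""
    return datetime.fromtimestamp((filetime - FILETIME_EPOCH_DIFF) / 10_000_000, tz=timezone.utc)


def utc_to_filetime(dt):
    """Inverse of filetime_to_utc; used here only to build the constructed sample."""
    return int(dt.timestamp()) * 10_000_000 + FILETIME_EPOCH_DIFF


def encode_mrulistex(*order):
    """Encode an MRUListEx value: little-endian DWORDs ending in 0xFFFFFFFF."""
    return struct.pack("<%dI" % (len(order) + 1), *order, 0xFFFFFFFF)


def parse_mrulistex(blob):
    """Decode MRUListEx into child subkey numbers, most recently used first."""
    count = len(blob) // 4
    return [v for v in struct.unpack("<%dI" % count, blob[: count * 4]) if v != 0xFFFFFFFF]


def ts(*ymdhms):
    return utc_to_filetime(datetime(*ymdhms, tzinfo=timezone.utc))


# BagMRU: key path relative to ...\Shell\BagMRU -> values ("" is the root key).
BAGMRU = {
    "":           {"MRUListEx": encode_mrulistex(1, 0)},
    "0":          {"name": "C:\\", "NodeSlot": 1, "MRUListEx": encode_mrulistex(0)},
    "0\\0":       {"name": "Users", "NodeSlot": 2, "MRUListEx": encode_mrulistex(0)},
    "0\\0\\0":    {"name": "Admin", "NodeSlot": 3, "MRUListEx": encode_mrulistex(0)},
    "0\\0\\0\\0": {"name": "Documents", "NodeSlot": 4, "MRUListEx": encode_mrulistex()},
    "1":          {"name": "E:\\", "NodeSlot": 5, "removable": True, "MRUListEx": encode_mrulistex(0)},
    "1\\0":       {"name": "Project_Backup", "NodeSlot": 6, "MRUListEx": encode_mrulistex()},
}

# Bags: NodeSlot -> last-write FILETIME of the Bags\<NodeSlot> key (the timestamp
# the table above calls "first access"). Values are constructed.
BAGS = {
    1: ts(2023, 11, 2, 9, 12, 0), 2: ts(2023, 11, 2, 9, 12, 4), 3: ts(2023, 11, 2, 9, 12, 9),
    4: ts(2024, 1, 22, 23, 58, 41), 5: ts(2024, 1, 15, 2, 34, 17), 6: ts(2024, 1, 15, 2, 34, 20),
}


def join_path(parent, name):
    if not parent:
        return name
    return parent + name if parent.endswith("\\") else parent + "\\" + name


def reconstruct(bagmru, bags):
    """Walk BagMRU in MRUListEx order and join every folder node to its Bags metadata."""
    entries = []

    def walk(key_path, parent_path, removable):
        key = bagmru[key_path]
        removable = removable or key.get("removable", False)
        path = join_path(parent_path, key["name"]) if "name" in key else parent_path
        if "name" in key:
            entries.append({
                "path": path,
                "key": "BagMRU\\" + key_path,
                "node_slot": key["NodeSlot"],
                "last_write": filetime_to_utc(bags[key["NodeSlot"]]),
                "removable": removable,
            })
        for child in parse_mrulistex(key["MRUListEx"]):  # most recent child first
            walk(f"{key_path}\\{child}" if key_path else str(child), path, removable)

    walk("", "", False)
    return entries


def ghost_folders(entries, live_paths):
    """Entries whose folder is no longer on disk: deleted folders or unplugged drives."""
    return [e for e in entries if e["path"] not in live_paths]


if __name__ == "__main__":
    live = {"C:\\", "C:\\Users", "C:\\Users\\Admin", "C:\\Users\\Admin\\Documents"}
    for e in reconstruct(BAGMRU, BAGS):
        flag = " (removable)" if e["removable"] else ""
        gone = "  [NOTE] folder not present on disk" if e["path"] not in live else ""
        print(f"[PATH] {e['path']}{flag}  [LAST WRITE] {e['last_write']:%Y-%m-%d %H:%M:%S} UTC{gone}")
```

The walk follows the registry's own ordering, so the most recently used branch (the E: drive here) comes out first; the ghost-folder check is the "Deleted Folders" row of the table above in code form, with the set of live paths standing in for a directory listing of the examined machine.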
Microsoft: "It's a user experience feature!"
Forensic Investigators: "It's a confession machine."
Windows: "Why not both?"

02
What They Track
Your digital GPS, exposed
Alright, let's get specific here because "folder history" sounds vague until you actually see what's being recorded. I'm about to show you exactly what a forensic investigator sees when they crack open your Shellbags, and I promise you'll start thinking twice about what you name your folders.
// SHELLBAG FORENSIC FIELDS
| Field | Captures | Risk |
|---|---|---|
| Folder Name | "SecretProject" | HIGH |
| Full Path | C:\Users\You\...\ | HIGH |
| First Opened | 2023-04-15 02:34 UTC | HIGH |
| Last Accessed | 2024-01-22 23:58 UTC | HIGH |
| Access Count | 47 times | MED |
| View Settings | Icons, sort order | LOW |
| Attack Paths | Parent → Child hierarchy | HIGH |
Look at that table. Everything marked HIGH risk is something that can definitively prove what you accessed, when you accessed it, and how you got there. The tools section later in this article shows exactly how defenders and investigators extract this information. This isn't theoretical—these are the actual techniques used in real incident response and legal investigations.
Now here's where it gets really interesting, and honestly, kind of wild when you think about it:
Let's say you plug in a USB drive, browse through some folders on it, then unplug it and take it home. Maybe you even format the drive later, thinking you're being careful. Here's the thing: the folder structure from that USB drive is now permanently recorded in YOUR computer's registry. The drive is gone. You could throw it in a volcano. Doesn't matter—your computer remembers every folder that was on it. This is how investigators prove that ransomware staging folders existed on removable media, or that someone accessed sensitive files before an incident. The physical evidence might be gone, but the digital ghost remains.

Ever navigate to a shared folder on your company's network? Something like \\FileServer\HR\Confidential\Salary_Data\? That entire path is now in your Shellbags. If you're an investigator trying to prove that someone accessed files they shouldn't have, this is gold. If you're an attacker who just moved laterally across a network, you've left a breadcrumb trail that maps your entire journey. Security teams use this for what's called "attack path reconstruction"—essentially retracing an attacker's steps through the network based on the folder evidence they left behind.
Let me show you what this actually looks like when someone runs a forensic tool against a registry hive:
[PATH] E:\Project_Backup\Client_Files\2024\
[FIRST] 2024-01-15 02:34:17 UTC
[LAST] 2024-01-22 23:58:41 UTC
[COUNT] 47 accesses
[TYPE] Removable Drive (USB)
[NOTE] Drive E: no longer connected to system
See that output? The drive isn't connected anymore, but the investigator reconstructs exactly what folder structure existed on it, when it was first accessed, when it was last touched, and how many times someone navigated into that directory. Now imagine that folder was named something more revealing. Your naming conventions matter more than you thought. Ask me how many regrettable folder names past-me left scattered across old registries.
The report won't roast you. It will quote you—folder names and all. Maybe you named a folder after a person, a project, a secret, or a version of yourself you've outgrown. Shellbags remember all of it. Logs don't care about intent.
Here's how investigators actually extract this data. Three standard tools, three different use cases.
🔍 Tool 1: ShellBags Explorer (GUI)
Eric Zimmerman's visual Shellbag parser. Easiest for learning.
1. Open ShellBags Explorer
2. Drag NTUSER.DAT onto window
3. View reconstructed folder tree (left pane)
4. Click folders to see metadata
5. Export to CSV for timeline analysis
⚡ Tool 2: SBECmd (Command Line)
Same parser, scriptable. For batch processing 100+ machines.
SBECmd.exe -d C:\Users\Admin\NTUSER.DAT -o C:\Output\shellbags.csv
🔧 Tool 3: RegRipper
Registry hive parser. Extracts multiple artifacts at once.
rip.pl -r NTUSER.DAT -p shellbags
Pro tip: Download the full Eric Zimmerman toolkit from ericzimmerman.github.io — it's free and industry-standard.
There's a folder on your machine you haven't opened in months. You know the one. It's still in your Shellbags.

03
Why It Matters
From logs to courtroom
Let's step back from the technical details for a minute and talk about why any of this actually matters in the real world. Because I get it—registry hives and binary data and forensic artifacts can feel abstract until you see how they play out in actual situations.
Shellbags are used in real investigations. Real court cases. Real consequences. They've been the deciding factor in corporate espionage cases, insider threat investigations, divorce proceedings (yes, really), criminal investigations, and employment disputes. When someone says "I never accessed that folder" or "I don't know anything about those files," Shellbags have a way of telling a different story. And unlike human witnesses, Shellbags don't forget, don't get nervous on the stand, and don't change their testimony.
▸ Lateral Movement Proof: Shellbags map the exact path an attacker took through a network
▸ Ransomware Staging: USB folder access proves files were staged before encryption
▸ Insider Threat: Employee accessed confidential folders after submitting resignation
▸ Data Exfiltration: Navigation to cloud sync folders before departure
▸ Intellectual Property: Accessed competitor analysis folders before jumping to rival company
▸ MITRE ATT&CK T1083: File and Directory Discovery maps directly to Shellbag artifacts
Here's a scenario that actually happens more often than you'd think: An employee puts in their two weeks' notice. During that time, they navigate to folders they've never accessed before—HR files, financial records, client lists, proprietary code repositories. They copy what they want, delete the copies from their downloads folder, clear their browser history, and walk out feeling clever. Six months later, they're working for a competitor and suddenly that competitor has suspiciously similar products. The forensic investigation starts, and guess what survives? The Shellbags showing exactly which folders that employee accessed during their final weeks, complete with timestamps and access counts.
"Traces outlive alibis. The truth has a way of surviving, even when you think you've deleted it."
2024-01-15 02:34:17
D:\Photos\2019\Trip\Raw\
The night you couldn't sleep.
Some of your heaviest days are frozen as nothing more than a path and a timestamp.

But here's the thing—and this matters—I'm not telling you this to generate anxiety or to help you become a better criminal (please don't). This isn't about assuming you're doing something wrong. It's about defending your story from being flattened into a single log entry. Your digital footprint is complex, contextual, and human. Forensic artifacts don't capture nuance. They capture data points. Understanding what those data points reveal is the first step to protecting them.
Ice Files Crossover
See Shellbags in Action
In Ice Protocol, Agent 89 uses Shellbag forensics to prove USB access in an air-gapped facility. The folder paths revealed the entire exfiltration route.
Whether you're a security professional hunting threats, a privacy-conscious person who wants to understand what their machine knows, or someone who simply believes in the right to digital self-awareness—you deserve this knowledge. Not to hide. To protect your future self.
The goal isn't to teach you how to hide things. It's to make sure no one can weaponize your own data against you without your informed consent. That's a different conversation entirely.
04
The Uncomfortable Truth
Why your cleanup attempts don't work
Alright, here's where I have to get real with you. Most people—and I mean the vast majority—believe that basic privacy measures will protect them. They think that if they delete a folder, clear their recent files, run CCleaner, or even format a drive, they've covered their tracks. I hate to be the one to break this to you, but those assumptions are almost entirely wrong when it comes to Shellbags.
Let me walk you through why each common "cleanup" method fails:
Deleting a folder does NOT delete the Shellbag entry. When you delete a folder, you're removing the actual files and directory from your file system. But the Shellbag entry that was created when you first opened that folder? It's in your registry, which is a completely separate system. The folder is gone, but the proof that you accessed it—including its full path, name, and timestamps—survives.
Formatting a drive does NOT clear Shellbags. Here's the thing people don't understand: Shellbags aren't stored on the drive you formatted. They're stored in YOUR user profile's registry hives, which live on your main system drive. You could format every external drive you own and the Shellbag records would still be sitting there in your registry, documenting every folder that existed on those drives.
CCleaner, BleachBit, and most "privacy tools" don't touch Shellbags. These tools are great for clearing browser history, temp files, and recent document lists. But Shellbag data is embedded deep within protected registry hives (NTUSER.DAT and USRCLASS.DAT) that standard cleaning utilities simply don't access. The data is stored in binary format within files that are locked by the operating system while you're logged in. Most cleanup tools aren't designed to handle this level of registry manipulation.
Using a VM? Still creates Shellbags on your host if you use shared folders. A lot of security-conscious people use virtual machines thinking they're creating a nice clean separation. And they're mostly right—except when you enable shared folders between your host and guest. Every time you browse to that shared folder from your host machine, you're creating Shellbag entries on your host system that document the folder structure visible through that share.
The information is stored in binary format within protected registry files. It's not sitting in some obvious "History" folder you can just right-click and delete. It's woven into the architecture of how Windows stores user preferences, and it requires specialized forensic tools—or deep registry manipulation—to actually remove.
Here's something that forensic investigators know and most people don't: attempting to wipe Shellbag data is itself suspicious. If a forensic analysis shows that registry entries were manually deleted, or that timestamps don't make sense, or that there are gaps in what should be continuous records, that's a massive red flag. In legal contexts, it's sometimes called "evidence of consciousness of guilt"—the act of trying to destroy evidence suggests you knew that evidence was incriminating. So ironically, a clumsy attempt to clean your Shellbags might make you look worse than just leaving them alone.

Defaults vs. Reality
DEFAULT: Deleting a folder erases the evidence.
REALITY: The Shellbag entry survives in a completely separate system.
→ Treat deletion as hiding from yourself, not from forensics.
DEFAULT: Formatting is a reset.
REALITY: Registry hives persist through drive wipes.
→ Manage OS artifacts as the thing you protect, not forget.
DEFAULT: Privacy tools handle this.
REALITY: Most cleaners can't access locked, binary registry hives.
→ Know the difference between 'cleaned' and 'forensically clean.'
I'm not saying this to make you feel trapped. The solution to Shellbags isn't frantic post-hoc deletion—it's understanding they exist before you make decisions about what you access and how you organize your digital life. Prevention through awareness beats attempted cleanup every time.
Mental Model Shift
Delete means gone.
Delete means hidden from you, not from forensics.
"Ghosts don't format away. You can't outrun something you don't know is following you."
For blue teamers and SOC analysts: how to detect suspicious Shellbag activity before a breach, not after.
Sysmon Registry Events
When a Shellbag entry is created (user opens folder in Explorer), it triggers a registry modification event.
```yaml
title: Suspicious Shellbag Access (Possible Staging)
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 13            # Registry value set; needs a Sysmon config whose RegistryEvent rules cover these keys
        TargetObject|contains:
            - 'BagMRU'
            - 'Bags'
        # Sysmon logs REG_BINARY value data as the literal string "Binary Data",
        # so this Details match only fires where the value data is logged as text.
        Details|contains:
            - 'E:\'
            - 'USB'
            - 'Removable'
    timeframe: 5m
    condition: selection | count() > 10
level: medium
```
MITRE ATT&CK Mapping
| Finding | MITRE Technique | Indicator |
|---|---|---|
| Network share access in Shellbags | T1083 - File and Directory Discovery | Attacker exploring shares |
| USB + Network share correlation | T1537 - Transfer Data to Cloud Account | Pre-exfiltration staging |
| System folder access (C:\Windows) | T1548 - Abuse Elevation Control Mechanism | Privilege escalation |
| Rapid sequential folder access | T1087 - Account Discovery | Automated reconnaissance |
| Deleted folders with recent timestamps | T1070 - Indicator Removal | Evidence tampering |
Lab Task: Build 2 detection rules: (1) "USB Access with Network Share Access" and (2) "Rapid Shellbag Modification"
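The lab task above asks for two rules. Here is an added example, not the article's or any tool's own code, that implements both in Python over constructed data. Rule (2) counts Sysmon Event ID 13 writes under BagMRU or Bags per user inside a sliding five-minute window. Rule (1) correlates a removable-drive folder with a UNC share folder for the same user within an hour; because Sysmon logs REG_BINARY value data as the literal string "Binary Data", the folder paths for that rule cannot come from the Sysmon event and are taken instead from a parsed Shellbag export (the kind of CSV SBECmd produces), so those rows are constructed with assumed column names. The SID, user names and paths are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# --- Constructed inputs (not real telemetry) ----------------------------------
# Sysmon Event ID 13 lines flattened to "key=value" form; the SID is a placeholder.
# Sysmon renders REG_BINARY value data as "Binary Data", so only the key path is usable.
_KEY = "HKU\\S-1-5-21-PLACEHOLDER\\Software\\Microsoft\\Windows\\Shell"
_lines = []
for i in range(12):  # twelve BagMRU writes by one user inside two minutes
    _lines.append(f"2024-01-15T02:{34 + i // 6:02d}:{(i * 10) % 60:02d}Z EventID=13 "
                  f"User=CORP\\jdoe TargetObject={_KEY}\\BagMRU\\1\\{i} Details=Binary Data")
_lines += [
    f"2024-01-15T09:00:00Z EventID=13 User=CORP\\asmith TargetObject={_KEY}\\BagMRU\\0\\3 Details=Binary Data",
    f"2024-01-15T09:20:00Z EventID=13 User=CORP\\asmith TargetObject={_KEY}\\Bags\\7\\Shell Details=Binary Data",
    "2024-01-15T09:21:00Z EventID=13 User=CORP\\asmith TargetObject=HKU\\S-1-5-21-PLACEHOLDER"
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run Details=DWORD (0x00000001)",
]
SYSMON_LOG = "\n".join(_lines)

# Rows in the shape of a parsed-Shellbag export (column names assumed), one per
# folder node, with the drive type already decoded by the parser. Constructed.
SHELLBAG_ROWS = [
    {"user": "jdoe", "path": "E:\\Project_Backup\\Client_Files\\2024", "last_write": "2024-01-15T02:34:17Z", "removable": True},
    {"user": "jdoe", "path": "\\\\FileServer\\HR\\Confidential\\Salary_Data", "last_write": "2024-01-15T02:41:03Z", "removable": False},
    {"user": "jdoe", "path": "C:\\Users\\jdoe\\Documents", "last_write": "2024-01-15T03:02:11Z", "removable": False},
    {"user": "asmith", "path": "\\\\FileServer\\Marketing\\Assets", "last_write": "2024-01-15T09:00:00Z", "removable": False},
    {"user": "asmith", "path": "F:\\Photos", "last_write": "2024-01-20T18:30:00Z", "removable": True},
]

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) User=(?P<user>\S+) "
                     r"TargetObject=(?P<target>.+?) Details=(?P<details>.*)$")
SHELLBAG_KEY_RE = re.compile(r"\\Shell\\(BagMRU|Bags)\\", re.IGNORECASE)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_sysmon(text):
    """Parse the flattened Sysmon lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "eid": int(m["eid"]),
                           "user": m["user"], "target": m["target"]})
    return events


def rapid_shellbag_modification(events, threshold=10, window=timedelta(minutes=5)):
    """Rule (2): more than `threshold` Shellbag key writes by one user inside `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["eid"] == 13 and SHELLBAG_KEY_RE.search(e["target"]):
            by_user[e["user"]].append(e["ts"])
    findings = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                findings.append({"user": user, "count": end - start + 1, "window_start": times[start]})
                break                          # one finding per user is enough to alert
    return findings


def usb_and_share_correlation(rows, window=timedelta(hours=1)):
    """Rule (1): the same user touched a removable drive and a UNC share within `window`."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append((parse_ts(r["last_write"]), r))
    findings = []
    for user, items in by_user.items():
        usb = [(t, r) for t, r in items if r["removable"]]
        shares = [(t, r) for t, r in items if r["path"].startswith("\\\\")]
        for t_usb, r_usb in usb:
            for t_share, r_share in shares:
                gap = abs(t_usb - t_share)
                if gap <= window:
                    findings.append({"user": user, "removable_path": r_usb["path"],
                                     "share_path": r_share["path"], "gap": gap})
    return findings


if __name__ == "__main__":
    for f in rapid_shellbag_modification(parse_sysmon(SYSMON_LOG)):
        print(f"[RAPID] {f['user']}: {f['count']} Shellbag writes from {f['window_start']:%H:%M:%S}")
    for f in usb_and_share_correlation(SHELLBAG_ROWS):
        print(f"[USB+SHARE] {f['user']}: {f['removable_path']} and {f['share_path']} "
              f"within {int(f['gap'].total_seconds())}s")
```

Both rules are deliberately per-user, because Shellbags are per-profile artifacts; the rate rule fires for the first user only, and the correlation rule ignores the second user whose removable and share activity are days apart. A real deployment would also need the Sysmon configuration to include the Shell\BagMRU and Shell\Bags keys in its RegistryEvent rules, or Event ID 13 never arrives at all.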

05
Blue Team Your Life
Practical steps for the digitally self-aware
Alright, you've learned what Shellbags are, what they track, why they matter, and why your usual cleanup methods don't work. The natural question is: "Okay, so what do I actually DO about this?"
Here's my philosophy, and it's the same one I apply to basically everything in security and life: you don't need perfection—you need awareness and reasonable precautions appropriate to your actual situation. The goal isn't to become some paranoid ghost who never leaves a trace (that's exhausting and mostly impossible anyway). The goal is to understand your footprint well enough to make informed decisions about what you're comfortable with.
With that mindset, here are five practical approaches that actually make a difference:
Audit Your Own Machine First
Before you worry about hypothetical attackers or investigators, take a look at what's actually in your own Shellbags right now. Download ShellBags Explorer or run RegRipper against your own NTUSER.DAT hive. You might be surprised what's in there—folders from USB drives you forgot about, network shares you accessed years ago, directories that no longer exist. This isn't about paranoia; it's about self-awareness. Know your own baseline.
Understand Your Actual Threat Model
This is crucial and most people skip it. Are you worried about a nosy family member or roommate poking through your stuff? That's very different from defending against a professional forensic investigation. The appropriate measures differ dramatically. For casual privacy, basic operational awareness is enough. For sensitive work, you might need live boot environments like Tails, dedicated hardware, or properly configured VMs. Match your precautions to your actual risk.
Separate Your Digital Lives
This is honestly the most practical advice I can give: compartmentalize. Work computer for work stuff. Personal computer for personal stuff. If you have activities that require extra privacy—whether that's security research, journalism, activism, or just stuff you don't want mixed with your professional life—consider dedicated hardware or properly isolated environments. When everything lives on one machine, everything gets mixed into one forensic profile.
Hunt Proactively (For Defenders)
If you're on a security team, don't wait for an incident to start caring about Shellbags. Build them into your baseline. Use Sysmon to log registry events. Create detection rules for anomalous folder access patterns. When an incident does happen, you'll already know what normal looks like, which makes spotting the abnormal much easier. Shellbag forensics should be a standard part of your incident response playbook.
Practice on Yourself (Purple Team)
Want to really understand how this works? Set up a test environment, simulate the kind of activity you're worried about, then analyze it with forensic tools. See what traces you leave. Try to clean them up. See what survives. This kind of purple team exercise—attacking yourself and then defending against yourself—builds intuition that no amount of reading can replace. You learn by doing.
Look, I'm not going to pretend there's some magic solution that makes Shellbags disappear while letting you use Windows normally. There isn't. But there's a huge difference between stumbling through your digital life completely unaware of the traces you're leaving, versus moving through it with clear eyes and intentional choices. The person who understands their footprint can make informed decisions about risk. The person who doesn't is just hoping for the best.
Three folders you'd show on a projector. In court. With your name attached.
One you wouldn't.
What you'll do about it.

If you're Blue Team
Focus on baselining, logging, detection rules. Build Shellbags into your IR playbook before you need them.
If you're Red Team
Focus on footprint modeling. Know what artifacts your operations generate—and what survives.
If you're a civilian
Focus on naming conventions, compartmentalization, and awareness. You don't need to be paranoid—just informed.
An informed user with reasonable precautions beats a paranoid user with no understanding every single time.
Someone you respect is reading a report of your last 12 months. Not the version you'd tell them. The version the machine would.
Digital self-awareness: it's like situational awareness, but for your hard drive. Same concept as not walking through sketchy areas at 3am without paying attention—except the sketchy area is your own registry, and the threats are forensic tools.
╭─────────────────────╮
│      (˶ᵔ ᵕ ᵔ˶)      │
│    Hunt. Harden.    │
│     Stay sharp.     │
╰─────────────────────╯
Digital Self-Awareness Series
Digital Self-Awareness Part 1 complete. Next: Prefetch files, LNK artifacts, and the invisible infrastructure of your digital life.
Control your trace. Or someone else will read it.
One sentence. Your digital life. What would it say?
I don't control every trace—but I choose not to be a stranger to my own.

About the Author
JMFG
Systems thinker who builds cybersecurity labs and writes about the intersection of psychology, technology, and human behavior. 80+ interactive defense exercises at jmfg.ca. My philosophy is empowerment through understanding—not fear through FUD.
When I'm not reverse-engineering Windows artifacts or building detection rules, you'll find me appreciating good design, high fashion, and the kind of intentional living that makes both digital and physical life cleaner.
