How to remove old Shellbag entries in Windows for privacy

The Microsoft Windows operating system records information about window viewing preferences -- known as ShellBag information -- in the Windows Registry.

It keeps track of details such as the size, view mode, icon, access time and date, and position of a folder window when a user browses folders in Windows Explorer.

What makes Shellbag information interesting is that Windows does not delete it when the folder itself is deleted, which means the information can be used to prove that folders existed on the system.

Forensic examiners use the information, for instance, to establish which folders a user has accessed. It can be used to look up when a folder was last visited, modified or created on a system.

The information can also reveal the contents of removable storage devices that were connected to the computer in the past, and of encrypted volumes that were mounted on the system before.

Overview


Shellbags are created when a user visits a folder on the operating system at least once. This means that they can be used to prove that a user has accessed a particular folder at least once before.

Windows saves the information to the following Registry keys:

  • HKEY_USERS\ID\Software\Microsoft\Windows\Shell\Bags
  • HKEY_USERS\ID\Software\Microsoft\Windows\Shell\BagMRU
  • HKEY_USERS\ID\Software\Microsoft\Windows\ShellNoRoam

If you analyze the BagMRU structure you will notice many subkeys with integer names under the main key. Windows stores information about recently opened folders here. Each subkey corresponds to a folder on the system, which is identified by binary data stored in that subkey.

The Bags key on the other hand stores information about each folder including its display settings.

Additional information about the structure is provided by the paper "Using Shellbag information to reconstruct user activities", which you can download with a click on the following link: p69-zhu.pdf

According to Microsoft, you can reset the settings for all folders by deleting the following Registry keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU
  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags

On 64-bit systems additionally:

  • HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\Bags
  • HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

Afterwards, re-create the following keys:

  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags

On 64-bit systems additionally:

  • HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\Bags
  • HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
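The deletion and re-creation steps above as a PowerShell script, added here as an example and not taken from the article, Microsoft or any of the tools mentioned. It assumes it runs in the affected user's session with every Explorer window closed, and it exports each key to a .reg file before removing it so the change can be reverted.

```powershell
# Added example: back up, delete and re-create the Shellbag keys named in the article.
# Assumes: run as the affected user with all Explorer windows closed (Explorer rewrites
# these keys when it exits), and reg.exe available as on every Windows installation.
$backupDir = Join-Path $env:USERPROFILE ("ShellbagBackup-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir | Out-Null

# Keys to delete, relative to HKCU\Software (the article's list)
$toDelete = @(
    'Microsoft\Windows\Shell\Bags',
    'Microsoft\Windows\Shell\BagMRU',
    'Microsoft\Windows\ShellNoRoam\Bags',
    'Microsoft\Windows\ShellNoRoam\BagMRU',
    'Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags',
    'Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU'
)
# Keys that must exist again afterwards
$toRecreate = @(
    'Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags',
    'Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU'
)
if ([Environment]::Is64BitOperatingSystem) {
    $wow = @(
        'Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\Bags',
        'Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\BagMRU'
    )
    $toDelete   += $wow
    $toRecreate += $wow
}

foreach ($rel in $toDelete) {
    $psPath = "HKCU:\Software\$rel"          # provider path for the PowerShell cmdlets
    if (-not (Test-Path -LiteralPath $psPath)) { Write-Host "absent:  $rel"; continue }
    $file = Join-Path $backupDir (($rel -replace '[\\ ]', '_') + '.reg')
    # reg.exe wants the native HKCU\... form; stop before deleting if the export fails
    & reg.exe export "HKCU\Software\$rel" $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "export of $rel failed; stopping before deleting it" }
    Remove-Item -LiteralPath $psPath -Recurse -Force
    Write-Host "removed: $rel  (backup: $file)"
}

foreach ($rel in $toRecreate) {
    New-Item -Path "HKCU:\Software\$rel" -Force | Out-Null   # -Force creates missing parents
    Write-Host "created: $rel"
}
Write-Host "Done. Revert any key with: reg.exe import <file> using the files in $backupDir"
```

The exported .reg files contain the removed folder history, so delete them once you are sure the reset worked; older copies of the keys may also survive in System Restore points.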

Software parsers

Several programs parse the information and display it in an easy-to-analyze form. Some were created to retrieve forensic evidence, others to clean the data for privacy.

Shellbag Analyzer & Cleaner is a free program by the makers of PrivaZer that can display and remove Shellbag related information.


You need to click on the analyze button to scan the system for Shellbag related information. By default, the application displays all entries, both for existing folders and for folders that have since been deleted.

You can use the menu at the top to only display deleted folders, network folders, search results, existing folders or control panel and system folders.

Each entry is displayed with its name and path, the last time it was visited, its type, its slot key in the Registry, creation, modification and access time and date, as well as window position and size.

A click on clean displays options to remove specific types of information, but not individual entries, from the system. If you click on advanced options, you get additional features such as an option to overwrite the information, backup, or scramble the dates.


A success message is displayed in the end that informs you about the status of the operation.

Here are some alternatives that you can use instead:



Responses to How to remove old Shellbag entries in Windows for privacy

  1. hessam June 9, 2014 at 4:08 pm #

    If you don't want to store anything, right-click on the registry key and select Permissions,
    add "Everyone" and give it Deny; if there are any other users, give them Deny too.
    So nothing gets saved.
    I also use this method for the Notification Area Icons cache
    HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify

    and MuiCache
    HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

    • Ed August 5, 2014 at 3:20 am #

      Be cautious in using this tool. It crashed my Windows 7 64-bit system, because of the Registry changes it made.

      Make sure you have a RELIABLE registry backup. I recommend the registry autobackup utility ERUNT - The Emergency Recovery Utility NT - freeware by Lars Hederer from:

      http://www.larshederer.homepage.t-online.de/erunt

  2. Pants June 9, 2014 at 4:27 pm #

    - You can see folders viewed in Explorer using Nirsoft's LastActivityView ( http://www.nirsoft.net/utils/computer_activity_view.html ).
    - CCleaner ( with winapp2.ini ) listed under Cleaner>Applications>Windows>Windows 7/8 Shellbags* can clean shellbags
    - PrivaZer's Shellbag Analyzer & Cleaner is portable ( as is their main cleaner PrivaZer, which also includes shellbag cleaning ).

  3. ilev June 9, 2014 at 4:28 pm #

    It is time for Microsoft to get rid of the registry.

    • Swapnil June 11, 2014 at 1:00 pm #

      Microsoft can't remove the registry because it's in Windows Phone and Windows RT also, along with the full Windows 8. It has an important purpose. What Microsoft should do is disable apps' access to registry - something it already does for WinRT apps. Yes, Windows Phone has a registry (not accessible by any means, used only by the OS, apps can't access it), and I am sure it also has a lot of other things like the Windows servicing stack for update deployment - all these things hidden and restricted from the user and the apps. This is what should be done.
      The next major version of Windows (Windows 9?) will bring windowed Modern/WinRT apps, thus solving all the productivity issues (like not being able to multi-task) which should encourage app developers to port their Win32 apps to WinRT, which should mostly solve the Registry issues over the coming years.

  4. Dwight Stegall June 9, 2014 at 6:38 pm #

    I don't understand who I would be hiding this information from? I'm the only user of this computer and no one else lives here.

    • AlS June 9, 2014 at 7:05 pm #

      FYI - deleting the current entries still doesn't erase ALL your history. As the Zhu paper cited points out:
      "The ShellBag information analysis method is extended from the Registry snapshots comparison method described in Zhu et al. (2009b). The Registry snapshots are, by default, created within System Restore Points to back up the Windows Registry every 24 calendar hours and possibly more frequently when certain events occur such as the installation of new software (Harder, 2001). So if the current Windows Registry can be considered as the most recent snapshot of itself with all the Windows Restore Points containing earlier snapshots."

    • Pants June 10, 2014 at 6:38 am #

      ^^^ I kind of agree with Dwight here. Those who really need to be covert should probably be using something like TAILs, or a Linux distro, and other system-wide methods of protection in the first place (encryption).

      However, "D:\Porn\Midget Cosplay\" might be something the average husband wants to keep from his uber-tech-savvy wife :) Also, simply following good cleaning practices against computer forensics is never a bad idea.

  5. Dexter June 9, 2014 at 8:24 pm #

    Here's my PowerShell script that I use after installing Windows; it disables saving ShellBag and a few other things by setting the ACL to deny write for Everyone: http://pastebin.com/Suq9iPYX
    Save it with the ps1 extension and run it with admin privileges:
    PowerShell -ExecutionPolicy Bypass -Command "& 'PATH_TO_SCRIPT'"
    If you have any other keys that can be disabled this way, please post them here.

    • r2 June 20, 2014 at 2:06 am #

      Dexter, that's brilliant! Thank you for sharing the script.
      I have added the script call to the batch file that I use after installing Windows.

  6. Bob June 9, 2014 at 10:12 pm #

    I wonder if System Ninja or UnCleaner will add this Shellbag cleaning functionality sometime in the future?
    I really like those programs.
