The Microsoft Windows operating system records folder view preferences, known as ShellBag information, in the Windows Registry.
It keeps track of details such as the size, view mode, icon, position and last access date and time of a folder window that a user opened in Windows Explorer.
What makes Shellbag information interesting is that Windows does not delete it when the folder itself is deleted, which means that it can be used to prove that a folder existed on the system.
Forensic examiners use the information, for instance, to establish which folders a user has accessed. It can be used to look up when a folder was last visited, and the creation, modification and access timestamps the folder carried at that time.
The information can also reveal folders on removable storage devices that were connected to the computer in the past, and on encrypted volumes that were mounted on the system before.
A Shellbag entry is created the first time a user opens a folder in Explorer. This means that its presence proves that the user opened that folder at least once.
Windows saves the information to the following Registry keys:
If you analyze the BagMRU key you will notice that its subkeys and values are numbered. Windows stores the hierarchy of recently opened folders here: each numbered value holds a binary shell item that identifies one sub-folder, the subkey with the same number holds that folder's own children, the MRUListEx value records the order in which they were last used, and the NodeSlot value points to the matching entry under Bags.
The Bags key, on the other hand, stores the view settings of each folder, such as its view mode and window size and position, in numbered subkeys.
Additional information about the structure is provided by the paper "Using Shellbag information to reconstruct user activities", which you can download with a click on the following link: p69-zhu.pdf
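To make that structure concrete, here is an added example, not part of the original article and not code from any of the tools mentioned further down, that decodes the values of one BagMRU key the way a Shellbag parser does: the MRUListEx ordering, the NodeSlot link to the Bags subkey, and the binary file entry shell item with the FAT timestamps and long name stored in its 0xbeef0004 extension block. The sample item is constructed inside the script rather than captured from a hive, so the folder names and dates are made up. The extension-block field offsets used here follow the layout documented by the libfwsi project and vary by Windows version, so check them against a real item from your own hive before trusting the long names. On Windows Vista and later the live key is HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (stored in UsrClass.dat); reading its values with winreg.EnumValue yields exactly the kind of dictionary the decode function below expects.

```python
import struct
from datetime import datetime

EXT_SIGNATURE = 0xBEEF0004  # extension block that carries creation/access times and the long name

def fat_datetime(date_word, time_word):
    """Decode a FAT/DOS timestamp: local time, 2-second resolution; all-zero means never set."""
    if date_word == 0 and time_word == 0:
        return None
    return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
                    time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)

def fat_bytes(dt):
    """Inverse of fat_datetime: 16-bit date followed by 16-bit time, little-endian."""
    date_word = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return struct.pack("<HH", date_word, time_word)

def parse_mrulistex(raw):
    """MRUListEx: little-endian uint32 value names, most recently used first, ends with 0xFFFFFFFF."""
    order = []
    for off in range(0, len(raw) - 3, 4):
        idx = struct.unpack_from("<I", raw, off)[0]
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def long_name_offset(version):
    """Distance from the start of a 0xbeef0004 block to its UTF-16 long name, by block version
    (3 = XP, 7 = Vista, 8 = Windows 7+, 9 = Windows 8.1+); layout as documented by libfwsi."""
    skip = 18                                   # size, version, signature, two timestamps, identifier
    skip += 18 if version >= 7 else 0           # padding, NTFS file reference, unknown
    skip += 2 if version >= 3 else 0            # localized-name string size
    skip += 4 if version >= 9 else 0
    skip += 4 if version >= 8 else 0
    return skip

def parse_file_entry(item):
    """Parse one file entry shell item (class 0x30-0x3f) as stored in a numbered BagMRU value."""
    size, cls, file_size, mdate, mtime, attrs = struct.unpack_from("<HBxIHHH", item, 0)
    if cls & 0x70 != 0x30:
        raise ValueError("not a file entry shell item: class 0x%02x" % cls)
    name_end = item.index(b"\x00", 14)          # primary (8.3) name is NUL-terminated
    entry = {"is_directory": bool(attrs & 0x10), "file_size": file_size,
             "short_name": item[14:name_end].decode("cp437"), "long_name": None,
             "modified": fat_datetime(mdate, mtime), "created": None, "accessed": None}
    ext = name_end + 1
    ext += ext & 1                              # extension block starts on a 16-bit boundary
    if ext + 16 > size:
        return entry                            # no extension block present
    version, signature = struct.unpack_from("<HI", item, ext + 2)
    if signature != EXT_SIGNATURE:
        return entry
    cdate, ctime, adate, atime = struct.unpack_from("<HHHH", item, ext + 8)
    entry["created"], entry["accessed"] = fat_datetime(cdate, ctime), fat_datetime(adate, atime)
    pos = end = ext + long_name_offset(version)
    while end + 2 <= size and item[end:end + 2] != b"\x00\x00":
        end += 2                                # find the terminator on UTF-16 code-unit boundaries
    entry["long_name"] = item[pos:end].decode("utf-16-le")
    return entry

def decode_bagmru_key(values):
    """values maps the value names of one BagMRU key (as winreg.EnumValue returns them) to data.
    NodeSlot names the Bags\\<n> subkey holding the view settings; folders come back in MRU order."""
    folders = [parse_file_entry(values[str(i)]) for i in parse_mrulistex(values["MRUListEx"])]
    return {"node_slot": values.get("NodeSlot"), "folders": folders}

def build_file_entry(short_name, long_name, modified, created, accessed, version=8):
    """Encoder for the same layout; used only to fabricate the constructed sample below."""
    name = short_name.encode("cp437") + b"\x00"
    name += bytes(len(name) & 1)                # pad to a 16-bit boundary
    payload = fat_bytes(created) + fat_bytes(accessed) + struct.pack("<H", 0x2E)  # identifier
    payload += bytes(long_name_offset(version) - 18)  # version-dependent fields, all zero here
    payload += long_name.encode("utf-16-le") + b"\x00\x00"
    payload += struct.pack("<H", 14 + len(name))      # offset of this extension block in the item
    block = struct.pack("<HHI", 8 + len(payload), version, EXT_SIGNATURE) + payload
    body = struct.pack("<BxI", 0x31, 0) + fat_bytes(modified) + struct.pack("<H", 0x10) + name + block
    return struct.pack("<H", 2 + len(body)) + body   # directory item: class 0x31, attribute 0x10

# Constructed sample, not captured from a real hive: two subfolders, "Secret Plans" opened last.
# Every BagMRU value ends in a two-byte terminator; parse_file_entry ignores it (it stops at size).
SAMPLE_VALUES = {
    "0": build_file_entry("PROJEC~1", "Projects", datetime(2013, 5, 2, 14, 30, 7),
                          datetime(2013, 4, 29, 9, 0, 0), datetime(2013, 5, 2, 14, 30, 7)) + bytes(2),
    "1": build_file_entry("SECRET~1", "Secret Plans", datetime(2013, 5, 3, 8, 15, 0),
                          datetime(2013, 5, 3, 8, 15, 0), datetime(2013, 5, 3, 8, 15, 0)) + bytes(2),
    "MRUListEx": struct.pack("<III", 1, 0, 0xFFFFFFFF),
    "NodeSlot": 12,                             # winreg returns REG_DWORD values as int
}

if __name__ == "__main__":
    decoded = decode_bagmru_key(SAMPLE_VALUES)
    print("view settings live in Bags\\%d" % decoded["node_slot"])
    for f in decoded["folders"]:
        print("%-13s %-9s modified %s  created %s  accessed %s" % (
            f["long_name"], f["short_name"], f["modified"], f["created"], f["accessed"]))
```

Two caveats worth keeping in mind when you read the output of this or any Shellbag tool: the timestamps are FAT timestamps, so they are local time without a zone and have two-second granularity, which the constructed sample shows by decoding 14:30:07 as 14:30:06; and they describe the folder as it looked when Explorer displayed it, not the moment of the visit. When an entry was created or last updated is taken from the LastWrite time of the BagMRU subkey, which the script above does not read.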
According to Microsoft, you can reset the view settings for all folders by deleting the following Registry keys:
On 64-bit systems additionally:
Afterwards, re-create the following keys:
On 64-bit systems additionally:
Several programs parse the information and display it in a form that is easy to analyze. Some were written to recover forensic evidence, others to clean the data for privacy reasons.
Shellbag Analyzer & Cleaner is a free program by the makers of PrivaZer that can display and remove Shellbag-related information.
Click the analyze button to scan the system for Shellbag-related information. By default, the application displays all entries, both for existing folders and for folders that have since been deleted.
You can use the menu at the top to display only deleted folders, network folders, search results, existing folders, or control panel and system folders.
Each entry is displayed with its name and path, the last time it was visited, its type, its slot key in the Registry, its creation, modification and access date and time, as well as the window position and size.
A click on clean displays options to remove specific types of information, but not individual entries, from the system. Advanced options add features such as overwriting the information, creating a backup first, or scrambling the dates.
A status message at the end informs you whether the operation succeeded.
Here are some alternatives that you can use instead:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.