How to remove old Shellbag entries in Windows for privacy

Martin Brinkmann
Jun 9, 2014
Updated • Apr 28, 2021

The Microsoft Windows operating system records information about window viewing preferences -- known as ShellBag information -- in the Windows Registry.

It keeps track of several pieces of information, such as the size, view mode, icon, access time and date, and position of a folder, when a user uses Windows Explorer.

What makes ShellBag information interesting is that Windows does not delete it when the folder is deleted, which means that the information can be used to prove the existence of folders on the system.

Forensic investigators use the information, for instance, to keep track of which folders a user has accessed. It can be used to look up when a folder was last visited, modified or created on a system.

The information can also be used to display the contents of removable storage devices that were connected to the computer in the past, as well as information about encrypted volumes that were mounted on the system before.

Overview

Shellbags are created when a user visits a folder on the operating system at least once. This means that they can be used to prove that a user has accessed a particular folder at least once before.

Windows saves the information to the following Registry keys:

  • HKEY_USERS\ID\Software\Microsoft\Windows\Shell\Bags
  • HKEY_USERS\ID\Software\Microsoft\Windows\Shell\BagMRU
  • HKEY_USERS\ID\Software\Microsoft\Windows\ShellNoRoam

If you analyze the BagMRU structure you will notice many integers stored under the main key. Windows stores information about the recently opened folders here. Each item is related to a sub-folder on the system which is identified by binary data stored in those sub-folders.

The Bags key on the other hand stores information about each folder including its display settings.

Additional information about the structure is provided by a paper called "Using Shellbag information to reconstruct user activities" which you can download with a click on the following link: (Download Removed)

According to Microsoft, you can delete the following Registry keys to reset the settings for all folders:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU
  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags

On 64-bit systems additionally:

  • HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\Bags
  • HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

Afterwards, re-create the following keys:

  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags

On 64-bit systems additionally:

  • HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\Bags
  • HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
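
The delete and re-create steps above can be scripted for the current user. The following PowerShell is an added example, not part of the original article; the backup folder name is an assumption, and each key is exported with reg.exe before it is removed so the change can be reverted.

```powershell
# Added example: backs up, deletes and re-creates the ShellBag keys listed above (current user only).
# Assumption: backups go to a folder named ShellBagBackup in the user profile.
$backupDir = Join-Path $env:USERPROFILE 'ShellBagBackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

$shell    = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell'
$shellWow = 'HKCU:\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell'

# Keys the article lists for deletion
$delete = @(
    'HKCU:\Software\Microsoft\Windows\Shell\Bags',
    'HKCU:\Software\Microsoft\Windows\Shell\BagMRU',
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\Bags',
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\BagMRU',
    "$shell\BagMRU",
    "$shell\Bags"
)
# Keys the article says to re-create afterwards
$recreate = @("$shell\BagMRU", "$shell\Bags")

# The Wow6432Node keys only apply to 64-bit systems
if ([Environment]::Is64BitOperatingSystem) {
    $delete   += "$shellWow\Bags", "$shellWow\BagMRU"
    $recreate += "$shellWow\Bags", "$shellWow\BagMRU"
}

foreach ($key in $delete) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # key not present on this system

    # Count the subkeys so the output shows how much was stored
    $count = @(Get-ChildItem -LiteralPath $key -Recurse -ErrorAction SilentlyContinue).Count

    # reg.exe expects HKCU\... rather than the PowerShell drive form HKCU:\...
    $regPath = $key -replace '^HKCU:', 'HKCU'
    $file    = Join-Path $backupDir (($regPath -replace '[\\ ]', '_') + '.reg')
    & reg.exe export $regPath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Backup failed, skipping $key"; continue }

    Remove-Item -LiteralPath $key -Recurse -Force
    Write-Host "Removed $key ($count subkeys), backup: $file"
}

foreach ($key in $recreate) {
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
}
```

The exported .reg files contain the same ShellBag data that was removed from the Registry, so they need to be stored or deleted with that in mind.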

Software parsers

Software has been created to parse the information and display it in an easy to analyze way. There are quite a few programs available for that purpose. Some have been created to retrieve forensic evidence while others to clean the data for privacy.

Shellbag Analyzer & Cleaner is a free program by the makers of PrivaZer that can display and remove Shellbag related information.


You need to click on the analyze button to scan the system for Shellbag related information. By default, the application displays all entries, both for existing folders and for folders that have been deleted.

You can use the menu at the top to only display deleted folders, network folders, search results, existing folders or control panel and system folders.

Each entry is displayed with its name and path, the last time it was visited, its type, slot key in the Registry, creation, modification and access time and date, as well as window position and size.

A click on clean displays options to remove specific types of information, but not individual entries, from the system. If you click on advanced options, you get additional features such as an option to overwrite the information, backup, or scramble the dates.


A success message is displayed in the end that informs you about the status of the operation.

Update: a new version of ShellBag Analyzer + Cleaner was released in April 2021. It introduced improved scans and scan speed, as well as an optimized user interface. End

Here are some alternatives that you can use instead:


Comments

  1. Dan said on February 13, 2023 at 12:14 pm

    Why do you post links to pages that are Forbidden (https://cdn.ghacks.net/wp-content/uploads/dlm_uploads/2014/06/p69-zhu.pdf)

  2. Anonymous said on January 29, 2022 at 12:41 pm

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell]
    "BagMRU Size"=dword:00000001

  3. jozomafijozo said on August 7, 2016 at 6:24 pm

    The simplest solution for shellbag issues is not to use Windows Explorer.
    I just tried opening a folder and playing a video in it with XYplorer and LastActivityView did not register any action.
    But XYplorer is not recommended for privacy because it also remembers opened files/folders and to disable that feature you have to buy the pro version.
    Also, make sure to disable prefetch and superfetch (even if you have an SSD), jumplists and userassist for more privacy.

  4. Bob said on June 9, 2014 at 10:12 pm

    I wonder if System Ninja or UnCleaner will add this Shellbag cleaning functionality sometime in the future?
    I really like those softwares.

  5. Dexter said on June 9, 2014 at 8:24 pm

    Here’s my PowerShell script that I use after installing Windows, it disables saving ShellBag and a few other things by setting ACL to deny write for Everyone http://pastebin.com/Suq9iPYX
    Save it with ps1 extension and run with admin privileges
    PowerShell -ExecutionPolicy Bypass -Command "& 'PATH_TO_SCRIPT'"
    If you have any other keys that can be disabled this way please post it here

    1. Cas said on February 22, 2015 at 2:57 pm

      Thank you!

    2. r2 said on June 20, 2014 at 2:06 am

      Dexter, that’s brilliant! Thank you for sharing the script.
      I have added the script call to my batch file that I use after installing windows.

  6. Dwight Stegall said on June 9, 2014 at 6:38 pm

    I don’t understand who I would be hiding this information from? I’m the only user of this computer and no one else lives here.

    1. Pants said on June 10, 2014 at 6:38 am

      ^^^ I kind of agree with Dwight here. Those who really need to be covert should probably be using something like TAILs, or a Linux distro, and other system-wide methods of protection in the first place (encryption).

      However, “D:\Porn\Midget Cosplay\” might be something the average husband wants to keep from his uber-tech-savvy wife :) Also, simply following good cleaning practices against computer forensics is never a bad idea.

    2. AlS said on June 9, 2014 at 7:05 pm

      FYI – deleting the current entries still doesn’t erase ALL your history. As the Zhu paper cited points out:
      “The ShellBag information analysis method is extended from
      the Registry snapshots comparison method described in Zhu
      et al. (2009b). The Registry snapshots are, by default, created
      within System Restore Points to back up the Windows Registry
      every 24 calendar hours and possibly more frequently when
      certain events occur such as the installation of new software
      (Harder, 2001). So if the current Windows Registry can be
      considered as the most recent snapshot of itself with all the
      Windows Restore Points containing earlier snapshots.”

      1. Darf Dorff said on May 5, 2017 at 9:27 pm

        So then you must delete all the past restore points on your system to achieve certain shellbag cleanliness.

  7. ilev said on June 9, 2014 at 4:28 pm

    It is time for Microsoft to get rid of the registry.

    1. Swapnil said on June 11, 2014 at 1:00 pm

      Microsoft can’t remove the registry because it’s in Windows Phone and Windows RT also, along with the full Windows 8. It has an important purpose. What Microsoft should do is disable apps’ access to registry – something it already does for WinRT apps. Yes, Windows Phone has a registry (not accessible by any means, used only by the OS, apps can’t access it), and I am sure it also has a lot of other things like the Windows servicing stack for update deployment – all these things hidden and restricted from the user and the apps. This is what should be done.
      The next major version of Windows (Windows 9?) will bring windowed Modern/WinRT apps, thus solving all the productivity issues (like not being able to multi-task) which should encourage app developers to port their Win32 apps to WinRT, which should mostly solve the Registry issues over the coming years.

  8. Pants said on June 9, 2014 at 4:27 pm

    – You can see folders viewed in Explorer using Nirsoft’s LastActivityView ( http://www.nirsoft.net/utils/computer_activity_view.html ).
    – CCleaner ( with winapp2.ini ) listed under Cleaner>Applications>Windows>Windows 7/8 Shellbags* can clean shellbags
    – PrivaZer’s Shellbag Analyzer & Cleaner is portable ( as is their main cleaner PrivaZer, which also includes shellbag cleaning ).

  9. hessam said on June 9, 2014 at 4:08 pm

    If you don't want anything stored, right-click on the registry key and select Permissions,
    add "Everyone" and give it Deny; if there are any other users, give them Deny too.
    Then nothing is saved.
    Also, I use this method for the Notification Area Icons cache
    HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify

    and MuiCache
    HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

    1. Ed said on August 5, 2014 at 3:20 am

      Be cautious in using this tool. It crashed my Windows 7 64-bit system, because of the Registry changes it made.

      Make sure you have a RELIABLE registry backup. I recommend the registry autobackup utility ERUNT – The Emergency Recovery Utility NT – freeware by Lars Hederer from:

      http://www.larshederer.homepage.t-online.de/erunt
