Loads the information stored in the registry about folders the user accessed on local, network and removable storage devices. Using the loaded data, you can check when a user accessed a specific folder, track evidence of deleted or overwritten folders, and track the MAC times for folder access through Explorer.


    reg-shellbags [zipcharset=CHARSET] [zippath=ZIPFILE_PATH] FILE_PATH

Required Parameter

FILE_PATH: Path to the registry file. Using a wildcard (*) in the file name, you can retrieve all files whose names contain a specific string pattern (e.g. D:\data\registry\*). If you provide the zippath option, enter the path of the registry file inside the ZIP file.

Optional Parameter

zipcharset=CHARSET: Character set used to decode ZIP entry names and comments that are not UTF-8 encoded. Use the preferred MIME name or aliases registered in the following document:

zippath=ZIPFILE_PATH: Path to the ZIP file


The output fields are as follows:

| Field | Type | Description |
|---|---|---|
| file_name | String | File name |
| file_ext | String | File extension |
| last_written | Date | Last written time |
| order | Integer | File order by extension |


  1. Retrieve information by providing the file path.

    reg-shellbags D:\data\registry\NTUSER.DAT
  2. Retrieve information when the zippath option is provided.

    reg-shellbags zippath=D:\data\ registry\NTUSER.DAT
  3. Sort the results by file extension, then by the order field.

    reg-shellbags D:\data\registry\NTUSER.DAT
    | sort file_ext, order