reg-shellbags
Retrieves the history of folders recently accessed through Windows Explorer from an NTUSER registry hive file. ShellBags are registry data that Windows Explorer records when a user opens a folder; they contain folder paths, access times and the most-recently-used order.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Licensed command |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
reg-shellbags [zipcharset=STR] [zippath=STR] FILE_PATH
Options
zipcharset=STR - Character encoding for ZIP entry names. Use a Preferred MIME Name or Alias registered in the IANA Character Sets registry. (default: utf-8)
zippath=STR - ZIP file path. When specified, queries registry hive files inside the ZIP archive.
Target
FILE_PATH - NTUSER registry hive file path. Use a wildcard (*) to query all files matching the pattern at once.
Output fields
| Field | Type | Description |
|---|---|---|
| _file | string | Registry hive file name |
| file_path | string | Folder path |
| file_size | string | File size (if the entry is a file) |
| key | string | BagMRU registry key path |
| access_at | timestamp | Access time |
| modified_at | timestamp | Modification time |
| mft_entry_index | binary | MFT entry index |
| ntfs_seq | integer | NTFS sequence number |
| order | integer | Order in the MRU (Most Recently Used) list |
| last_written | timestamp | Last write time of the registry key |
Error codes
Parse errors
N/A
Runtime errors
N/A
Description
The reg-shellbags command reads the Software\Microsoft\Windows\Shell\BagMRU key from an NTUSER registry hive file and parses the ShellBags entries stored beneath it. ShellBags are an artifact that Windows Explorer records automatically whenever a folder is opened, so the history survives even when the folder itself has since been deleted or lived on removable media that is no longer present. This makes it valuable for user activity analysis in digital forensics. Note that from Windows 7 onwards Explorer stores most of its ShellBags in the user's UsrClass.dat hive (under Local Settings\Software\Microsoft\Windows\Shell); this command reads only the NTUSER key named above, so check both hives when reconstructing a timeline.
Each record includes the MRU (Most Recently Used) order taken from the key's MRUListEx value, so you can identify which folder the user accessed most recently: a smaller order value means a more recently accessed folder, with 0 being the most recent. The last_written field is the last-write timestamp of the registry key itself, which is independent of the folder timestamps carried in the entry.
For entries that carry NTFS metadata, the record additionally provides the MFT entry index, NTFS sequence number, file size, access time and modification time. These access and modification times come from the entry's FAT-style date/time fields and therefore have only two-second resolution.
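To make the output fields above concrete, the following added example (not Logpresso code) decodes the three raw BagMRU structures they are derived from: the MRUListEx value that yields order, the FAT date/time words that yield modified_at, and the NTFS file reference that yields mft_entry_index and ntfs_seq. It also parses the fixed header of a file-entry shell item (class type 0x30-0x3F) to recover the short name, file size and modification time. The layouts follow the publicly documented Windows Shell Item format; all sample bytes are constructed inline.

```python
"""Decode the raw BagMRU structures behind reg-shellbags' output fields.

Added example, not Logpresso code. Sample bytes below are constructed for
illustration; they do not come from a real hive.
"""
import struct
from datetime import datetime


def parse_mrulistex(data: bytes) -> list:
    """MRUListEx: little-endian uint32 child-key indices, most recently used
    first, terminated by 0xFFFFFFFF. Returns the indices in MRU order."""
    indices = []
    for offset in range(0, len(data) - 3, 4):
        (idx,) = struct.unpack_from("<I", data, offset)
        if idx == 0xFFFFFFFF:
            break
        indices.append(idx)
    return indices


def mru_order(data: bytes) -> dict:
    """Map child-key index -> 'order' value (0 = most recent)."""
    return {idx: pos for pos, idx in enumerate(parse_mrulistex(data))}


def dos_datetime(date: int, time: int):
    """FAT/DOS packed date+time (two-second resolution) -> datetime, or None
    when both words are zero (unset)."""
    if date == 0 and time == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def split_mft_reference(ref: bytes) -> tuple:
    """NTFS FILE_REFERENCE (8 bytes LE): low 48 bits = MFT entry index,
    high 16 bits = sequence number -> (mft_entry_index, ntfs_seq)."""
    value = int.from_bytes(ref, "little")
    return value & 0xFFFFFFFFFFFF, value >> 48


def parse_file_entry_item(item: bytes) -> dict:
    """Parse the fixed header of a file-entry shell item:
    uint16 size, uint8 class type, uint8 unknown, uint32 file size,
    uint16 DOS modification date, uint16 DOS modification time,
    uint16 attributes, then a NUL-terminated ASCII short name."""
    _size, class_type, _unk, file_size, mdate, mtime, attrs = \
        struct.unpack_from("<HBBIHHH", item, 0)
    if class_type & 0x70 != 0x30:
        raise ValueError("not a file entry shell item (class type 0x30-0x3F)")
    name_end = item.index(b"\x00", 14)
    return {
        "is_directory": bool(class_type & 0x01),   # 0x31 = folder, 0x32 = file
        "file_size": file_size,                     # 0 for folders
        "modified_at": dos_datetime(mdate, mtime),
        "attributes": attrs,
        "short_name": item[14:name_end].decode("ascii"),
    }


# Constructed samples (hypothetical values, not from a real hive).
# MRUListEx saying: child 2 most recent, then child 0, then child 1.
SAMPLE_MRULISTEX = struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF)
# Folder "EVIDENCE", modified 2023-05-17 14:30:20, FILE_ATTRIBUTE_DIRECTORY.
SAMPLE_ITEM = struct.pack("<HBBIHHH", 24, 0x31, 0, 0, 0x56B1, 0x73CA, 0x10) \
    + b"EVIDENCE\x00\x00"
# MFT entry 10811 with sequence number 5.
SAMPLE_MFT_REF = (10811 | (5 << 48)).to_bytes(8, "little")


if __name__ == "__main__":
    print("order:", mru_order(SAMPLE_MRULISTEX))
    print("item:", parse_file_entry_item(SAMPLE_ITEM))
    print("mft_entry_index, ntfs_seq:", split_mft_reference(SAMPLE_MFT_REF))
```

Because order is just a position in MRUListEx, sorting the command's output by that field ascending reproduces Explorer's own recency ranking; the key's last_written timestamp tells you when that ranking was last changed, not when any particular folder was opened.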
Examples
-
Retrieving ShellBags from an NTUSER hive file
reg-shellbags D:\evidence\NTUSER.DAT
Retrieves ShellBags history from the specified NTUSER registry hive file.
-
Querying an NTUSER hive file inside a ZIP archive
reg-shellbags zippath=D:\evidence\registry.zip NTUSER.DAT
Retrieves ShellBags history from the NTUSER.DAT entry inside the ZIP archive.
-
Sorting by most recently accessed
reg-shellbags D:\evidence\NTUSER.DAT | sort order
Sorts ShellBags history by MRU order in ascending order, so the most recently accessed folder (order 0) comes first.
-
Querying multiple files with a wildcard
reg-shellbags D:\evidence\*\NTUSER.DAT
Retrieves ShellBags history from all NTUSER hive files matching the wildcard pattern; use the _file field to tell the source hives apart.