How to Remove Old Shellbag Entries in Windows for Privacy

Here’s a privacy remedy that most of us probably haven’t thought much about …

The Microsoft Windows operating system records information about window viewing preferences — known as ShellBag information — in the Windows Registry. It keeps track of details such as the size, view mode, icon, access time and date, and position of a folder window when a user browses that folder in Windows Explorer. What makes Shellbag information interesting is that Windows does not delete it when the folder itself is deleted, which means the information can be used to prove that a folder once existed on the system.

Forensic analysts use the information, for instance, to establish which folders a user has accessed. It can be used to look up when a folder was last visited, modified or created on a system.

The information can also be used to reveal the contents of removable storage devices that were connected to the computer in the past, as well as information about encrypted volumes that were mounted on the system before.

Overview


Shellbags are created when a user visits a folder on the operating system at least once. This means that they can be used to prove that a user has accessed a particular folder at least once before.

Windows saves the information to the following Registry keys:

  • HKEY_USERS\ID\Software\Microsoft\Windows\Shell\Bags
  • HKEY_USERS\ID\Software\Microsoft\Windows\Shell\BagMRU
  • HKEY_USERS\ID\Software\Microsoft\Windows\ShellNoRoam

If you analyze the BagMRU structure you will notice many numbered subkeys under the main key. Windows stores information about recently opened folders here. Each item corresponds to a sub-folder on the system, which is identified by binary data stored in those subkeys.

The Bags key on the other hand stores information about each folder including its display settings.
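The following PowerShell script is an added example (not from the article or from any tool it mentions) that inventories the BagMRU structure described above for the current user. It walks the two user-scope BagMRU roots, counts the numbered binary values in each subkey and reads the NodeSlot value that links a BagMRU key to its Bags entry; NodeSlot and the numbered value names are standard ShellBag value names that the article only paraphrases as "integers" and "binary data". Running it before and after a cleanup shows how many folder records persist, including records for folders that no longer exist.

```powershell
# Added example: inventory ShellBag BagMRU entries for the current user.
# The two roots below are the user-scope BagMRU keys named in the article.
$BagMruRoots = @(
    'HKCU:\Software\Microsoft\Windows\Shell\BagMRU',
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU'
)

function Get-ShellBagInventory {
    param([string[]]$Roots = $BagMruRoots)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # The root key itself plus every nested subkey (one subkey per recorded folder).
        $keys = @(Get-Item -LiteralPath $root) + @(Get-ChildItem -LiteralPath $root -Recurse)

        foreach ($key in $keys) {
            # Value names that are plain integers hold the binary shell items,
            # one per child folder that Explorer has recorded under this key.
            $itemValues = @($key.GetValueNames() | Where-Object { $_ -match '^\d+$' })

            # NodeSlot (DWORD) points at the matching Bags\<n> key that holds the
            # view settings for this folder; $null if the key carries no link.
            $nodeSlot = $key.GetValue('NodeSlot')

            [pscustomobject]@{
                Key       = $key.Name
                ItemCount = $itemValues.Count
                NodeSlot  = $nodeSlot
            }
        }
    }
}

$inventory = @(Get-ShellBagInventory)
$inventory | Sort-Object ItemCount -Descending | Format-Table -AutoSize
'Total BagMRU keys: {0}; total recorded folder items: {1}' -f `
    $inventory.Count, ($inventory | Measure-Object -Property ItemCount -Sum).Sum
```

The script only reads the Registry, so it is safe to run as an audit step; the key names it prints are the "slot keys" that the cleaner tool discussed later in the article lists per entry.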

Additional information about the structure is provided by the paper “Using Shellbag information to reconstruct user activities”, which you can download via the following link:
p69-zhu.pdf

According to Microsoft, you can delete the following Registry keys to reset the settings for all folders:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU
  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags

On 64-bit systems additionally:

  • HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\Bags
  • HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

Afterwards, re-create the following keys:

  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags

On 64-bit systems additionally:

  • HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\Bags
  • HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
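As an added example (not part of the article, and not Microsoft's own script), the PowerShell below scripts the reset procedure just described: it exports a backup of each key with reg.exe, deletes the listed keys, and then re-creates the Local Settings keys, adding the Wow6432Node keys on 64-bit systems. The key paths are exactly the ones listed above; the backup folder name and the use of reg.exe for backups are choices of this example. One practical assumption stated here rather than in the article: Explorer keeps ShellBag state in memory and writes it back when it exits, so close all Explorer windows before running the script, otherwise the deleted keys may reappear.

```powershell
# Added example: reset ShellBag keys the way the procedure above describes,
# with a .reg backup of every key before it is removed.
$BackupDir = Join-Path $env:TEMP ('shellbag-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
$Is64Bit   = [Environment]::Is64BitOperatingSystem

$KeysToDelete = @(
    'HKCU:\Software\Microsoft\Windows\Shell\Bags',
    'HKCU:\Software\Microsoft\Windows\Shell\BagMRU',
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\Bags',
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\BagMRU',
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU',
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags'
)
$KeysToRecreate = @(
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU',
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags'
)
if ($Is64Bit) {
    $Wow = @(
        'HKCU:\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\Bags',
        'HKCU:\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\BagMRU'
    )
    $KeysToDelete   += $Wow
    $KeysToRecreate += $Wow
}

function Backup-RegistryKey {
    param([string]$PsPath, [string]$Dir)
    # reg.exe expects the HKCU\... form rather than the PowerShell drive form.
    $regPath = $PsPath -replace '^HKCU:\\', 'HKCU\'
    $file    = Join-Path $Dir (($regPath -replace '[\\:]', '_') + '.reg')
    & reg.exe export $regPath $file /y | Out-Null
}

function Reset-ShellBags {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # Step 1 and 2: back up, then delete every key that exists.
    foreach ($key in $KeysToDelete) {
        if (Test-Path -LiteralPath $key) {
            Backup-RegistryKey -PsPath $key -Dir $BackupDir
            Remove-Item -LiteralPath $key -Recurse -Force
            "Deleted   $key"
        }
    }

    # Step 3: re-create the keys Microsoft says must exist afterwards.
    # The parent ...\Shell keys survive the deletion, so no intermediate keys are needed.
    foreach ($key in $KeysToRecreate) {
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key | Out-Null
            "Recreated $key"
        }
    }

    "Backups written to $BackupDir"
}

Reset-ShellBags
```

To undo the reset, double-click (or `reg import`) the .reg files in the backup folder; keeping them also gives you a record of what was removed, which matters if the machine is ever subject to a forensic review.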

Software parsers

Software has been created to parse the information and display it in an easy-to-analyze form. There are quite a few programs available for that purpose. Some were created to retrieve forensic evidence, while others were created to clean the data for privacy.

Shellbag Analyzer & Cleaner is a free program by the makers of PrivaZer that can display and remove Shellbag related information.


Click the analyze button to scan the system for Shellbag related information. By default, the application displays all entries, both for existing folders and for folders that have since been deleted.

You can use the menu at the top to only display deleted folders, network folders, search results, existing folders or control panel and system folders.

Each entry is displayed with its name and path, the last time it was visited, its type, its slot key in the Registry, its creation, modification and access time and date, as well as the window position and size.

A click on clean displays options to remove specific types of information, but not individual entries, from the system. If you click on advanced options, you get additional features such as an option to overwrite the information, create a backup, or scramble the dates.


When the operation finishes, a message informs you about its status.

Here are some alternatives that you can use instead:
