ShellBags Explorer
A forensic analysis tool for parsing Windows ShellBags to reconstruct folder access and user navigation activity.
ShellBags Explorer is a digital forensics utility developed by Eric Zimmerman for analyzing Windows ShellBag artifacts. ShellBags store information about folders a user has viewed in Windows Explorer, even if those folders no longer exist, making them a critical artifact for user activity reconstruction and timeline analysis.
The tool is designed for offline forensic workflows and is widely used in DFIR investigations, insider threat cases, and legal examinations.
What ShellBags Explorer Does
ShellBags Explorer parses ShellBag data from the Windows Registry hives of a user profile: the BagMRU and Bags keys under Software\Microsoft\Windows\Shell in NTUSER.DAT, and the same pair under Local Settings\Software\Microsoft\Windows\Shell in USRCLASS.DAT (where Windows 7 and later store most of the data). From them it reveals which folders were opened in Explorer, when the registry keys were last written, what timestamps the folder carried at the time, and how the folder was displayed. These artifacts persist even after the folders are deleted, the removable drive is unplugged, or the files inside were wiped.
ShellBags can expose access to local folders, removable media, network shares, and virtual locations, often providing evidence unavailable from logs or file system metadata. They record navigation through the Windows shell (Explorer and the common file dialogs), not access from the command line or from programs that open paths directly.
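The following is an added example, written for this page and not code from ShellBags Explorer or Eric Zimmerman, showing the core of what such a parser does: walk a BagMRU key tree, decode the shell item stored in each numbered value, order siblings by MRUListEx, pair each folder with the NodeSlot and LastWrite of its subkey, and convert the FAT/DOS timestamps embedded in the item. The registry tree is modelled as nested dictionaries and all shell items are constructed inline; in a real workflow the same structure would be filled from a hive opened with a registry library (python-registry is assumed as one option). Only drive-root (0x2F) and file-entry (0x31/0x32) items are decoded, the ASCII drive name at offset 3 of the 0x2F item is an assumed layout, and long names from the 0xBEEF0004 extension block are not parsed.

```python
"""Added example (not ShellBags Explorer's own code): reconstruct folder paths, MRU
order and timestamps from a BagMRU key tree. The tree and all shell items below are
constructed sample data; a real hive would be read with a library such as
python-registry (assumption) and mapped onto the same dict shape."""
import struct
from datetime import datetime


def decode_dos_datetime(date_word, time_word):
    """FAT/DOS date+time as stored in shell items: local time, 2-second granularity.
    Returns None for the all-zero value written for folders that carry no FAT
    timestamps (virtual folders, many network locations)."""
    if date_word == 0 and time_word == 0:
        return None
    return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
                    time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)


def parse_mrulistex(data):
    """MRUListEx: little-endian uint32 indices, most recently viewed first, 0xFFFFFFFF-terminated."""
    order = []
    for offset in range(0, len(data) - 3, 4):
        idx = struct.unpack_from('<I', data, offset)[0]
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def parse_shell_item(data):
    """Decode the item types needed for a local-disk path.
    0x2F drive root: ASCII drive name at offset 3 (layout assumed here).
    0x31/0x32 directory/file entry: size u16, type u8, u8, file size u32,
    modified DOS date u16 + time u16, attributes u16, NUL-terminated ASCII short name."""
    item_type = data[2]
    if item_type == 0x2F:
        return {'type': 'volume', 'name': data[3:data.index(b'\x00', 3)].decode('ascii'), 'modified': None}
    if item_type & 0x70 == 0x30:
        _, _, _, _, mdate, mtime, attrs = struct.unpack_from('<HBBIHHH', data, 0)
        name = data[14:data.index(b'\x00', 14)].decode('ascii')
        return {'type': 'dir' if item_type & 0x01 else 'file', 'name': name,
                'modified': decode_dos_datetime(mdate, mtime), 'attributes': attrs}
    return {'type': 'unsupported', 'name': f'<type 0x{item_type:02x}>', 'modified': None}


def walk_bagmru(key, parent_path=''):
    """Walk a BagMRU key (dict: 'last_write', 'values', 'subkeys'). Value 'N' under a key
    describes one child folder; subkey 'N' holds that folder's own children plus its
    NodeSlot, the index of the Bags\\<NodeSlot> key where Explorer keeps view settings."""
    records = []
    order = parse_mrulistex(key['values'].get('MRUListEx', b''))
    for position, idx in enumerate(order):
        item = parse_shell_item(key['values'][str(idx)])
        path = item['name'] if not parent_path else parent_path.rstrip('\\') + '\\' + item['name']
        child = key['subkeys'].get(str(idx))
        records.append({
            'path': path,
            'folder_modified': item['modified'],                       # local time, from the shell item
            'key_last_write': child['last_write'] if child else None,  # UTC, from the registry key
            'node_slot': child['values'].get('NodeSlot') if child else None,
            'mru_position': position,                                  # 0 = most recently viewed sibling
        })
        if child:
            records.extend(walk_bagmru(child, path))
    return records


# --- builders for the constructed sample below (encode what the parser decodes) ---
def _dos(dt):
    return ((dt.year - 1980) << 9 | dt.month << 5 | dt.day,
            dt.hour << 11 | dt.minute << 5 | dt.second // 2)

def _file_entry(name, is_dir, modified):
    d, t = _dos(modified)
    body = struct.pack('<BBIHHH', 0x31 if is_dir else 0x32, 0, 0, d, t, 0x10 if is_dir else 0x20)
    body += name.encode('ascii') + b'\x00'
    return struct.pack('<H', len(body) + 2) + body

def _volume(drive):
    body = bytes([0x2F]) + drive.encode('ascii') + b'\x00'
    return struct.pack('<H', len(body) + 2) + body

def _mru(order):
    return struct.pack('<%dI' % (len(order) + 1), *order, 0xFFFFFFFF)

def _key(last_write, values, subkeys=None):
    return {'last_write': last_write, 'values': values, 'subkeys': subkeys or {}}


# Constructed sample: the user opened C:\Users, then C:\Secret (most recent). C:\Secret was
# later deleted from disk, yet its BagMRU entry, timestamps and NodeSlot remain.
SAMPLE_BAGMRU = _key(datetime(2024, 3, 1, 10, 15, 30),
    {'MRUListEx': _mru([0]), '0': _volume('C:\\')},
    {'0': _key(datetime(2024, 3, 1, 10, 15, 30),
        {'MRUListEx': _mru([1, 0]), 'NodeSlot': 1,
         '0': _file_entry('Users', True, datetime(2023, 11, 20, 8, 0, 0)),
         '1': _file_entry('Secret', True, datetime(2024, 2, 28, 17, 45, 10))},
        {'0': _key(datetime(2024, 1, 5, 9, 0, 0), {'MRUListEx': _mru([]), 'NodeSlot': 2}),
         '1': _key(datetime(2024, 3, 1, 10, 15, 30), {'MRUListEx': _mru([]), 'NodeSlot': 3})})})


if __name__ == '__main__':
    for r in sorted(walk_bagmru(SAMPLE_BAGMRU), key=lambda r: r['key_last_write'] or datetime.min):
        print(f"{r['key_last_write']}  slot={r['node_slot']}  mru={r['mru_position']}  "
              f"modified={r['folder_modified']}  {r['path']}")
```

Two details of the output matter when correlating with a timeline: the key LastWrite is a UTC FILETIME and only tells you when the subkey was last changed (typically when a child entry was added or reordered), while the folder timestamp inside the shell item is the target folder's own modification time at the moment it was viewed, recorded in local time with two-second resolution. ShellBags Explorer reports both, and treating them as the same clock is a common mistake.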
Key Features of ShellBags Explorer
Offline ShellBag Parsing
Extracts ShellBag artifacts from exported registry hives without needing a live system.
Deleted Folder Visibility
Reveals folder access even when the directories no longer exist on disk.
Accurate Timestamp Extraction
Parses registry key LastWrite times (UTC) alongside the folder timestamps embedded in each shell item (local time, 2-second granularity), and keeps the two apart.
Path and Location Reconstruction
Identifies local paths, removable drives, network shares, and UNC paths.
User Attribution
Associates ShellBag activity with the Windows user profile whose hives were parsed.
Detailed Metadata Display
Shows folder view settings, window size, and other Explorer configuration data.
Powerful Sorting and Filtering
Enables rapid analysis across large datasets.
Export Capabilities
Outputs results to CSV for reporting and timeline correlation.
Integration with DFIR Tooling
Works with Timeline Explorer, KAPE, and the other Zimmerman tools.
Advanced Use Cases
User Activity Reconstruction
Determine which folders a user accessed and browsed during a specific timeframe.
Insider Threat Investigations
Identify access to sensitive directories, external drives, or network locations.
Incident Response
Confirm which directories an attacker browsed through the shell after gaining interactive (console or RDP) access post-compromise.
Anti-Forensics Detection
Reveal evidence of folder access despite file deletion or cleanup attempts.
Legal and Compliance Investigations
Provide defensible evidence of directory access and navigation behavior.
Latest Updates (as of 2026)
Recent maintenance and enhancements include:
Continued support for Windows 10 and Windows 11 artifacts
Improved parsing accuracy for complex ShellBag structures
Performance optimizations for large registry datasets
Ongoing alignment with Windows internals research
Regular updates within the Zimmerman forensic ecosystem
ShellBags Explorer remains actively maintained and trusted across professional forensic workflows.
Why It Matters
ShellBags are one of the most resilient Windows forensic artifacts, often surviving system cleanup, file deletion, and anti-forensic attempts. ShellBags Explorer transforms this low-level data into clear, actionable evidence of user behavior.
For investigators, it provides critical insight into what folders were accessed, when they were viewed, and how users or attackers navigated a system.
Requirements and Platform Support
ShellBags Explorer runs on:
Windows
It requires:
Registry hives (NTUSER.DAT and USRCLASS.DAT) from the user profile under examination
Optionally, the matching transaction logs (.LOG1 and .LOG2), so that a dirty hive can be brought up to date before parsing
Official site and documentation:
https://ericzimmerman.github.io/
https://github.com/EricZimmerman/ShellBagsExplorer