UsrClass.dat / ShellBags

Windows | User Activity | Disk Image

Location

C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat

Description

Per-user registry hive (loaded as HKU\<SID>_Classes and mapped into HKCU\Software\Classes) that holds the ShellBag keys under Local Settings\Software\Microsoft\Windows\Shell\BagMRU and \Bags. These record the folder view settings for every folder the user opened in Windows Explorer, including network shares, folders inside ZIP archives, removable media, and folders that have since been deleted.

Forensic Value

ShellBags persist evidence of folder access after the folders themselves are deleted, and because UsrClass.dat is a separate hive from NTUSER.DAT it is often missed during collection. Each entry records the path of a directory the user browsed, including UNC paths for network shares, so the set of entries maps which file locations an attacker explored from an interactive session. Two kinds of timestamps are available: the registry LastWrite time of each BagMRU key, from which tools such as ShellBags Explorer derive "first interacted" and "last interacted" values, and the MAC times embedded in the shell item data, which were copied from the file system when the folder was browsed. Use both with care: a key's LastWrite time only dates the most recent change to that key (that is, the most recently browsed child), and the embedded MAC times are stored in FAT/DOS format with 2-second resolution. Entries for paths inside a ZIP archive show that Explorer's Compressed Folders handler navigated into the archive, which is the evidence you want when a downloaded archive is the suspected delivery vehicle for a payload.

Tools Required

  • KAPE
  • ShellBags Explorer / SBECmd (Eric Zimmerman)
  • Registry Explorer (Eric Zimmerman)
  • RegRipper

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target RegistryHives

SBECmd

SBECmd.exe -d C:\output --csv C:\output --csvf ShellBags.csv

ShellBags Explorer

Load UsrClass.dat in ShellBags Explorer (GUI) for interactive analysis

RegRipper

rip.exe -r "C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat" -p shellbags
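Once SBECmd has written ShellBags.csv, a first triage pass usually asks three questions: which entries fall inside the incident window, which point at network shares, and which show Explorer descending into a ZIP. The script below is an added example (not part of the original page and not one of Eric Zimmerman's tools). It assumes SBECmd's default column names (AbsolutePath, FirstInteracted, LastInteracted) and its default yyyy-MM-dd HH:mm:ss UTC timestamp format, and it keys UNC detection on a \\server prefix in the rendered path, so check all three against the header and rows of your own CSV. The rows in SAMPLE_CSV are constructed, not real case data.

```python
import csv
import io
from datetime import datetime, timezone

# Column names and timestamp format are assumed to match SBECmd's default
# --csv output; verify against the header line of your own ShellBags.csv.
PATH_COL = "AbsolutePath"
FIRST_COL = "FirstInteracted"
LAST_COL = "LastInteracted"
TS_FMT = "%Y-%m-%d %H:%M:%S"  # SBECmd default --dt format, UTC

# Constructed sample rows (a subset of SBECmd's columns), not real case data.
SAMPLE_CSV = r"""
BagPath,Slot,NodeSlot,MRUPosition,AbsolutePath,ShellType,Value,LastWriteTime,FirstInteracted,LastInteracted,HasExplored
BagMRU\0\1,1,5,0,Desktop\My Computer\C:\Users\bob\Downloads,Directory,Downloads,2024-05-12 09:15:02,2024-05-10 08:00:00,2024-05-12 09:15:02,True
BagMRU\0\1\2,2,9,0,Desktop\My Computer\C:\Users\bob\Downloads\invoice.zip\invoice,Directory,invoice,2024-05-12 09:16:44,2024-05-12 09:16:44,2024-05-12 09:16:44,True
BagMRU\0\4,4,13,2,Desktop\My Network Places\\fileserver\Finance,Directory,Finance,2024-05-12 09:30:10,,,True
BagMRU\0\2,2,7,1,Desktop\My Computer\C:\Program Files,Directory,Program Files,2023-11-02 14:00:00,2023-11-02 14:00:00,2023-11-02 14:00:00,False
""".strip()

# Incident window used by demo(); an assumption for the sample data.
WINDOW_START = datetime(2024, 5, 12, 9, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 5, 12, 10, 0, tzinfo=timezone.utc)
_EPOCH_MIN = datetime.min.replace(tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an SBECmd timestamp cell. Empty cells (entries with no usable
    MRU or extension-block data) come back as None instead of raising."""
    value = (value or "").strip()
    if not value:
        return None
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def classify(path):
    """Tag a rendered ShellBag path by what it says about where the user went."""
    tags = set()
    low = path.lower()
    if "\\\\" in path:  # \\server\share style UNC path: a network share was browsed
        tags.add("unc")
    if ".zip\\" in low or low.endswith(".zip"):  # Explorer descended into a ZIP
        tags.add("zip")
    return tags


def triage(csv_text, start, end):
    """Return rows whose last interaction falls in [start, end] or that carry a
    UNC/ZIP tag, newest first. Tagged rows without timestamps are kept, so a
    network share with no usable time data is not silently dropped."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row[PATH_COL]
        tags = classify(path)
        last = parse_ts(row.get(LAST_COL))
        if last is not None and start <= last <= end:
            tags.add("in-window")
        if tags:
            hits.append({"path": path, "first": parse_ts(row.get(FIRST_COL)),
                         "last": last, "tags": tags})
    hits.sort(key=lambda h: h["last"] or _EPOCH_MIN, reverse=True)
    return hits


def demo():
    """Run the triage over the constructed sample with the sample window."""
    return triage(SAMPLE_CSV, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for hit in demo():
        when = hit["last"].isoformat() if hit["last"] else "no timestamp"
        print(f"{when:<25} {','.join(sorted(hit['tags'])):<16} {hit['path']}")
```

Run it against a real export with `triage(open("ShellBags.csv", encoding="utf-8-sig").read(), start, end)`; the `utf-8-sig` encoding strips the BOM that .NET tools commonly write. Entries with an empty LastInteracted still surface when they are tagged, which matters because the LastWrite-derived times only date the most recently browsed child of each key.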

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release and SKU and on what the user actually did: a folder only gets an entry when it is browsed through Explorer or an Explorer-based file dialog, not when it is touched from a console or by a script. Windows XP kept ShellBags in NTUSER.DAT (under Shell and ShellNoRoam); Windows 7 and later store most of them in UsrClass.dat, so collect both hives. UsrClass.dat is locked while the user is logged on, so collect it with a raw-access tool such as KAPE rather than a plain file copy, and take the UsrClass.dat.LOG1/.LOG2 transaction logs with it or the newest entries may be missing from a dirty hive. Treat absence as inconclusive.

MITRE ATT&CK Techniques

T1083 (File and Directory Discovery), T1005 (Data from Local System)