UsrClass.dat / ShellBags

Windows, User Activity, Disk Image

Location

C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat

Description

Per-user registry hive containing ShellBag entries that record folder view preferences for every folder a user browsed in Windows Explorer, including network shares, ZIP archives, removable media, and deleted folders.

Forensic Value

ShellBags persist evidence of folder access even after the folders are deleted. They record the full path of every directory browsed, including UNC paths for network shares, providing a map of what file locations the attacker explored. ShellBag timestamps include first and last interaction dates. This artifact is separate from NTUSER.DAT and often overlooked during collection. ZIP archive browsing entries prove the user opened archive files that may have contained malicious payloads.

Tools Required

KAPE
ShellBags Explorer (Eric Zimmerman)
Registry Explorer (Eric Zimmerman)
RegRipper