This paper applies techniques for analyzing Shellbag registry information from Windows XP to Windows 10. The author conducts experiments opening, closing, deleting, and renaming folders to observe how user actions update Shellbag registry keys. The results show that while registry paths differ, Shellbag updating processes are generally similar between Windows XP and Windows 10, with updates primarily occurring when folders are closed. This has implications for digital forensics analyses relying on Shellbag information from live Windows 10 systems.
Application of Windows XP Shellbag Analysis Techniques to Windows 10 Platform
Anna Bennett – Author; Dr. Narasimha Shashidhar – Advisor
Department of Computer Science
Sam Houston State University
Huntsville, Texas, USA
Abstract—Microsoft Windows XP has established techniques
and tools for obtaining and interpreting “Shellbag” information.
This paper takes those techniques and applies them to a virtual
instance of the beta release of Windows 10 to determine the
applicability of these techniques on this newest Microsoft
platform release.
Keywords—Shellbags; Registry; Analysis; Windows 10;
Windows XP; Digital Forensics
I. INTRODUCTION
Microsoft Windows XP has established techniques and
tools for obtaining and interpreting “Shellbag” information.
Shellbag files have serious potential implications in tracking
the activities of the user of a computer as they contain
information that controls certain settings of Windows Explorer
windows, such as size, location, and content view type.
Determining how and whether these techniques will continue
to be effective in Windows 10 will be of substantial forensic
value in determining user activities through the use of Shellbag
analysis. This paper will look at the techniques and analyses
by Zhu, Gladyshev, and James [1], and apply their techniques
to a virtual instance of the Windows 10 beta release. As a note,
because this analysis is being performed on a virtual instance
of a beta release, some things might vary between the findings
listed and findings on a future copy, or one that is not a virtual
instance. The primary reference of this paper is by Zhu,
Gladyshev, and James [1]. Their work was the inspiration for
this paper and consequently this paper should be viewed as an
extension of their paper to the Windows 10 platform.
Information for Shellbags stored in the registry is not in the
same location in Windows 10 as in Windows XP. The key to look for is:
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell
A. Contribution
A method is proposed by Zhu, Gladyshev, and James [1].
That method will be applied to the Windows 10 platform and
its results analyzed for their applicable utility. The results will
be compared to the results obtained in their paper.
B. Organization
This paper is organized as follows: Section 2 gives a brief
overview of the information contained in Shellbags and the
importance of Shellbags in digital forensics. Section 3 gives an
overview of the experiments that were conducted and their
comparisons with the corresponding experiments in Windows
XP [1]. Section 4 discusses the connection between user
actions and Shellbag information updates. Section 5 concludes
and discusses the impact of this information.
II. OVERVIEW OF SHELLBAG INFORMATION
Shellbag information exists in registry keys and contains
information about the settings of Windows Explorer windows
that have been opened. The relevance of this is that, since
these keys are themselves files, they contain metadata about
when the Shellbag file was created, last accessed, modified,
etc. In fact, a Shellbag will only exist if the Windows Explorer
process has used a window to access the folder in question.
This is particularly useful in determining whether a user
actually accessed content on the computer, as opposed to its
existence due to a malicious download. Shellbag analysis can
be used in conjunction with more commonly used digital
forensics techniques in establishing a timeline for certain
activities on a computer by specific user profiles. In
conjunction with standard investigative work, they could
perhaps provide evidence for or against an alibi, depending on
if and when certain actions were taken on the computer.
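To make the structure described above concrete, the following Python is an added example (not code from the paper, nor from ShellBagsView or any other tool it cites). It walks a constructed, in-memory model of the BagMRU tree that sits under the Shell key, decodes each key's MRUListEx value (a list of little-endian DWORDs terminated by 0xFFFFFFFF, most recently used child first), reads the NodeSlot that names the Bags\<slot> key holding the window settings, and orders the folders by key last-write time to build the kind of timeline the paper talks about. The folder names, slot numbers and timestamps are constructed; a real parser would read binary shell items and key timestamps from a parsed hive.

```python
"""Decode a constructed Shellbag BagMRU tree and order folders by key timestamp.

Added example, not from the paper. Layout mimicked (assumed from the Windows
Shellbag format): each BagMRU key has numbered values ("0", "1", ...) that
describe child folders, an MRUListEx value ordering those numbers most recently
used first, and a NodeSlot DWORD naming the Bags\\<slot> key with view settings.
Real numbered values hold binary shell items; here a plain folder name is used.
"""
import struct
from datetime import datetime, timezone

MRU_TERMINATOR = 0xFFFFFFFF


def mru(*indices: int) -> bytes:
    """Build an MRUListEx blob for the constructed tree (most recent first)."""
    return struct.pack(f"<{len(indices) + 1}I", *indices, MRU_TERMINATOR)


def when(stamp: str) -> datetime:
    """Constructed key last-write time; a real parser reads it from the hive."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


def key(values: dict, last_write: str, subkeys: dict = None) -> dict:
    """One registry key of the constructed model."""
    return {"values": values, "last_write": when(last_write), "subkeys": subkeys or {}}


# Constructed sample: Desktop\Experiment Folder 1 (Bags\27) was used before
# C:\Experiment Folder 2 (Bags\30), so the root MRUListEx lists child 1 first.
SAMPLE_BAGMRU = key(
    {"MRUListEx": mru(1, 0), "0": "Desktop", "1": "C:"},
    "2015-01-01T11:00:05",
    {
        "0": key({"NodeSlot": 1, "MRUListEx": mru(0), "0": "Experiment Folder 1"},
                 "2015-01-01T10:00:00",
                 {"0": key({"NodeSlot": 27, "MRUListEx": mru()}, "2015-01-01T10:00:05")}),
        "1": key({"NodeSlot": 2, "MRUListEx": mru(0), "0": "Experiment Folder 2"},
                 "2015-01-01T11:00:00",
                 {"0": key({"NodeSlot": 30, "MRUListEx": mru()}, "2015-01-01T11:00:05")}),
    },
)


def decode_mrulistex(data: bytes) -> list[int]:
    """Return child indices in most-recently-used-first order.

    The blob is a run of little-endian DWORDs; 0xFFFFFFFF terminates it.
    """
    order = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == MRU_TERMINATOR:
            break
        order.append(idx)
    return order


def walk_bagmru(node: dict, path: tuple = ()) -> list[dict]:
    """Depth-first walk producing one record per folder, siblings in MRU order."""
    records = []
    values = node["values"]
    for rank, idx in enumerate(decode_mrulistex(values["MRUListEx"])):
        child = node["subkeys"][str(idx)]
        folder = path + (values[str(idx)],)
        records.append({
            "path": "\\".join(folder),
            "mru_rank": rank,                          # 0 = most recently used sibling
            "node_slot": child["values"]["NodeSlot"],  # Bags\<slot> holding view settings
            "last_write": child["last_write"],         # key timestamp used for the timeline
        })
        records.extend(walk_bagmru(child, folder))
    return records


def build_timeline(records: list[dict]) -> list[tuple[str, str, int]]:
    """Order folders by BagMRU key last-write time, oldest first."""
    return [(r["last_write"].isoformat(), r["path"], r["node_slot"])
            for r in sorted(records, key=lambda r: r["last_write"])]


if __name__ == "__main__":
    for stamp, path, slot in build_timeline(walk_bagmru(SAMPLE_BAGMRU)):
        print(f"{stamp}  Bags\\{slot:<3}  {path}")
```

The MRU rank and the key timestamp answer different questions: the rank says which sibling Explorer touched last, while the last-write time says when the key itself was last rewritten, which (as the experiments in Section III show) happens when the folder is closed, not when it is opened.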
III. EXPERIMENTAL ANALYSIS OF SHELLBAG INFORMATION UPDATING
The main objective of this section is to explore how
Windows 10 stores and modifies Shellbags, as compared with
Windows XP, with particular emphasis on when that
information is updated by what user actions. Experiments run
under this section directly correspond to experiments run under
the corresponding section [1]. In each experiment
ShellBagsView [2], and ProcMon [3], the replacement for
RegMon [4], will be run to monitor changes to the registry.
Experiments listed below will be taken directly from the source
paper [1], with the exception of Experiment 9.
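The experiments that follow tally ProcMon registry events per Shellbag slot by reading the ProcMon window. As an added example (not the paper's own code and not part of ProcMon or ShellBagsView), the Python below does that tally over a ProcMon CSV export: it keeps only registry-modifying operations under the Windows 10 Shell key and counts them per Bags\<slot> or BagMRU, discarding reads such as RegQueryValue and writes elsewhere in the registry. The CSV text is constructed to imitate an export taken while a Desktop folder in slot 27 is closed; the column layout follows ProcMon's CSV save format, and the value names and folder-type GUID under the slot are the standard Shell view settings.

```python
"""Count Shellbag registry writes per slot in a ProcMon CSV export.

Added example, not from the paper. The CSV below is constructed to imitate a
ProcMon export (File > Save, CSV format) captured while a folder is closed; it
is not a capture from the author's experiments.
"""
import csv
import io
import re
from collections import Counter

# ProcMon abbreviates HKEY_CURRENT_USER as HKCU in its Path column.
SHELL_ROOT = r"HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell"
# Operations that modify the registry; reads (RegQueryValue, RegOpenKey) are noise here.
WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}
SLOT_RE = re.compile(r"\\Bags\\(\d+)(\\|$)")

# Constructed sample export: one read, five writes to Bags\27, one BagMRU write,
# and one unrelated Explorer write that must not be counted.
SAMPLE_PROCMON_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:12:01.0000001 PM","explorer.exe","1234","RegQueryValue","HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\SniffedFolderType","SUCCESS","Type: REG_SZ, Length: 16, Data: Generic"
"3:12:05.0000002 PM","explorer.exe","1234","RegCreateKey","HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}","SUCCESS","Desired Access: All Access"
"3:12:05.0000003 PM","explorer.exe","1234","RegSetValue","HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode","SUCCESS","Type: REG_DWORD, Length: 4, Data: 4"
"3:12:05.0000004 PM","explorer.exe","1234","RegSetValue","HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"3:12:05.0000005 PM","explorer.exe","1234","RegSetValue","HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize","SUCCESS","Type: REG_DWORD, Length: 4, Data: 16"
"3:12:05.0000006 PM","explorer.exe","1234","RegDeleteValue","HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo","SUCCESS",""
"3:12:05.0000007 PM","explorer.exe","1234","RegSetValue","HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx","SUCCESS","Type: REG_BINARY, Length: 12, Data: 00 00 00 00 01 00 00 00 FF FF FF FF"
"3:12:05.0000008 PM","explorer.exe","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a","SUCCESS","Type: REG_SZ, Length: 10, Data: cmd\1"
"""


def parse_procmon_csv(text: str) -> list[dict]:
    """Parse a ProcMon CSV export into one dict per event."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def shellbag_writes(rows: list[dict]) -> list[dict]:
    """Keep only registry-modifying events under the Shell key."""
    return [r for r in rows
            if r["Operation"] in WRITE_OPS and r["Path"].startswith(SHELL_ROOT)]


def classify_target(path: str) -> str:
    """Map an event path to the Bags\\<slot> it touches, or to BagMRU."""
    m = SLOT_RE.search(path)
    if m:
        return "Bags\\" + m.group(1)
    if path.startswith(SHELL_ROOT + "\\BagMRU"):
        return "BagMRU"
    return "other"


def writes_by_slot(rows: list[dict]) -> dict:
    """Count write operations per slot, broken down by operation name."""
    per_slot = {}
    for r in shellbag_writes(rows):
        per_slot.setdefault(classify_target(r["Path"]), Counter())[r["Operation"]] += 1
    return per_slot


def total_writes(per_slot: dict) -> dict:
    """Collapse the per-operation breakdown into one count per slot."""
    return {slot: sum(c.values()) for slot, c in per_slot.items()}


if __name__ == "__main__":
    summary = writes_by_slot(parse_procmon_csv(SAMPLE_PROCMON_CSV))
    for slot, ops in summary.items():
        print(slot, dict(ops))
```

Filtering on the Shell root before counting is what keeps the unrelated Explorer write out of the totals; in a real capture Explorer touches many other keys, so without that filter the per-experiment counts would be inflated.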
A. Experiment 1
Open a folder that currently has associated Shellbag
information and is located on the Desktop. This experiment
was designed in XP to observe user action associated with
Desktop folders [1] and their resulting Registry changes. The
experiment performed for the purposes of this paper seeks to
observe the same, and compare those observations to what was
observed in the XP experiments.
The first step in conducting this experiment was to
establish the contents of the Shellbag associated with the folder
in question. A folder was created on the desktop, content was
placed inside it, it was opened and closed and then the program
ShellBagsView was used to document its metadata.
Subsequently the folder was opened and the contents re-
examined in ShellBagsView. The contents were also viewed
both before and after the experiment in RegEdit [5], the
Windows tool to directly interact with registry keys.
i. Log Analysis
ShellBagsView recorded no change in data by the opening
of the folder. ProcMon records only a registry key set value on
the sniffed data part of the Shellbag associated with this folder.
RegEdit shows no change in the registry values for this
Shellbag.
B. Experiment 2
Close a folder that currently has associated Shellbag
information and is located on the Desktop. This experiment
was designed in XP to observe user action associated with
Desktop folders [1] and their resulting Registry changes. The
experiment performed for the purposes of this paper seeks to
observe the same, and compare those observations to what was
observed in the XP experiments.
Using the same folder as Experiment 1, it was closed and
the program ShellBagsView was rerun to establish current
Shellbag data. ProcMon was monitored and RegEdit was
checked at every step.
i. Log analysis:
The simple open and closing of the folder, without any
changes to its contents or its location, size, viewing options or
other, changes nothing associated with the Shellbag data.
However, upon closing the folder from the desktop, ProcMon
displayed 14 processes that were called to set or delete
Shellbag values for the Shellbag in slot 27, the slot allocated to
our folder. RegEdit shows no change to the Shellbag contents.
ii. Comparison to Windows XP results:
Effectively, although the path names are differing
somewhat, the results of this experiment are identical to the
one run in Windows XP. The folder’s Shellbag is updated upon
the closing of the folder, per the review of ProcMon. Because
no changes were being made to the viewing options of the
folder, in an attempt to ensure a very repeatable experiment,
there is no visible change to the register. This is likely because
any updates are merely duplicating the existing data.
C. Experiment 3:
Open a folder that currently has associated Shellbag
information and is not located on the Desktop. This experiment
was designed in XP to observe “user action associated with
non-Desktop folders” [1] and their resulting Registry changes.
The experiment performed for the purposes of this paper seeks
to observe the same, and compare those observations to what
was observed in the XP experiments.
i. Log analysis:
Opening Experiment Folder 2, not located on the desktop,
has the same results as Experiment 1: ShellBagsView reported
that no information in the Shellbag was changed by the
opening of the folder. ProcMon reported only the one sniff
process. RegEdit showed no change to the associated Shellbag
contents.
ii. Comparison to Windows XP results:
Again, the paths for the keys differ, but in the XP analysis,
there is an updating to the entire hierarchy of folders resulting
in the opened folder being the most recently used item [1] that
is missing in the Windows 10 processes. The simple opening
of a folder does not yet result in any changes to the registry
Shellbags.
D. Experiment 4:
Closing a folder that currently has associated Shellbag
information and is not located on the Desktop. This experiment
was designed in XP to observe “user action associated with
non-Desktop folders” [1] and their resulting Registry changes.
The experiment performed for the purposes of this paper seeks
to observe the same, and compare those observations to what
was observed in the XP experiments.
i. Log analysis:
No information contained by the ShellBagsView changed
by the closing of the file. However, there was substantial
Shellbag activity in the registry keys that was recorded by
ProcMon. At this point it is becoming obvious that
ShellBagsView might not be completely competent at
deciphering all the information on Shellbags that is available.
There are numerous references in ProcMon to a
ShellBags13…, which is not showing up as any of the
Shellbag numbers in ShellBagsView. ProcMon reported 17
calls to RegSetValue or RegDeleteValue for the
ShellBags30… location. RegEdit showed no change to the
Shellbag contents.
ii. Comparison to Windows XP results:
The XP analysis shows, again, a hierarchical updating of
folders, which is visible in the Windows 10 structure. But
given that some updating happened with the opening of the
folder in Windows XP, it is likely that either there is a
difference between the data that is updated, or that all the data
that is updated happens when the folder is closed, which is a
difference from the XP processes.
E. Experiment 5:
Open a folder that currently does not have associated
Shellbag information. This experiment was designed in XP to
observe what shell keys are “created when the user performs an
opening operation on a folder that does not yet have Shellbag
information” [1]. The experiment performed for the purposes of
this paper seeks to observe the same, and compare those
observations to what was observed in the XP experiments.
This experiment proved to differ from the XP experiments.
Immediately upon the creation of the folder, despite not having
opened it, ShellBagsView reported a Shellbag slot was created
for it at slot 32, together with create/accessed times. ProcMon
reported 37 RegCreateKey, RegDeleteValue and RegSetValue
functions for slot 7, which is believed to hold data on the
different Shellbag slots. However, none of those processes
referenced slot 32, which means that there is no information in
the registry for a Shellbags32. And RegEdit showed a folder
32 for this slot that had not previously existed, but it did not
have the contents of the other Shellbag folders for folders that
had previously been opened and closed. So, this experiment
will proceed as if there were zero Shellbag information in
existence for the folder in question.
i. Log analysis:
ProcMon reported 34 RegSetValue, RegCreateKey or
RegDeleteValue processes upon the opening of the folder.
However, only one was for the slot 32, the slot that was created
for this folder. The others were mostly for slot 30, the parent
folder, and slot 7, the Shellbags data folder. The data included
in the ShellBagsView report did not change from its previous
contents.
At this point it is worth noting that a difference has been
found between opening a folder by using right-click: open in
new window, and a double click to open the folder in the
existing window. The registry process calls do not reference
the parent folder’s slot, only the Shellbag’s data folder slot,
when the new folder is opened using right click: open in new
window. RegEdit shows that there is a slot created for this
folder, but it has no contents that are found when looking at
Shellbags for folders that have been opened and closed.
ii. Comparison to Windows XP results:
The results in XP show an updating of the hierarchy, again,
of the parent folders when a new folder is opened. Since
attempting a new way to open the folder, there is a possibility
that the updating of the hierarchy of folders would happen
when using the traditional double click, which was being
specifically avoided in an attempt to mitigate the usual window
staggering effect which might update Shellbag data due to the
new location of the window. Otherwise, similar results
followed, even if some paths for registry calls vary.
F. Experiment 6:
Close a folder that currently does not have associated
Shellbag information. Current data: last modified::42
i. Log analysis:
Upon closing the folder, 13 calls to RegSetValue process
were reported by ProcMon, together with an additional call to
RegCreateKey and one to RegDeleteValue. It is likely that the
Registry key for this Shellbag has just been created and data
for it populated into the metadata for the file. Additionally,
since there were calls to processes for the Shellbag at slot 7, it
is likely that information in that file has also changed.
ShellBagsView reports only that the Slot Modified time has
been altered in the Shellbag for this folder. At this point the
validity of the information provided by ShellBagsView in this
platform is questionable. RegEdit now shows a fully populated
Shellbag folder for this folder.
ii. Comparison to Windows XP results:
In XP the system is reported to not create any new Shellbag
information for a new folder when it is first opened. This
differs somewhat from Windows 10, which immediately
creates a location for it, even if it is not a fully populated
folder. The XP process shows that the keys are not created
until after the closing of the folder. The population of the
Shellbags with the data happens similarly to XP [1].
G. Experiment 7:
Delete a folder that currently has associated Shellbag
information. This experiment was designed in XP to observe
whether the associated Shellbag would be deleted when the
folder was deleted [1]. The experiment performed for the
purposes of this paper seeks to observe the same, and compare
those observations to what was observed in the XP
experiments.
i. Log analysis:
Upon deleting two folders, one of which had a document,
ProcMon reported zero Registry changes to the relevant keys
and slots. ShellBagsView reports the continued existence for
the folders with no changes to their modified and access times.
RegEdit shows no change to the Shellbag associated with this
folder.
ii. Comparison to Windows XP results:
The XP analysis indicates that there was registry updating
that happened following the deletion of the file, but that there
was no additional registry activity that would indicate any
deletion of Shellbags or Shellbag data [1]. This is very similar
to what happens in Windows 10, with the exception that there
was absolutely no Shellbag registry activity whatsoever when
the folder was deleted.
H. Experiment 8:
Open a newly created folder with the same name as a
previously deleted folder which had associated Shellbag
information. This experiment was designed in XP to test
whether the impact of not having the previous Shellbag deleted
would impact future folders [1]. The experiment performed for
the purposes of this paper seeks to observe the same, and
compare those observations to what was observed in the XP
experiments.
i. Log analysis:
Upon the creation of the folder, ProcMon reported
numerous calls changing data in the Registry Key for slot 7,
but nothing for any of the other slots. ShellBagsView continues
to report the Shellbag information for the old folder.
Upon opening the new folder ProcMon reported a
RegCreateKey function for slot 31, the same slot as the
previous folder, and sniffed the contents. ShellBagsView
continues to report the same data as was in the Shellbag for the
old folder. RegEdit shows no change in the contents of the
associated Shellbag.
ii. Comparison to Windows XP results:
XP analysis shows that the new folder inherits the old
folder’s Shellbag [1]. This is identical to the analysis in
Windows 10.
I. Experiment 9:
Close the newly created folder with the same name as the
previously deleted folder which had associated Shellbag
information. This experiment was changed to supplement what
the author perceived was a lack of completion for Experiment
8, to give the processes a chance to finish updating the
Shellbag by processes that are triggered by the closing of the
folder.
i. Log analysis
ProcMon reports numerous calls to RegSetValue, and a call
to RegCreateKey and a call to RegDeleteValue for the slot in
question. However, ShellBagsView, while updating the Slot
Modified Time, continues to insist that this ShellBag was last
modified at the same time as the old folder. RegEdit showed no
change to the contents of the Shellbag.
IV. ANALYSIS OF CAUSALITY BETWEEN USER ACTIONS AND SHELLBAG INFORMATION UPDATING
Analysis of the Windows 10 Shellbag updating processes,
as compared to the Windows XP updating processes, shows that
they are generally very similar. The registry key paths have
changed, and the structure of the Shellbag folders may have
been somewhat altered, but their contents and purpose remain
the same.
Of note for forensic purposes is that the Shellbags do not
finish updating any information until the folder is closed.
Therefore, when performing analysis on a live system, or on an
image taken of a live system, where there might be folders
open, a judgement will need to be made on how those folders
came to be open, and what sort of updates to the Shellbags
might occur if the investigator were to close a folder. Though,
it is generally considered taboo to close folders on suspect
machines.
To summarize, updating of Shellbags in the Windows 10
system seems to have shifted to a strictly post-closing process.
Future research in this area could include examining the
registry updates involved in changing windows viewing, size,
ordering, and other settings controlled by Shellbags.
ACKNOWLEDGMENT
The author would like to thank Dr. Shashidhar for the
suggestion of this research topic, Andrew Bennett for the use
of resources and contacts to obtain the beta copy of Windows
10, and Sam Houston State University, particularly the
Computer Science department, for the use of resources and
excellence of instruction that has been received.
REFERENCES
[1] Y. Zhu, P. Gladyshev, and J. James, “Using shellbag information to
reconstruct user activities,” 2009. [Online]. Available:
www.dfrws.org/2009/proceedings/p69-zhu.pdf
[2] ShellBagsView, v1.16, NirSoft. [Online]. Available: www.nirsoft.net
[3] M. Russinovich and B. Cogswell, ProcMon – Process Monitor 3.1,
Sysinternals. [Online]. Available:
technet.microsoft.com/en-us/sysinternals/bb896645.aspx
[4] M. Russinovich and B. Cogswell, RegMon. No longer available or usable
on modern Windows systems.
[5] RegEdit, Windows utility included standard with Microsoft Windows.