ShellBags
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
ShellBags store Explorer's memory of how a user configured each folder — icon size, sort order, window position. Windows creates an entry for every folder a user opens, including network shares, ZIP archives and removable drives. The folder entry persists even after the source directory or device is gone, making ShellBags one of the most powerful proofs of interactive directory traversal available.
Key Name
BagMRU (tree of binary PIDLs) + Bags\{n}\Shell (view settings) — each node in BagMRU represents one folder in the hierarchy
Trace Type
Execution
Hive
USRCLASS.DAT. Primary location. A subset also exists in NTUSER.DAT under \Software\Microsoft\Windows\Shell\BagMRU.
Last Write Time
Each BagMRU node carries its own Last Write Time — this approximates the last time a user opened or interacted with that specific folder, enabling timeline reconstruction across browsed directories.
User Specific
Yes. Entirely user-scoped. Each profile has its own USRCLASS.DAT and therefore its own independent ShellBag history.
Forensic Value
- Prove folder access on disconnected devices: A ShellBag entry survives after a device is removed. Combine this tracking with RecentDocs to see what specific files were launched from those folders.
- Map directory traversal timelines: Per-node Last Write Times build a chronological picture of exactly which directories a user navigated through and in what order.
- Expose deleted folder access: If a suspect deleted a staging directory, ShellBags may still retain its full path and the timestamps of the last visit.
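Added example (not part of the original reference card): a Python sketch of the per-node timeline reconstruction described above. It assumes a registry parser has already exported each BagMRU key path with its decoded folder name and Last Write FILETIME; the sample nodes, folder names and timestamps below are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_AS_FILETIME = 116444736000000000  # 1970-01-01 in 100 ns ticks

def filetime_to_utc(ft):
    """Convert a registry Last Write Time (100 ns ticks since 1601) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def full_path(key, nodes):
    """Join decoded folder names from the BagMRU root down to `key`."""
    parts = key.split("\\")
    names = []
    for depth in range(2, len(parts) + 1):  # skip the root key (Desktop)
        ancestor = "\\".join(parts[:depth])
        # Keep gaps visible when an ancestor key was not recovered.
        names.append(nodes[ancestor][0] if ancestor in nodes else "<unknown>")
    return "\\".join(names) or "Desktop"

def build_timeline(nodes):
    """Return (utc_time, key, folder_path) tuples, oldest Last Write first."""
    rows = [(filetime_to_utc(ft), key, full_path(key, nodes))
            for key, (_name, ft) in nodes.items()]
    return sorted(rows)

def ft(unix_seconds):
    """Helper for the constructed sample: Unix seconds -> FILETIME."""
    return UNIX_EPOCH_AS_FILETIME + unix_seconds * 10_000_000

# Constructed sample: key path -> (decoded folder name, Last Write FILETIME).
# BagMRU\1 is deliberately absent to show a partially recovered tree.
SAMPLE_NODES = {
    r"BagMRU":         ("Desktop", ft(1709283600)),  # 2024-03-01 09:00:00Z
    r"BagMRU\0":       ("This PC", ft(1709283605)),
    r"BagMRU\0\0":     ("E:",      ft(1709283660)),
    r"BagMRU\0\0\0":   ("staging", ft(1709283900)),
    r"BagMRU\0\0\0\0": ("export",  ft(1709283780)),
    r"BagMRU\1\2":     ("reports", ft(1709283300)),
}

if __name__ == "__main__":
    for when, key, path in build_timeline(SAMPLE_NODES):
        print(f"{when.isoformat()}  {key:<16}  {path}")
```

Because a key's Last Write Time only approximates the visit, treat the resulting order as a lead to corroborate with other artifacts rather than as an exact access log.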
For more information, see the related article: RecentDocs