User Behavior

UserAssist: Applications opened

RecentDocs: Files and folders opened

Shellbags: Locations browsed by the user

Open / Save MRU: Files that were opened

Last-Visited MRU: Applications used to open files

UserAssist

NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

  • {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} – A list of applications, files, links, and other objects that have been accessed.

  • {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} – Lists the shortcut links used to start progams

Recent Docs

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

The NTUSER.DAT file contains a "RecentDocs" section that lists recently accessed documents.

ShellBags

Shellbags store information about user interactions with directories through Windows Explorer. They are valuable because they provide insights into a user's activity, such as the folders they accessed or viewed, even if those folders were deleted or on a removable drive.

Shellbags store metadata about folders, including:

  • Folder paths (including those on external devices or network shares)

  • Timestamps (creation, modification, and access)

  • View preferences (e.g., list view, icon view)

  • Folder size and dimensions (in some cases)

  • Registry locations (indicating user profiles and activity)

NTUSER.DAT

  • HKCU\Software\Microsoft\Windows\Shell\BagMRU

  • HKCU\Software\Microsoft\Windows\Shell\Bags

USRCLASS.DAT

  • \Local Settings\Software\Microsoft\Windows\Shell\BagMRU

  • \Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags

Also using Registry Explorer:

Also in NTUSER.DAT:

We can also use ShellBags Explorer:

Let's open UsrClass.dat:

PreviousDisk Analysis IntroductionNextOverview of disk structures, partitions and file systems

Last updated