Remove ShellBags in Windows for Privacy


Every single folder that you've ever accessed on your computer has information stored about it.

Even after you've deleted the folders, this information still persists.

And this goes for folders that you've created on encrypted hard drives, too.

Microsoft refers to this data as ShellBags. The purpose of ShellBags is to remember the date, size, position, view and icon of folders in Windows Explorer.

This leaves you seriously exposed to any digital forensic analyst who might be searching through your hard drive.

You thought the folder that you had created last year on do-it-yourself nuclear weapons was gone forever? Think again! What about the USB drive with top-secret government files you had on it? Yep. Information about that too is being stored on your computer.


Don't worry though. I'll show you how to disable ShellBags on your Windows computer and then how to clean up any existing data that is remaining.

Step #1

Open your registry editor by going to Start, then Run, and typing in regedit.

Step #2

Microsoft has a list of subkeys used for ShellBags which we'll be using for this guide.

Once you have the registry editor open, you'll want to delete the following subkeys:

You can copy and paste these subkeys directly into the registry editor.

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags
  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

If you're running a 64-bit OS, delete these keys too:

  • HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  • HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\Bags

Please note that this guide covers multiple Windows operating systems (XP, Vista, Windows 7, Windows 10) and your version may or may not include some of these subkeys. If the subkey isn't on your system, you don't have to worry about deleting it.


Step #3

Now you'll need to re-create these keys:

  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags

If you're running a 64-bit OS, create these keys too:

  • HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  • HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\Bags

Since this guide covers multiple Windows versions, you may or may not require some of these subkeys. For example, if you don't have HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell, then don't worry about creating the BagMRU key inside of it.

Step #4

Go to Computer\HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell

Right-click Shell -> New and then click DWORD (32-bit) Value

Name it BagMRU Size and set the value data to 1.

ShellBags have now been disabled on your computer.

Congratulations! ShellBag data will no longer be stored on your computer.

Clean up old ShellBags

Now that you've disabled ShellBags, you'll need to clean up all of the existing information still stored on your computer.

There's a program for viewing and deleting ShellBags called Shellbag Analyzer & Cleaner.

To verify that ShellBags are disabled on your system, click the Analyze button. You'll see all of the information currently being stored on your system. Click Clean. Then create a new folder on your desktop called Testing. Click the Analyze button again. If you don't see anything in the list, you've successfully disabled ShellBags.
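
The same state can be read straight from the registry. The PowerShell below is an added example, not part of the original guide or of Shellbag Analyzer & Cleaner: it is read-only, reports which of the subkeys from Steps 2 and 3 exist and how many subkeys each still holds, and shows whether the BagMRU Size value from Step 4 is set. The function names Get-ShellBagKeyStatus and Get-BagMruSize are made up for this example.

```powershell
# Added example: read-only audit of the ShellBag keys listed in this guide.
# Nothing is modified. Run it in the session of the user whose HKCU hive you want to inspect.

$shellBagKeys = @(
    'HKCU:\Software\Microsoft\Windows\Shell\Bags',
    'HKCU:\Software\Microsoft\Windows\Shell\BagMRU',
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\BagMRU',
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\Bags',
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags',
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU',
    'HKCU:\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\BagMRU',
    'HKCU:\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\Bags'
)

function Get-ShellBagKeyStatus {
    # Hypothetical helper: one result object per key path.
    param([string[]]$Path)
    foreach ($p in $Path) {
        $exists  = Test-Path -LiteralPath $p
        $subkeys = 0
        if ($exists) {
            # A key that was just re-created in Step 3 has no subkeys yet.
            $subkeys = @(Get-ChildItem -LiteralPath $p -Recurse -ErrorAction SilentlyContinue).Count
        }
        [pscustomobject]@{ Key = $p; Exists = $exists; SubKeys = $subkeys }
    }
}

function Get-BagMruSize {
    # Hypothetical helper: returns the DWORD from Step 4, or $null when it is not set.
    param([string]$ShellKey = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell')
    if (-not (Test-Path -LiteralPath $ShellKey)) { return $null }
    $item = Get-ItemProperty -LiteralPath $ShellKey -Name 'BagMRU Size' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'BagMRU Size'
}

Get-ShellBagKeyStatus -Path $shellBagKeys | Format-Table -AutoSize

$size = Get-BagMruSize
if ($null -eq $size) { 'BagMRU Size: not set' } else { "BagMRU Size: $size" }
```

Run it once after Step 4 and again after browsing a few folders; a SubKeys count that keeps growing between runs means folder data is still being recorded under that key.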


Network shares

I tested this out fully in Windows 10 Pro on the hard drive that my OS is on, a secondary hard drive, multiple USB sticks and a Samba network share.

Everything besides my network shares is no longer being stored in ShellBags.

If someone knows how to disable ShellBags for network shares, please post a comment and let me know!
