Protecting your Windows anonymity – ShellBags

You’ve probably seen or even used software on the Web that claims to clear your computer of cookies, unused registry entries, crapware and more. What these PC cleaners don’t do is remove what are called ‘ShellBags’. I suspect most people who use a PC don’t know what ShellBags are, or why and how you might want to remove them.

ShellBags are registry entries which, in the main, store data on how folders are displayed in Windows Explorer. When you open and close folders in Windows Explorer, Windows creates a ShellBag in the registry. These ShellBags carry a date and time stamp for the folders you opened and closed, which links you to a particular action, i.e. a folder location on a Windows machine, including a virtual drive path if you use an application like Parallels. ShellBags also provide an invaluable reference for removable devices, including previously mounted encrypted volumes, among others. See Did you know? below.

Did you know? If you use TrueCrypt (which allows you to mount encrypted volumes) to encrypt your folders and files, ShellBags will still display the folders in the registry, including the full folder path, and will highlight whether you are using a virtual machine as well!

Windows stores the ShellBags in the following registry keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam (this is stored in the Shell subkey)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell (this is stored in the Shell subkey)
  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell (Only in Windows Vista/7 & 8)

If you value your privacy, then I’d suggest you look at disabling ShellBags. Before you do, you should know that making changes to the Windows registry can damage your system. Therefore, I suggest you make a removable backup of your registry before proceeding further:

  • Open regedit.exe (type this into search) and navigate to: HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell
  • Left-click on the Shell key and look in the right pane. Note: if you can see BagMRU Size there, there is no need to undertake this step. If it isn’t there, right-click and select New > DWORD (32-bit) Value, name it BagMRU Size, then set its value to 0 in Decimal view
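
If you prefer a script to clicking through regedit, here is the same procedure in PowerShell. This is an added example, not part of the original post or of any tool mentioned in it: it counts the entries under the three keys listed above, then checks for BagMRU Size and, only when run with -Apply, backs up the Shell key and creates the value. The -Apply switch and the backup file name and location are assumptions for illustration (move the .reg file to removable media afterwards), and BagMRU and Bags are the standard subkey names Explorer uses under these keys.

```powershell
# Added example: audit the ShellBag keys listed above, then apply the BagMRU Size step.
# Assumptions: run as the affected user; -Apply and the backup path are illustrative.
param([switch]$Apply)

$keys = @(
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam',
    'HKCU:\Software\Microsoft\Windows\Shell',
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell'
)

# 1. Report how many ShellBag subkeys each location currently holds.
foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) {
        "{0}: not present on this system" -f $key
        continue
    }
    # BagMRU holds the folder tree, Bags the per-folder view settings.
    foreach ($sub in 'BagMRU', 'Bags') {
        $path  = Join-Path $key $sub
        $count = 0
        if (Test-Path -LiteralPath $path) {
            $count = @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue).Count
        }
        "{0}\{1}: {2} subkeys" -f $key, $sub, $count
    }
}

# 2. Look for the value the manual step creates (Vista/7/8 key).
$target  = $keys[2]
$name    = 'BagMRU Size'
$current = $null
if (Test-Path -LiteralPath $target) {
    $current = (Get-ItemProperty -LiteralPath $target -Name $name -ErrorAction SilentlyContinue).$name
}

# 3. Leave an existing value alone; otherwise back up first, then create it as 0.
if ($null -ne $current) {
    "'$name' already exists (value $current); nothing to do."
} elseif (-not $Apply) {
    "'$name' is missing. Re-run with -Apply to back up the key and create it with value 0."
} else {
    $backup = Join-Path $env:USERPROFILE ("shell-key-backup-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    & reg.exe export 'HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell' $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; registry left unchanged.' }
    New-ItemProperty -LiteralPath $target -Name $name -PropertyType DWord -Value 0 | Out-Null
    "Backup written to $backup; '$name' created with value 0."
}
```

Run it once without -Apply first to see what your own profile has accumulated before changing anything.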

If you are not confident in making changes to the Windows registry, then I suggest you download to your desktop the free ShellBag AnalyZer & Cleaner 1.9 software (this is the latest release). This software works on Windows 7 (32 bit), Windows 7 (64 bit), Windows 8, Windows Server, Windows Vista (32 bit), Windows Vista (64 bit), Windows XP.

How does this software work? It decrypts the binary data from the ShellBagsMRU location which is associated with each key in the registry, into human readable form.

  • Launch the application (you don’t need to install it) and click the ‘Analyze’ button
  • On completion of the scan, you will be presented with the number of ShellBags found, along with traces of deleted folders. You have the option of viewing all; folders on network / external devices; existing folders; control panel & system and search results
  • Click the ‘Clean’ button and then ‘Advanced Options’ and you have the option of: Scrambling dates; Cleaning invalid ShellBags and optimizing ShellBags
  • There is also a ‘Secure cleanup’ option which allows you to securely delete an HDD or SSD with one pass (all zeros) all the way up to six passes (US Army 380-19). The latter will take some time, however. Then, all you need to do is click ‘Start’

If you do want to explore your Windows operating system and learn more about ShellBags and how they impact your privacy, I’m sure you will find this post most useful. Next week, I will be exploring the subject of preference lists (plists) on Macs (via the Finder) and how they store similar types of data to Windows ShellBags.

Safe surfing folks!
