
include cleaning of ShellBags from the registry


mta


  • Moderators

I have just become aware of registry entries covering the area referred to as ShellBags.

 

Basically it's a half dozen or so registry hives that contain every file you ever opened along with the date/time, windows position and size, icon used and a bunch of other data.

 

So apart from the forensic side of cleaning it, I was surprised there were so many and although the info they contain doesn't worry me, I was surprised I had so many.  Something like 40,000 were removed.

 

Anybody have any deeper knowledge of this area and potential dangers if CC were to include them?

Backup now & backup often.
It's your digital life - protect it with a backup.
Three things are certain; Birth, Death and loss of data. You control the last.


  • Moderators

Can't find any on my Win8 box. I looked in HKCU\Software\Microsoft\Windows\Shell, about a dozen entries in Bags, but nothing that looked like the data you mentioned.

 

This ShellBags parser was recommended by SANS Forensics, so should be safe. I'll try it later, under Sandboxie. https://tzworks.net/prototype_page.php?proto_id=14 (can download it, don't know if it's free).

 

By the way, what method did you use to remove your entries?


  • Moderators

I came across another cleaning program that shall not be named as I've been looking into what other programs do in an attempt to see what else I could add to my INCLUDES.

And when this program, under their Windows History section mentioned ShellBags and found all these files that I have opened, dating back years, with folder locations, dates, sizes extra, I got curious.

It did its scan, I checked the results, let it do its thing - took almost an hour to go through them all.  It even did a reg backup prior to the clean.

 

So I'm now wondering if there is anything adverse that people would know about (above the normal caution of touching anything in the registry) and if whether it could be included in CC one day.


  • Moderators

The cleanup program picked on these keys for my Win8 PC:

 

HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU

HKCU\Software\Microsoft\Windows\Shell\BagMRU

HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

HKCU\Software\Classes\WOW6432Node\Local Settings\Software\Microsoft\Windows\Shell\BagMRU


I only list what I found in winapp2.ini

 

[Windows XP ShellBags*]
DetectOS=|5.1
LangSecRef=3025
Detect=HKCU\Software\Microsoft\Windows\ShellNoRoam
Default=False
Warning=This will delete window size, window position and view setting of all folders.
RegKey1=HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU
RegKey2=HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags

 

[Windows 7/8 ShellBags*]
DetectOS=6.1|
LangSecRef=3025
Detect=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell
Default=False
Warning=This will delete window size, window position and view setting of all folders.
RegKey1=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
RegKey2=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
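
An added example, not part of the original posts and not CCleaner's own code: it parses the two winapp2.ini entries quoted above, works out which registry keys they would delete on a given Windows version, and lists which of the keys reported by the other cleanup program earlier in the thread would be left untouched. It assumes DetectOS is read as `min|max` with either side optional; the function names are hypothetical.

```python
# Entries and keys quoted in the thread (entries trimmed to the fields used here).
WINAPP2 = r"""
[Windows XP ShellBags*]
DetectOS=|5.1
RegKey1=HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU
RegKey2=HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags
[Windows 7/8 ShellBags*]
DetectOS=6.1|
RegKey1=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
RegKey2=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
"""
REPORTED = [
    r"HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU",
    r"HKCU\Software\Microsoft\Windows\Shell\BagMRU",
    r"HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU",
    r"HKCU\Software\Classes\WOW6432Node\Local Settings\Software\Microsoft\Windows\Shell\BagMRU",
]

def parse_entries(text):
    entries, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = entries.setdefault(line[1:-1], {"DetectOS": "|", "regkeys": []})
        elif cur is not None and "=" in line:
            name, value = line.split("=", 1)
            if name.startswith("RegKey"):
                cur["regkeys"].append(value)
            elif name == "DetectOS":
                cur["DetectOS"] = value
    return entries

def version(text):
    return tuple(int(part) for part in text.split("."))

def applies(entry, os_version):
    # Assumption: DetectOS is "min|max", either side optional, bounds inclusive.
    low, _, high = entry["DetectOS"].partition("|")
    v = version(os_version)
    return (not low or version(low) <= v) and (not high or v <= version(high))

def keys_removed(text, os_version):
    """Registry keys the applicable entries would delete on this Windows version."""
    return [k for e in parse_entries(text).values() if applies(e, os_version) for k in e["regkeys"]]

def not_covered(reported, removed):
    # A reported key is covered if it is a removed key or sits beneath one.
    roots = [r.lower() for r in removed]
    return [k for k in reported
            if not any(k.lower() == r or k.lower().startswith(r + "\\") for r in roots)]
```

For Windows 8 (version 6.2), `not_covered(REPORTED, keys_removed(WINAPP2, "6.2"))` returns three of the four reported keys: only the `Classes\Local Settings` BagMRU key falls under the applicable entry.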


  • Moderators

Ah, good, so winapp2 does the job.

Didn't look in there, did I.

Still, maybe CC will do the job itself one day.

 

Also, I have to research further, but from my first delve into this area I thought it was more detailed than simply cleaning those hive keys.

