Registry: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell

The purpose of Shell bags is to store the information about the sizes and positions of the shell windows (that is explorer.exe and its views).

Two subkeys seem to play an important role:

• Bags
• BagMRU

Tools: RegRipper, sbags, ShellBags Explorer/SBECmd

Eric R. Zimmerman: Plumbing the Depths: ShellBags

Willi Ballenthin: Windows Shellbag Forensics

Microsoft's Property Store Binary File Format

https://web.archive.org/web/20180427090821/http:/www.4n6k.com/2013/12/shellbags-forensics-addressing.html