I always enjoy working on a Sunday Funday challenge from Dave that I can actually do (I'm terrible at scripting). So I decided to do some research and see what I could find.

It's been well documented just how shellbags work in terms of folder traversing and accessing but not as much information is shown in regards to some of the viewing settings for folders.

DISCLAIMER: Testing was done with Win7, so results may vary on Win10.

1. What within the shellbags entry would tell you how the user had set their directory viewing preferences (sort order, thumbnail view, standard view)?

You would first want to open up the following registry path:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\<Bag#>\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}

I prefer to use RegistryExplorer for this but there are multiple tools that can do the job. I also used ShellBagsView to help quickly correlate Bag # to a specific folder. We see the following 12 keys for the shell which we will breakdown:


I'm not entirely sure what Vid is but I'm going to assume here that it is the volume identifier (it was consistent across all the shells I looked at).

Sort is an obvious one, it determines what column is currently sorted on and if it is ascending or descending. After running RegistryChangesView, while sorting the Name column from ascending to descending you can see the last 4 bytes of hex change:



So it appears that the "01 00 00 00" refers to Ascending sort and "FF FF FF FF" refers to Descending. When sorting by Type, 24 extra bytes got added to the entry:

Before:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00
30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0A 00 00 00 01 00 00 00 

After:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00
30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 04 00 00 00 01 00 00 00
30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0A 00 00 00 01 00 00 00 

What we see is that when sorting by Type, it is actually sorting the Name column as well so that's where the added bytes are coming from (in green). The first 20 bytes don't seem to be important other than a change counter perhaps of how many columns sorted (went from 1 to 2 in yellow). I'm not sure what the first 16 bytes of each 24 byte chunk detail either (maybe a specific folder identifier?). Bytes 17-20 refer to the column being sorted (BOLD) and ITALICS is the bytes reflecting the Ascending/Descending:

0A 00 00 00 = Name
04 00 00 00 = Type
0E 00 00 00 = Date Modified
0F 00 00 00 = Date Created
0C 00 00 00 = Size

There are too many columns to do individual testing on each (at this time).

Rev seemed to be a switch (either 0, 1, 2), which lined up as follows:

0 - Blank (default?)
1 - Tiles
2 - Details

Below is a chart of the separate values for keys Mode, LogicalViewMode and IconSize (hex) that correlate with the different visual settings for folder contents in which Rev seems to be related:

StyleModeLogicialViewModeIconSize (In Pixels)
Extra Large Icons53256
Large Icons53128
Medium Icons5348
Small Icons2332
List3316
Details4116
Tiles6, 8216
Content4116

GroupView got assigned the value 4294967295 every time I chose an option from Windows Explorer:


GroupByKey:FMTID always seemed to be the same value every time as well so not sure of it's significance other than Microsoft being Microsoft.

For GroupByKey:PID, each category of grouping got an assigned PID value:


GroupingPID
Name10
Date Modified14
Type4
Size12
File Version4

I chose my default columns for testing but I'm sure as above with the sorting, each column will get a PID number (some may be duplicative as seen with Type and File Version).


Just a sample showing the change of value from 0 to 10 for Grouping by Name.

GroupByDirection was fairly easy to figure out:
0 = Ascending
1 = Descending

FFlags was a trickier one to actually get to work. I was only able to get it to change when a new shellbag was created, altering the value from default 1092616193 to blank. There could be more options that Win10 has for flipping these switches.

ColInfo needed some massaging but from the look of the data, it is keeping tracking of what columns are shown and in what order they appear in Windows Explorer. Here we have the default hex value of a folder with the standard 4 columns, Name, Date Modified, Type and Size (formatted for better viewing purposes).

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FD DF DF FD 10 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 18 00 00 00

30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0A 00 00 00 E9 00 00 00
30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0E 00 00 00 7E 00 00 00
30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 04 00 00 00 50 00 00 00
30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0C 00 00 00 50 00 00 00

What we see is some buffer information (possibly something relevant) in line 2 then we see the yellow hex which looks like it is a count of columns. We then see the 4 columns in lines 3-6, the same 20 bytes up until the last 4 (exact same bytes as above in Sort). Once we add the column for File Version we get this in ColInfo:

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FD DF DF FD 10 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 18 00 00 00

30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0A 00 00 00 E9 00 00 00
30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0E 00 00 00 7E 00 00 00
30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 04 00 00 00 50 00 00 00
30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0C 00 00 00 50 00 00 00
53 7D EF 0C 64 FA D1 11 A2 03 00 00 F8 1F ED EE 04 00 00 00 A0 00 00 00

The hex in yellow gets a bump to 5 and we see the extra column information in purple. The last test I did was to move the column File Version from slot 5 to slot 2, see how the hex values changed:

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FD DF DF FD 10 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 18 00 00 00

30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0A 00 00 00 E9 00 00 00
53 7D EF 0C 64 FA D1 11 A2 03 00 00 F8 1F ED EE 04 00 00 00 A0 00 00 00
30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0E 00 00 00 7E 00 00 00
30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 04 00 00 00 50 00 00 00
30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0C 00 00 00 50 00 00 00

The last 4 bytes for each column entry appears to be the width of each column but I don't know what sort of format that interprets to.


2. What is the default view if they don't change anything?

Your default view for all folders can be found at the following path:

HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}

Default for me looks like this when a new shellbag is added:


This breaks down to Details view, sorting on Name ascending, 4 columns, and no grouping.

3. If a user attempts to access the system volume information directory and a shellbag entry gets created (it should deny them access) what directory viewing settings are left behind?

A shellbag entry does indeed get created for the folder as you can see from the output:


But when looking in RegistryExplorer at the key entry, you only get the following information:

Some more info on the KnownFolderDerivedFolderType and SniffedFolderType settings here in section 3.2.2.14.

It's amazing that this much information can be pulled out of a few simple values in the registry. While the information is not super significant, if it can help with a case then anything is better than nothing. It just goes to show that there is always more to learn about the Windows operating system.