ShimCache
ShimCache, also known as the Application Compatibility Cache, is an artifact in Windows operating systems that tracks executable files for compatibility issues. It is part of the Windows Application Compatibility Database, which the system uses to apply compatibility fixes, or "shims," to programs that require them to run properly on the current version of Windows.
The ShimCache maintains a list of executables that have been run on the system, their file paths, and the last modification date of each binary. This cache can help determine whether an executable has been moved or renamed, or whether its timestamp has been altered to disguise when the file was really created (time stomping).
Key Insights
The ShimCache registry key depends on the version of Windows:
Windows XP: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility
Windows 7 and newer: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
In the ShimCache:
The full path of the executable is stored.
Windows 7 and newer versions maintain up to 1,024 entries (compared to 96 entries in Windows XP).
The time of execution is not recorded after Windows XP; only the binary's last modification time is stored.
Executables may be added to the cache before they are actually run, so the presence of an entry in this key does not by itself confirm execution.
Analyzing ShimCache for Program Execution
ShimCache is particularly useful in scenarios where other forms of application execution data are missing. This can include identifying the presence of malware on devices, especially on Windows servers where other execution artifacts might not be available. The information from ShimCache is not definitive proof of execution but can indicate whether an executable was present on the system.
When analyzing ShimCache, forensic investigators typically look for:
Evidence of execution for known malware or tools used by an attacker.
Indicators of binary files being moved or renamed, which could suggest an attempt to evade detection.
Discrepancies in the recorded last modification times, which could indicate time stomping.
Tools for Analysis
To extract and analyze ShimCache data, forensic analysts might use tools such as:
Windows Registry Editor for manual inspection.
Command-line tools like reg.exe to query the registry keys.
Specialized forensic tools like ShimCacheParser or Mandiant's Redline, which can parse the binary data structure of the AppCompatCache registry key.
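As an added example (not code from the page or from any of the tools named above), here is a minimal Python parser for the publicly documented Windows 10 AppCompatCache value layout (a header-size DWORD followed by "10ts" entries), plus a check for the "moved or renamed binary" case from the section above: entries whose file name matches a well-known system binary but which sit outside the Windows directory. The function names, the SYSTEM_NAMES list and the sample value are my own constructions; real data would be read from the AppCompatCache value or an exported SYSTEM hive.

```python
import struct
from datetime import datetime, timedelta, timezone

ENTRY_MAGIC = b"10ts"          # Windows 10 cache entry signature
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Names commonly reused for copied or renamed binaries (illustrative list)
SYSTEM_NAMES = {"svchost.exe", "cmd.exe", "lsass.exe", "rundll32.exe"}


def filetime_to_datetime(ft):
    """FILETIME counts 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_appcompatcache(blob):
    """Return [(path, last_modified)] in cache order.

    Windows 10 layout: DWORD header size at offset 0 (0x30, or 0x34 from the
    Creators Update on), then entries of the form "10ts" | DWORD unknown |
    DWORD entry size | WORD path size | UTF-16LE path | FILETIME |
    DWORD data size | data.
    """
    (header_size,) = struct.unpack_from("<I", blob, 0)
    pos, entries = header_size, []
    while pos + 12 <= len(blob) and blob[pos:pos + 4] == ENTRY_MAGIC:
        (entry_size,) = struct.unpack_from("<I", blob, pos + 8)
        body = blob[pos + 12:pos + 12 + entry_size]
        (path_len,) = struct.unpack_from("<H", body, 0)
        path = body[2:2 + path_len].decode("utf-16-le")
        (filetime,) = struct.unpack_from("<Q", body, 2 + path_len)
        entries.append((path, filetime_to_datetime(filetime)))
        pos += 12 + entry_size   # entry size also covers the trailing data blob
    return entries


def flag_masquerading(entries):
    """Paths named like a system binary but located outside the Windows directory."""
    return [p for p, _ in entries
            if p.rsplit("\\", 1)[-1].lower() in SYSTEM_NAMES
            and "\\windows\\" not in p.lower()]


def build_entry(path, last_modified):
    """Construct one Windows 10 entry (test data only; inverse of the parser)."""
    path_bytes = path.encode("utf-16-le")
    ft = ((last_modified - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    body = struct.pack("<H", len(path_bytes)) + path_bytes
    body += struct.pack("<QI", ft, 0)        # FILETIME, then an empty data blob
    return ENTRY_MAGIC + struct.pack("<II", 0, len(body)) + body


# Constructed sample value: a 0x34-byte header followed by two entries.
SAMPLE_BLOB = struct.pack("<I", 0x34).ljust(0x34, b"\x00") + build_entry(
    r"C:\Windows\System32\cmd.exe", datetime(2019, 3, 19, 4, 46, tzinfo=timezone.utc)
) + build_entry(r"C:\Users\Public\svchost.exe", datetime(2023, 8, 1, 12, tzinfo=timezone.utc))
```

Entries that the check flags are leads for a closer look, not proof of execution; as the section notes, the cache records presence, and the stored time is the binary's last modification time, not when it ran.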