Shimcache (AppCompatCache) Forensic Analysis

The Shimcache, formally known as the Application Compatibility Cache (AppCompatCache), is a vital Windows component designed to resolve application compatibility issues. For digital forensics and incident response (DFIR) professionals, it serves as a long-term memory of executable files observed by the system. It is instrumental in proving file existence even if the files themselves have been deleted or never formally executed.

The primary philosophy behind the Shimcache is to identify applications that encountered compatibility issues and apply a “shim”—a small piece of code that intercepts and modifies application calls to ensure compatibility with newer Windows versions.

The mechanism is straightforward:

  1. When a user explores folders using Windows Explorer or executes a program, the OS reads the metadata of various executables.
  2. Metadata (full path, modification date, attributes) is cached to prevent future compatibility issues.
  3. This cache persists in memory and is written to the Windows Registry upon system shutdown.

The Shimcache is stored in the Registry within the SYSTEM hive: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\

It is stored as a single binary value containing a list of entries. Each entry represents an executable and is timestamped with the file’s Last Modification Time (UTC).
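To make the “binary value containing a list of entries” concrete, here is an added example (not code from this page or from any of the tools named below) that walks a Windows 10 style AppCompatCache value and extracts each path with its Last Modification Time in UTC. The entry layout is an assumption taken from the publicly documented Windows 10 format, and the sample value is constructed inline rather than exported from a real SYSTEM hive.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ENTRY_MAGIC = b"10ts"  # Windows 10 per-entry signature (assumed layout)

class ShimEntry(NamedTuple):
    path: str
    last_modified: datetime  # the file's Last Modification Time, UTC

def filetime_to_datetime(ft: int) -> datetime:
    # FILETIME counts 100-ns intervals since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_appcompatcache_win10(blob: bytes) -> List[ShimEntry]:
    """Return (path, mtime) entries. Assumed layout: uint32 header size, then
    '10ts' | uint32 unknown | uint32 size | uint16 path_len | UTF-16LE path |
    uint64 FILETIME | uint32 data_len | data (size covers all bytes after it)."""
    entries = []
    offset = struct.unpack_from("<I", blob, 0)[0]  # 0x30 or 0x34 on real systems
    while offset + 12 <= len(blob):
        if blob[offset:offset + 4] != ENTRY_MAGIC:
            break  # end of the list, or a build this parser does not understand
        entry_size = struct.unpack_from("<I", blob, offset + 8)[0]
        body = offset + 12
        path_len = struct.unpack_from("<H", blob, body)[0]
        path = blob[body + 2:body + 2 + path_len].decode("utf-16-le")
        ft = struct.unpack_from("<Q", blob, body + 2 + path_len)[0]
        entries.append(ShimEntry(path, filetime_to_datetime(ft)))
        offset = body + entry_size  # also skips the trailing data blob
    return entries

def build_sample_cache(items) -> bytes:
    """Constructed sample value in the layout above; not an export from a real hive."""
    out = bytearray(struct.pack("<I", 0x30) + b"\x00" * (0x30 - 4))
    for path, mtime in items:
        p = path.encode("utf-16-le")
        payload = (struct.pack("<H", len(p)) + p
                   + struct.pack("<Q", datetime_to_filetime(mtime)) + struct.pack("<I", 0))
        out += ENTRY_MAGIC + b"\x00" * 4 + struct.pack("<I", len(payload)) + payload
    return bytes(out)

SAMPLE = build_sample_cache([  # constructed entries, hypothetical paths
    (r"C:\Windows\System32\notepad.exe", datetime(2022, 5, 10, 8, 30, tzinfo=timezone.utc)),
    (r"C:\Temp\sample.exe", datetime(2023, 1, 15, 12, 0, tzinfo=timezone.utc)),
])
```

Running `parse_appcompatcache_win10(SAMPLE)` yields the two paths with their UTC timestamps; on a real export the same walk stops cleanly at the first non-matching signature. Note that the timestamp recovered here is the file's modification time, not proof that the file ran.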

While Shimcache is considered a “weak detection” artefact, it is highly valuable for filling investigation gaps:

  • Proving Existence, Not Execution: The most critical nuance. Shimcache proves that a file existed at a specific path, but not necessarily that it was executed. Users may simply have navigated through the folder.
  • Persistence: Shimcache can retain traces of executables long after other artefacts like Prefetch or the original binaries have been deleted. This is often the only remaining evidence of a removed threat.
  • Contextualizing Execution: By comparing the Shimcache’s “Last Modification Time” with the creation time of Prefetch files, analysts can infer the time elapsed between a file’s introduction to the system and its first execution.

Tools for extracting and parsing the Shimcache:

  • AppCompatCacheParser.exe (Eric Zimmerman): The industry standard CLI tool for extracting and parsing the Shimcache from an exported SYSTEM hive.
  • RegRipper: Features a dedicated appcompatcache plugin for automated analysis.

For advanced threat hunting, correlation is key. Correlate Shimcache findings with: