Understanding Microsoft’s Application Compatibility Cache (ShimCache) in Digital Forensics

Jan 31, 2024

Updated on 13 Feb 2025

Introduction to AppCompatCache

In the realm of digital forensics, one of the most valuable artifacts for tracking program execution is the Application Compatibility Cache (AppCompatCache), commonly known as ShimCache. This Windows feature was originally designed to handle application compatibility issues, ensuring that older programs can still function correctly on newer versions of Windows.


However, its forensic significance lies in the fact that Windows records executable files in this cache whether or not they require compatibility adjustments—and sometimes even before execution.

This ability makes AppCompatCache a powerful tool for forensic investigators, especially when examining systems where an attacker has attempted to cover their tracks. If malware or suspicious executables have been removed from a system, AppCompatCache might still retain evidence of their presence.


-------------------------------------------------------------------------------------------------------


What is AppCompatCache (ShimCache)?

When a program runs, Windows may determine that it requires a compatibility fix or shim to function correctly. These fixes are applied through an internal database containing hundreds of predefined “shims.” This is where the term ShimCache originates. Even if an application does not require shimming, Windows still records its presence in the registry, which is what makes it so useful for forensic investigations.


How Windows Uses AppCompatCache:

  1. Detects if an application requires compatibility adjustments.

  2. Records details of the executable in a registry entry regardless of whether shimming is needed.

  3. Updates this registry entry only when the system is shutting down or rebooting (for Windows 7 and later).


Because AppCompatCache records application activity even if the program does not execute, forensic analysts can use it to find traces of malware, penetration testing tools, or any executables dropped onto a system.


-------------------------------------------------------------------------------------------------------


Location of AppCompatCache in the Registry

The AppCompatCache data is stored in the SYSTEM hive of the Windows Registry. The path differs slightly depending on the operating system version:


Windows 7 and Later (Including Windows 11, Server 2008+):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
  • Stores 1,024 entries.

  • InsertFlag exists but does not definitively indicate execution.


Windows XP and Windows Server 2003:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache
  • Windows XP: Limited to 96 entries.

  • Windows Server 2003: Can hold up to 512 entries.

  • Stores additional data, such as the last execution time (not available in later versions).


-------------------------------------------------------------------------------------------------------


Key Characteristics of AppCompatCache

1. AppCompatCache Entries Are Only Written on Shutdown/Reboot

Unlike other execution-based artifacts such as Prefetch, the AppCompatCache registry key is updated only when the system shuts down or reboots (starting with Windows 7). If the system is still running, recent entries exist only in memory and will not be present in an offline forensic analysis.


2. The InsertFlag Field is Unreliable

Windows Vista introduced the InsertFlag field, which was initially thought to indicate whether an application had executed. However, research has shown that the InsertFlag is not a definitive marker of execution. On modern Windows systems, it is common to find executables with Prefetch evidence of execution, yet their InsertFlag remains set to false in the AppCompatCache.


3. Entries May Be Created Even Without Execution

One of the most interesting forensic features of AppCompatCache is that executable files may be logged in the registry before execution. This can happen if an executable is simply downloaded, extracted, or viewed in Windows Explorer. As a result, it can provide valuable insights even when no actual execution occurs.


4. Multiple AppCompatCache Databases May Exist

Windows maintains multiple control sets within the SYSTEM hive, each potentially containing different AppCompatCache data. The active control set is located at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet

For offline forensic analysis, you need to determine the current control set by checking the value in:

HKEY_LOCAL_MACHINE\SYSTEM\Select\Current

Analyzing historical control sets may provide additional forensic evidence.


-------------------------------------------------------------------------------------------------------


Forensic Analysis and Tools

We will cover these two tools in more depth in the next article, but for now here are their names:


1. Eric Zimmerman’s AppCompatCacheParser

2. Mandiant’s ShimCacheParser.py


Check out article link below:

-------------------------------------------------------------------------------------------------------


Practical Forensic Use Cases

1. Tracking Malware Execution

If an attacker launches a malicious payload and then deletes it, traditional artifacts like Prefetch or Event Logs might also be removed. However, AppCompatCache may still retain evidence of its existence.


2. Detecting Deleted or Renamed Files

If a tool like psexec is renamed after being downloaded, Windows will record multiple entries in AppCompatCache—one for each filename. This makes it an effective way to detect file renaming and modification tactics.


3. Identifying Time Manipulation

If the last modified time recorded in AppCompatCache differs from the executable's actual timestamp, it suggests that the file’s metadata was tampered with—possibly as an anti-forensic measure.


4. Finding Evidence of Pre-Execution

If an attacker downloads a malicious payload but never executes it, traditional execution-based artifacts like Prefetch won’t show any traces. However, AppCompatCache might still contain an entry if the file was simply viewed in Windows Explorer.


-------------------------------------------------------------------------------------------------------


If you ask me, here are a few things I noticed while testing, along with their limitations:

Example Scenario

Consider a folder named demo containing 1.exe to 100.exe:

  • Viewing Files: If you open the demo folder in Explorer and see only the first 24 executables without scrolling, and then run 100.exe from CMD:


    • After rebooting and parsing Shimcache with Eric Zimmerman’s AppCompatCacheParser, the output will show 100.exe as the first entry, followed by the 24 executables you viewed in Explorer.


  • Scrolling in Explorer: If you scroll down to 28.exe in the demo folder:

    • After rebooting and parsing Shimcache, the entries from 25.exe to 28.exe will appear at the top.


Important Considerations

  • Explorer vs. CMD: Only files viewed in Explorer are added to Shimcache. Viewing a folder in CMD does not create entries, but executing a file from CMD does.
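To make the scenario above and use case 3 (time manipulation) concrete, here is an added example that is not code from the post or from the parsers it names. It assumes the Windows 10 "10ts" entry layout (signature, 4 unknown bytes, body size, 2-byte path length, UTF-16 path, FILETIME last-modified, data size, data) and builds a constructed cache blob so it runs offline without a SYSTEM hive; the demo paths, timestamps and the on-disk mtimes are all made up.

```python
import struct
from datetime import datetime, timedelta, timezone

ENTRY_MAGIC = b"10ts"                                   # Windows 10 entry signature
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):  # inverse of the above, microsecond precision
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def build_entry(path, last_modified, data=b""):
    """Serialize one entry in the assumed '10ts' layout (used only to build sample data)."""
    encoded = path.encode("utf-16-le")
    body = struct.pack("<H", len(encoded)) + encoded
    body += struct.pack("<Q", datetime_to_filetime(last_modified))
    body += struct.pack("<I", len(data)) + data
    return ENTRY_MAGIC + b"\0" * 4 + struct.pack("<I", len(body)) + body

def parse_win10_entries(blob):
    """Return [(path, last_modified)] in cache order: most recently touched first."""
    offset = struct.unpack_from("<I", blob, 0)[0]        # header size lives at offset 0
    entries = []
    while blob[offset:offset + 4] == ENTRY_MAGIC:
        body_size = struct.unpack_from("<I", blob, offset + 8)[0]
        body = blob[offset + 12:offset + 12 + body_size]
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        last_mod = struct.unpack_from("<Q", body, 2 + path_len)[0]
        entries.append((path, filetime_to_datetime(last_mod)))
        offset += 12 + body_size
    return entries

def timestamp_mismatches(entries, disk_mtimes):
    """Use case 3: paths whose cached last-modified disagrees with the file's current mtime."""
    return [path for path, cached in entries
            if path in disk_mtimes and disk_mtimes[path] != cached]

# Constructed sample mirroring the post's demo folder: 100.exe run from CMD last,
# then the 24 executables Explorer displayed. 7.exe's mtime was changed afterwards.
T0 = datetime(2024, 1, 30, 9, 0, tzinfo=timezone.utc)
SAMPLE = [(r"C:\demo\100.exe", T0 + timedelta(hours=1))] + \
         [(rf"C:\demo\{i}.exe", T0) for i in range(1, 25)]
CACHE = struct.pack("<I", 0x34).ljust(0x34, b"\0") + \
        b"".join(build_entry(p, t) for p, t in SAMPLE)
DISK = {rf"C:\demo\{i}.exe": T0 for i in range(1, 25)}
DISK[r"C:\demo\7.exe"] = T0 + timedelta(days=30)
```

On a real hive, feed the raw AppCompatCache value bytes from the control set named by Select\Current to parse_win10_entries and compare against mtimes collected from the disk image.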


-----------------------------------------------------------------------------------------------------------

From my point of view, Shimcache is no longer reliable as evidence in Windows 10 or 11.

-----------------------------------------------------------------------------------------------------------


Conclusion

AppCompatCache is an invaluable forensic artifact that provides insight into application presence and potential execution, even when traditional artifacts are unavailable. While it has limitations—such as unreliable execution indicators and the need for a system reboot to commit data—it remains a critical resource for tracking attacker activity.


-------------------------------------------------Dean -----------------------------------------------------

Stay ahead of attackers by mastering this powerful forensic artifact!

