Understanding AppCompatCache tool for ShimCache Forensic Analysis

  • Feb 1, 2024

Updated: Feb 13

Introduction to AppCompatCache

AppCompatCache, also known as ShimCache, is a valuable forensic artifact in Windows systems that helps investigators track application execution. Even if an attacker removes their tools from a system, AppCompatCache can still retain traces of their presence, making it a crucial piece of forensic evidence.


In this article, we will explore how to extract and analyze AppCompatCache data using two widely used forensic tools: Eric Zimmerman's AppCompatCacheParser and Mandiant’s ShimCacheParser.py.

-----------------------------------------------------------------------------------------------------------

Extracting AppCompatCache Data

1. Using Eric Zimmerman's AppCompatCacheParser

Eric Zimmerman's AppCompatCacheParser is one of the most widely used tools for extracting and analyzing ShimCache data. It supports both live systems and offline registry hives, ensuring that all historical data is captured.


Installation & Execution

  • Download AppCompatCacheParser from Eric Zimmerman’s GitHub repository.

  • Open Command Prompt and navigate to the folder containing AppCompatCacheParser.

  • Execute the following command (I collected the artifact using KAPE, then mounted the drive, and then ran AppCompatCacheParser):

.\AppCompatCacheParser.exe -f G:\G\Windows\System32\config\SYSTEM  --csv "E:\Output for testing\Website investigation" --csvf appcompact.csv 

Key Features:

✔ Parses all control sets in the SYSTEM hive to ensure no historical data is missed.

✔ Works on live systems and offline registry hives.

✔ Provides output in CSV format for easy analysis.


Output:

-----------------------------------------------------------------------------------------------------------


2. Using Mandiant’s ShimCacheParser.py

ShimCacheParser.py is a lightweight Python-based tool developed by Mandiant that extracts ShimCache data from exported .reg files. This makes it particularly useful for large-scale remote investigations.


Installation & Execution

  • Ensure Python is installed on your system.

  • Download ShimCacheParser.py from Mandiant’s official repository.

  • Export the AppCompatCache registry data using reg.exe (the key path contains a space, so it must be quoted):

reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" AppCompatCache.reg

  • Run ShimCacheParser.py, passing the exported .reg file with the -r option:

python ShimCacheParser.py -r <Path to exported .reg file>

Key Features:

✔ Extracts ShimCache data from exported .reg files, making it ideal for remote collection.

✔ Provides forensic insight even if the SYSTEM hive is unavailable.

✔ Supports automation in large-scale investigations.


-----------------------------------------------------------------------------------------------------------


🔍 Analysis Tips:
  • If an attacker deleted a file, its entry might still be visible in AppCompatCache.

  • If the InsertFlag is set to 0 but Prefetch evidence exists, the executable likely ran.

  • Comparing AppCompatCache data with Prefetch and Event Logs can confirm execution.
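The correlation described in these tips, as an added example that is not part of the original post or of either tool: it reads AppCompatCacheParser's CSV output, checks the Executed (InsertFlag) column, and falls back to a Prefetch directory listing to decide whether each entry shows execution or only presence. The CSV column names and the "Yes" flag value are assumptions about the tool's output format, and all input data is constructed.

```python
import csv
import io

# Constructed sample of AppCompatCacheParser CSV output (not a real capture).
# Column names are an assumption about the tool's CSV layout; verify against your own output.
SHIMCACHE_CSV = """ControlSet,CacheEntryPosition,Path,LastModifiedTimeUTC,Executed,Duplicate,SourceFile
1,0,C:\\Windows\\System32\\cmd.exe,2023-11-02 10:15:00,Yes,False,SYSTEM
1,1,C:\\Users\\Public\\tool.exe,2024-01-20 08:41:12,No,False,SYSTEM
1,2,C:\\Temp\\dropper.exe,2024-01-21 03:02:45,No,False,SYSTEM
1,3,C:\\Program Files\\7-Zip\\7z.exe,2022-05-14 12:00:00,No,False,SYSTEM
"""

# Constructed directory listing of C:\Windows\Prefetch (NAME.EXE-HASH.pf).
PREFETCH_FILES = ["CMD.EXE-0BD30981.pf", "TOOL.EXE-1A2B3C4D.pf", "SVCHOST.EXE-12345678.pf"]


def prefetch_index(pf_names):
    """Map upper-case executable name -> Prefetch file name."""
    index = {}
    for name in pf_names:
        if name.lower().endswith(".pf") and "-" in name:
            index[name.rsplit("-", 1)[0].upper()] = name  # drop the "-HASH.pf" suffix
    return index


def triage(csv_text, pf_names):
    """Return {path: (status, evidence)} for every ShimCache entry.

    executed        - the Executed flag (InsertFlag) is set in the cache itself
    likely-executed - flag not set, but a Prefetch file for the same executable exists
    presence-only   - no execution evidence; the file was seen, not necessarily run
    """
    pf = prefetch_index(pf_names)
    verdicts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        exe = path.rsplit("\\", 1)[-1].upper()  # file name only, Windows separators
        if row.get("Executed", "").strip().lower() == "yes":
            verdicts[path] = ("executed", "Executed flag set in AppCompatCache")
        elif exe in pf:
            verdicts[path] = ("likely-executed", "Prefetch file " + pf[exe])
        else:
            verdicts[path] = ("presence-only", "no corroborating Prefetch entry")
    return verdicts


if __name__ == "__main__":
    for path, (status, evidence) in triage(SHIMCACHE_CSV, PREFETCH_FILES).items():
        print(f"{status:16} {path}  [{evidence}]")
```

On a real case, replace the constructed strings with the CSV written by AppCompatCacheParser and an os.listdir() of the mounted Prefetch folder; a presence-only verdict still matters, since the file existed on the system at some point.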


-----------------------------------------------------------------------------------------------------------

Conclusion

AppCompatCache remains a powerful forensic artifact that helps investigators track file presence and potential execution. While it has its limitations, pairing it with other forensic evidence—such as Prefetch files, Event Logs, and $MFT analysis—enhances accuracy in digital investigations.


By using tools like AppCompatCacheParser and ShimCacheParser.py, forensic analysts can efficiently extract and analyze this critical data to uncover malicious activity.

🚀 Stay updated with forensic research to refine AppCompatCache analysis techniques!

-----------------------------------Dean---------------------------------------------------------
