search

Shimcache

Used to prove file existence and possibly what the TA saw in explorer.

File Location:

  • HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCache\AppCompatCache

The cache stores various file metadata depending on the operating system, such as:

  • File Full Path

  • File Size

  • $Standard_Information (SI) Last Modified time

  • Shimcache Last Updated time

  • Process Execution Flag

Shimcache is a list of file metadata from executables that were recently executed, and thus examined for shimming, or executables examined for “the need to shim” but not executed.

LogoShimCacheforensafe.comchevron-right
Amcache and Shimcache in forensic analysisAndrea Fortunachevron-right
LogoDigital Forensics – ShimCache ArtifactsCount Upon Securitychevron-right
LogoDemystifying Shims - or - Using the App Compat Toolkit to make your old stuff work with your new stuff | Microsoft Community HubTECHCOMMUNITY.MICROSOFT.COMchevron-right
LogoWindows Wednesday: Application Compatibility CacheMediumchevron-right

hashtag
Parsing Data

hashtag
Considerations

  • HKLM\SYSTEM\Select - Determine what ControlSet is in use with the 'current' value.

ControlSet001 is in use.

  • 1024 Per ControlSet

  • Renaming or moving the file will cause it to be re-shimmed.

  • Executing the PE in a command line will cause it to be shimmed (if it wasn't already shimmed).

  • Tracks execution on ALL drives (C:\ D:\ etc).

  • Can no longer be used as evidence of execution on Windows 10/11.

  • Only flushed to the registry on reboot or shutdown.

  • Showing the file partially in explorer will still result in it being added to Shimcache.

Partial view of 27.exe
27.exe is at the top of the Shimcache entry position.

hashtag
Legitimate Execution

Each time an application with unique metadata is executed, a corresponding Shimcache entry will be created. In other words, new entries are created when an existing file’s metadata has changed and is re-executed.

hashtag
Psexec Considerations

Psexec modifies the $DATA attribute of the file every time it runs. Finding multiple Shimcache entries with different modified timestamps are an indication that psexec executed at those specified times.

Last Modified
Path
File Size

02/01/03 07:55:11

C:\WINNT\system32\Malware.exe

185552

10/08/13 20:02:05

C:\WINNT\PSEXESVC.EXE

53248

03/18/10 18:16:49

C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\ngen.exe

150856

12/10/10 22:39:02

d:\MSSQL.1\MSSQL\Binn\DatabaseMail90.exe

16224

07/25/08 16:17:35

C:\WINDOWS\Microsoft.Net\Framework\v2.0.50727\ngen.exe

100856

09/15/03 19:41:35

C:\WINNT\system32\Malware.exe

185552

10/11/12 11:22:23

C:\WINNT\PSEXESVC.EXE

53248

LogoCaching Out: The Value of Shimcache for Investigators | Mandiant | Google Cloud BlogGoogle Cloud Blogchevron-right

hashtag
Network Shimcache

Can be used as evidence of the file existing on a network share. This indicates that the user either navigated to the share using explorer.exe or that the malware executed on the share resulting in the p.exe executable being shimmed. Best paired with shellbags to determine which is true.

hashtag
Anti Forensics

  • Can compare timestamp in shimcache to original binary to compare timestamps. This can be used as evidence of TimeStomping.

  • Renaming a file will re-shim the binary, but the modification timestamp will not change. Because renaming to does not change contents of file.

Rename Evidence (close modification timestamp)

  • File deletion will NOT delete Shimcache entries.

Entries after file deletion.
PreviousPrefetchNextRecentApps

Last updated