ShimCache (AppCompatCache)

windowsExecution EvidenceDisk Image

Location

SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

Description

Application Compatibility Cache stored in the SYSTEM registry hive, recording file path, size, and last modification timestamp for executables the OS considered for compatibility shimming.

Forensic Value

ShimCache records executables that existed on disk even if they were never executed (on Windows 10+, execution flag is no longer set). Entries are ordered chronologically and written to the registry only at shutdown, making the insertion order a coarse timeline. Useful for confirming an attacker tool was present on disk at a particular time.

Tools Required

KAPEAppCompatCacheParser (Eric Zimmerman)RegRipper

Acquisition Methods

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical