ShimCache (AppCompatCache)

Windows, Execution Evidence, Disk Image

Location

SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache (value name: AppCompatCache). CurrentControlSet is a symbolic link that only exists on a live system; in an offline SYSTEM hive read SYSTEM\Select\Current and open the matching ControlSet00N key, or parse every control set present.

Description

Application Compatibility Cache stored in the SYSTEM registry hive, recording the full path and the $STANDARD_INFORMATION last-modified timestamp of executables the OS evaluated for compatibility shimming (file size and an execution flag are only present in older formats; see Forensic Value). The cache is maintained in kernel memory and serialized into the registry value at shutdown.

Forensic Value

A ShimCache entry proves that a file existed at the recorded path, not that it ran. On Windows 7 and earlier an Insert/execution flag marks entries whose shimming check completed, which implies execution; on Windows 8 and later that flag is unreliable and on Windows 10+ it is absent altogether, so a file that was merely listed in Explorer can appear. The timestamp in each entry is the file's $STANDARD_INFORMATION last-modified time, not an execution time, and is therefore subject to timestomping. Entries are stored most-recent-first (MRU) and move back to the top when a file is re-evaluated, so position gives only a coarse relative order. Because the cache is flushed to the registry only at shutdown or reboot, the on-disk hive reflects the state at the last clean shutdown; activity since then is only in kernel memory, so capture a memory image or parse the live hive before rebooting. The cache is capped (96 entries on XP, 1024 on Windows 7 and later), so busy hosts evict older entries within days. Useful for confirming an attacker tool was present on disk at a particular point in time; corroborate execution with Amcache, Prefetch, and event logs before asserting it.
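To make the ordering and timestamp semantics concrete, the following parser walks the Windows 10/11 ("10ts") entry layout of the AppCompatCache value and returns each path with its position (0 = most recent) and last-modified time. This is an added example, not code from the page or from the tools listed below; the value bytes are constructed in the script from three hypothetical paths so it runs offline. Header length differs between builds (0x30 or 0x34 bytes), so the parser takes the first-entry offset from the DWORD at offset 0 rather than hard-coding it; on a real case you would first export the AppCompatCache value from an offline SYSTEM hive with a registry library of your choice.

```python
"""
Minimal parser for the Windows 10/11 ('10ts') AppCompatCache value layout.
Added example, not code from the original page. The sample value is
constructed below so the script runs offline.
"""
import struct
from datetime import datetime, timedelta, timezone

ENTRY_SIG = b"10ts"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_appcompatcache_win10(blob: bytes) -> list[dict]:
    """Walk the value from the header to the last '10ts' entry.

    Per-entry layout (Windows 10 / 11):
      4  signature '10ts'
      4  unknown (zero)
      4  size of the data that follows this field
      2  path length in bytes
      n  path, UTF-16LE
      8  FILETIME: $STANDARD_INFORMATION last-modified time of the file
      4  trailing data length
      m  trailing data (ignored here)
    """
    if len(blob) < 4:
        raise ValueError("value too short to contain a header")
    offset = struct.unpack_from("<I", blob, 0)[0]  # header size == offset of first entry
    entries = []
    position = 0
    while offset + 12 <= len(blob):
        if blob[offset:offset + 4] != ENTRY_SIG:
            break  # end of entries, or an older/unrecognised format
        entry_size = struct.unpack_from("<I", blob, offset + 8)[0]
        body = offset + 12
        path_len = struct.unpack_from("<H", blob, body)[0]
        if body + 2 + path_len + 8 > len(blob):
            break  # truncated value: stop rather than read garbage
        path = blob[body + 2: body + 2 + path_len].decode("utf-16-le")
        ft = struct.unpack_from("<Q", blob, body + 2 + path_len)[0]
        entries.append({
            "position": position,  # 0 = most recently inserted or re-evaluated
            "path": path,
            "last_modified": filetime_to_datetime(ft),  # file mtime, NOT execution time
        })
        position += 1
        offset = body + entry_size
    return entries


def find_path(entries: list[dict], needle: str) -> list[dict]:
    """Case-insensitive substring match against cached paths, e.g. for an IOC."""
    needle = needle.lower()
    return [e for e in entries if needle in e["path"].lower()]


def build_entry(path: str, mtime: datetime) -> bytes:
    """Construct one '10ts' entry (sample data only)."""
    p = path.encode("utf-16-le")
    data = (struct.pack("<H", len(p)) + p
            + struct.pack("<Q", datetime_to_filetime(mtime))
            + struct.pack("<I", 0))
    return ENTRY_SIG + b"\x00" * 4 + struct.pack("<I", len(data)) + data


def build_sample_value() -> bytes:
    """Constructed sample: 0x34-byte header followed by three entries, MRU first."""
    header = struct.pack("<I", 0x34) + b"\x00" * 0x30
    return header + b"".join([
        build_entry(r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
                    datetime(2024, 3, 5, 14, 2, 17, tzinfo=timezone.utc)),
        build_entry(r"C:\Windows\System32\cmd.exe",
                    datetime(2023, 11, 8, 9, 0, 0, tzinfo=timezone.utc)),
        build_entry(r"C:\Program Files\7-Zip\7z.exe",
                    datetime(2023, 6, 1, 12, 30, 0, tzinfo=timezone.utc)),
    ])


if __name__ == "__main__":
    for e in parse_appcompatcache_win10(build_sample_value()):
        print(f"{e['position']:4d}  {e['last_modified']:%Y-%m-%d %H:%M:%S}  {e['path']}")
```

Note that the parser deliberately stops at the first non-"10ts" signature: older hives (Windows 7/8 "00ts" entries) use a different header and entry layout and need their own decoder, which is what the full-featured tools below provide.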

Tools Required

KAPE, AppCompatCacheParser (Eric Zimmerman), RegRipper

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target RegistryHives

KAPE preserves the source directory structure, so the hive is written to C:\output\C\Windows\System32\config\SYSTEM together with its SYSTEM.LOG1/.LOG2 transaction logs. Keep the logs beside the hive: a hive copied from a running system is normally dirty, and the parsers below replay the logs to recover the latest data.

AppCompatCacheParser

AppCompatCacheParser.exe -f C:\output\C\Windows\System32\config\SYSTEM --csv C:\output --csvf ShimCache.csv

By default all control sets in the hive are parsed; the output includes each entry's cache position, path and last-modified time.

RegRipper

rip.exe -r C:\output\C\Windows\System32\config\SYSTEM -p appcompatcache

Collection Constraints

  • Entry format, field coverage (execution flag, file size) and the entry cap depend on the Windows version, not on audit policy: no execution flag on Windows 10+, 1024 entries on Windows 7 and later, 96 on XP. The registry value is only updated at shutdown or reboot, so it lags the in-memory cache, and busy hosts evict older entries within days. Treat absence as inconclusive, and treat presence as evidence of existence on disk rather than execution unless the version-specific flag supports it.

MITRE ATT&CK Techniques

T1059 (Command and Scripting Interpreter), T1204.002 (User Execution: Malicious File), T1036 (Masquerading)