ShimCache and AmCache Forensic Analysis 2025

C:\Windows\AppCompat\Programs\Amcache.hve

C:\AppCompat\Programs\RecentFileCache.bcf

• SHA1 hash isn’t always a full file hash (only up to 30 MBs).
• Doesn’t contain process arguments, user associated with execution, or execution times.
• Due to the artifact’s complexity, entries should generally not be used to prove program execution. Safer to interpret data as evidence of existence.**
• Artifact is complex and has changed numerous times since its inception, making it difficult to understand and leverage all the data it has to offer.

• Data can prove files existed on disk even after file deletion.
• Provides insight into installed applications, along with how it was installed.
• SHA1 hash for PE files and drivers allows for file reputation checks to be done even after files have been deleted.
• Stores comprehensive metadata for PE files and DLLs such as file size, SHA1, and PE header info like CompanyName, FileVersion, etc.

• Blanche Lagny: Analysis of the AmCache
• binary foray: (Am)cache still rules everything around me (part 2 of 1)
• binary foray: AmcacheParser: Reducing the noise, finding the signal

SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache

SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

• Records a max of 1024 entries.*
• Doesn’t prove execution in Windows 10+.**
• Doesn’t record execution time, historical information (run count), user, or arguments.
• Resides in memory and is only written to Registry on proper system reboot/shutdown.***

• Show file execution.****
• Useful in triage phases to identify potential files of interest
• Prove file existence on disk, including PE files from UNC paths and USB devices.
• Proximity in cache position can be used to find other interesting files that may have been added around the same time
• Can be used to provide insight into files that have potentially been moved or renamed as they will be re-shimmed with the new path but same File modification timestamp.

• Microsoft Security: Guidance for Incident Responders
• 13Cubed: Shimcache Execution Is Back – What You Need to Know!
• 13Cubed: Let’s Talk About Shimcache – The Most Misunderstood Artifact
• ØSecurity: AppCompatCache Deep Dive
• WithSecure: Unleashing the Power of Shimcache with Chainsaw
• Andrew Davis: Leveraging the Application Compatibility Cache in Forensic Investigations
• Mandiant: Caching Out: The Value of Shimcache for Investigators
• Alex Ionescu: Secrets of the Application Compatilibity Database (SDB) – Part 1

Example Folders

C:\users\*\Desktop

C:\ProgramData\Microsoft\Windows\Start Menu\

Data Available

• ShortcutPath: Path to LNK file.
• ShortcutTargetPath: Path to target (what LNK file points to).

Generally contains information about files that have been executed and needed to be shimmed, exes that exist in specific folders (scanned from scheduled task), or were put on the system from an application install.

• ProgramId: ID used to map file back to installed applications under the InventoryApplication key.*
• FileID: SHA1 hash of file (first 30MBs).
• LowerCaseLongPath: Full file path on disk.
• Size: File size in bytes.
• BinaryType: Determine type of binary (32 vs 64 bit).
• PE header Info if Available:
  • OriginalName
  • ProductName
  • BinFileVersion
  • BinProductVersion
  • LinkDateExecutable

Contains metadata about installed and uninstalled programs.

• ProgramId: ID used to map associated exe/dlls put on disk from the install process under the InventoryApplicationFile key.
• Source: How the application was installed.
  • MSI  = installed via MSI.
  • AppxPackage = New MSIX installer (usually from Microsoft Store).
  • AddRemoveProgram = Installed via exe.
• Publisher: Company organization from Singing Certificate.
• RootDirPath: Where the application was installed.
• Name: Name of the application installed;
• Version: Version of application installed.

Contains metadata about installed Drivers and is updated via the Microsoft Compatibility Appraiser task.

• Key Name: Full path to driver on disk.
• DriverID: SHA1 hash (first 30 MBs).
• DriverSigned: Value 1 means it’s signed.
• DriverIsKernelMode: Value 1 means it’s a kernel driver.
• Service: Windows service name.
• Product: ProductName from PE header.
• DriverLastWriteTime: Last time drive was updated.

• Absolute path to the executable: Indicates where file was on disk.
• Last modified timestamp:  Modify timestamp of file. Can be used to create a timeline of activity for when the file existed on the system.
• Cache Entry number: Cache location. Generally the lower the number the more recent the entry. Entries with close proximity generally indicate files added to the cache in relatively close proximity. This can help identify other files of interest.

• Adam Harrison: Available Artifacts – Evidence of Execution
• jIIr: Exploring the Program Inventory Event Log

• Andrew Rathbun and Lucas Gonzalez: New Windows 11 Pro (22H2) Evidence of Execution Artifact!