AppCompatCacheParser

How to use AppCompatCacheParser to parse the Windows ShimCache or AppCompatCache registry in order to provide evidence of program execution during incident investigations.

AppCompatCacheParser is a command line tool developed by Eric Zimmerman, to process the ShimCache (AppCompatCache) on Windows operating systems, identifying items such as:

Executable filepaths
Timestamp of last execution

Results can output the hive entries files into .csv for further analysis. Further Information the ShimCache can be found on Darkcybe - Evidence of Execution

Tool Name

Version

MITRE ATT&CK Tactic

MITRE ATT&CK Technique

AppCompatCacheParser

V1.5

Execution

Instructions

Parsing the ShimCache (AppCompatCache) on a Live System

appcompatcacheparser.exe --csvf %OUTPUT_FILENAME%.csv --csv %OUTPUT_DIRECTORY%

Parsing the ShimCache (AppCompatCache) from a Forensic Copy

appcompatcacheparser.exe -f /PATH/TO/SYSTEM hive --csvf %OUTPUT_FILENAME%.csv --csv %OUTPUT_DIRECTORY%

Interesting Fields

Path: Full filepath of executable
LastModifiedTimeUTC: Timestamp in UTC of last modification
Executed: Execution flag (applications can be shimmed without being executed)

Output

Sources

Eric Zimmerman

PreviousJumpListExplorer (JLE)NextSrumECmd

Last updated 2 years ago

hashtagInstructions

hashtagParsing the ShimCache (AppCompatCache) on a Live System

hashtagParsing the ShimCache (AppCompatCache) from a Forensic Copy

hashtagInteresting Fields

hashtagOutput

hashtagSources