
ShimCache (AppCompatCache)

ShimCache is a feature on Windows operating systems that maintains metadata related to the presence and the possible execution of an executable. This artifact may be referred to as AppCompatCache, named after the registry key of the same name.

ShimCache does not track application execution on modern Windows systems.

Analysis

ShimCache can be located inside the SYSTEM registry hive:

SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache

The following information is generally available in the ShimCache:

  • Executable File Path
  • Executable File Last Modification Time
  • Executable File Size (Windows XP only)
  • Execution Flag (Windows )

The Last Modification Timestamp is the filesystem modification time of the executable. Do not confuse this timestamp with an execution time.

However, there are exceptions where the last modification time can be interpreted as an approximate execution time. For example, PsExec creates the service binary PSEXESVC.EXE on the destination machine, so its modification time is updated to approximately the start of the most recent PsExec session.
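The following is an added example, not code from this wiki page or from any of the tools it lists. It parses the AppCompatCache value in the Windows 10 "10ts" entry layout (an assumption: that layout, as publicly documented, is one of several version-specific formats, and older Windows versions are not handled here), converts each entry's FILETIME into a UTC timestamp, and then applies the PsExec exception above: entries whose file name is PSEXESVC.EXE are the only ones whose modification time is reported as a session-start hint. The blob it parses is constructed inline from made-up paths and times so it runs offline; the 0x34-byte header size is likewise an assumption about the sample, not something read from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed Windows 10 AppCompatCache entry layout (per public format documentation):
#   "10ts" (4) | unknown (4) | entry data size (4) | path size (2) | path (UTF-16LE)
#   | last modified FILETIME (8) | data size (4) | data
ENTRY_SIGNATURE = b"10ts"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; keep microsecond precision."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def parse_appcompatcache_win10(blob):
    """Return the cache entries in stored order (position 1 = most recently inserted)."""
    header_size = struct.unpack_from("<I", blob, 0)[0]
    offset = header_size
    entries = []
    while offset + 12 <= len(blob):
        if blob[offset:offset + 4] != ENTRY_SIGNATURE:
            break  # stop at the first non-entry bytes (slack or a different format)
        entry_size = struct.unpack_from("<I", blob, offset + 8)[0]
        body = offset + 12
        path_len = struct.unpack_from("<H", blob, body)[0]
        path = blob[body + 2:body + 2 + path_len].decode("utf-16-le")
        pos = body + 2 + path_len
        ft = struct.unpack_from("<Q", blob, pos)[0]
        data_size = struct.unpack_from("<I", blob, pos + 8)[0]
        entries.append({
            "position": len(entries) + 1,
            "path": path,
            # Filesystem modification time of the binary, NOT an execution time.
            "last_modified": filetime_to_datetime(ft),
            "data_size": data_size,
        })
        offset = body + entry_size
    return entries


def psexec_session_hints(entries):
    """The one documented case where last_modified approximates execution:
    PSEXESVC.EXE is (re)written by PsExec at the start of each session."""
    return [e for e in entries
            if e["path"].rsplit("\\", 1)[-1].upper() == "PSEXESVC.EXE"]


# --- constructed sample data (not from a real system) ---------------------------
def build_entry(path, mtime, data=b""):
    p = path.encode("utf-16-le")
    body = (struct.pack("<H", len(p)) + p
            + struct.pack("<Q", datetime_to_filetime(mtime))
            + struct.pack("<I", len(data)) + data)
    return ENTRY_SIGNATURE + b"\x00" * 4 + struct.pack("<I", len(body)) + body


def build_sample_blob(entries):
    header_size = 0x34  # assumed header size for this constructed sample
    header = struct.pack("<I", header_size) + b"\x00" * (header_size - 4)
    return header + b"".join(build_entry(*e) for e in entries)


SAMPLE_BLOB = build_sample_blob([
    (r"C:\Windows\System32\cmd.exe", datetime(2019, 3, 19, 4, 46, 21, tzinfo=timezone.utc)),
    (r"C:\Windows\PSEXESVC.exe", datetime(2024, 5, 2, 14, 7, 33, tzinfo=timezone.utc)),
    # Binary on removable media: the entry (with full path) outlives the drive.
    (r"E:\tools\procdump.exe", datetime(2023, 11, 8, 9, 15, 0, tzinfo=timezone.utc)),
])

if __name__ == "__main__":
    parsed = parse_appcompatcache_win10(SAMPLE_BLOB)
    for e in parsed:
        print(f'{e["position"]:4d}  {e["last_modified"].isoformat()}  {e["path"]}')
    for e in psexec_session_hints(parsed):
        print(f'PsExec session likely started around {e["last_modified"].isoformat()}')
```

On a real system the value would be exported from the SYSTEM hive (or read from a forensic image) and passed to parse_appcompatcache_win10 as bytes; the parser deliberately stops at the first entry without a "10ts" tag rather than guessing, so an older-format hive yields an empty list instead of misaligned entries.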

The forensics community has historically labeled ShimCache as an application execution artifact. However, since Windows Vista, ShimCache has not tracked the execution of applications. It only serves to prove that an executable exists or existed at some point.

Up to 1024 ShimCache entries are maintained on Windows 7 and newer operating systems.

The LastWriteTime of the AppCompatCache registry key is generally not forensically significant.

Investigation Considerations

ShimCache entries remain on the system even if the executable itself no longer exists on the system. Likewise, if an executable was run from a removable medium (e.g., a flash drive), the ShimCache entry would remain on the host system with data indicating the full path of the executable.

ShimCache keeps track of executable existence on modern Windows systems (Vista+); it does not track application execution.

References

  1. Caching Out: The Value of Shimcache for Investigators - Mandiant

Tools

  1. Eric Zimmerman's AppCompatCacheParser