Shimcache Decoded: Registry Execution Artifacts for IR Teams
Cybersecurity
Shimcache keeps a bounded history of executables that Windows has inspected for compatibility shims. Even without a reliable execution flag, it establishes that a file existed at a given path with a given modification time, and, correlated across hosts, it reconstructs lateral movement paths that other artifacts miss.
By Arjun Raghavan, Security & Systems Lead, BIPI · October 24, 2024 · 9 min read
Shimcache, formally known as AppCompatCache, is stored in the Windows registry as the AppCompatCache value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache (on Windows XP the key is named AppCompatibility instead). It is part of the Application Compatibility infrastructure and records metadata about executable files that Windows has inspected to decide whether compatibility shims should be applied. The artifact exists on every Windows version from XP onward, but the binary layout of the value has changed repeatedly: XP, Server 2003/Vista, Windows 7, Windows 8, Windows 8.1 and Windows 10 (with a further header change in the 1703 release) each use a different format, which is why a version-aware parser is required.
What Shimcache Records
Each Shimcache entry contains the full file path and the file's last modified timestamp ($STANDARD_INFORMATION Modified time as it was when the entry was created or refreshed, not the time the file was inspected or run). Older formats add more: Windows XP and Server 2003 store the file size, and Windows Vista through Windows 7 store an insertion flag that AppCompatCacheParser reports as the Executed column. That flag is the most contested element. On XP there is no flag at all; presence in the XP cache has conventionally been treated as strong evidence of execution because XP populated it at process start. On Vista through 7 a set flag is good evidence that the binary was run, while an unset flag proves little. On Windows 8 and later there is no reliable execution flag, so from Windows 8 onward Shimcache confirms only that the binary existed at the recorded path: it does not confirm execution.
- Windows XP: up to 96 entries; file path, SI_Modified timestamp, file size and a cache-update time; no execution flag
- Windows Server 2003/Vista: up to 512 entries; Vista adds the insertion flag
- Windows 7: up to 1024 entries; insertion flag present (set flag is meaningful, unset flag is not exculpatory)
- Windows 8/8.1/10/11: up to 1024 entries; no reliable execution flag; file path and SI_Modified timestamp only
- Entries are stored in order from most recently inspected to oldest; once the limit is reached the oldest entries roll off
- The cache lives in kernel memory and is written back to the registry value at shutdown or reboot, so an offline SYSTEM hive reflects the state as of the last clean shutdown
Parsing with AppCompatCacheParser
AppCompatCacheParser.exe (Eric Zimmerman) handles all Windows format variants. Target the SYSTEM hive from an offline image: AppCompatCacheParser.exe -f SYSTEM --csv C:\output\ --csvf shimcache.csv. The tool replays the hive's transaction logs (SYSTEM.LOG1/LOG2) when they sit next to the hive, so collect them together. On a live system, omit -f and the tool reads the live registry; remember that the registry value lags the in-memory cache until the next shutdown or reboot, so a live parse can miss the current session's entries. The output CSV includes ControlSet, CacheEntryPosition, Path, LastModifiedTimeUTC, Executed (meaningful only for Vista/7 hives) and Duplicate.
- Collect SYSTEM hive and its LOG files using KAPE (RegistryHives target)
- AppCompatCacheParser.exe -f SYSTEM --csv C:\output\
- In Timeline Explorer, sort by CacheEntryPosition ascending (position 0 = most recently seen)
- Filter Path column for %TEMP%, Downloads, or non-standard application directories
- Correlate Path and LastModifiedTimeUTC against the Amcache entry for the same binary: Amcache supplies the SHA-1 (FileId) and its own key write time, which ties the Shimcache path to a hash you can pivot on
- Check file names for strings associated with known attack frameworks: mimi, cobalt, beacon, brc4, and the exact name cs.exe (a bare "cs" substring matches csrss.exe and far too much else)
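The steps above in code, as an added example that is not the page's or AppCompatCacheParser's own code: a minimal parser for the Windows 10 layout of the AppCompatCache value, following the publicly documented community format notes (a header whose first DWORD is its own size, 0x30 or 0x34 from the 1703 release, then entries of a "10ts" signature, 4 unused bytes, 4-byte entry size, 2-byte path length, UTF-16LE path, 8-byte FILETIME, 4-byte data size, data), followed by the triage filters from the list. The blob it parses is constructed inside the block, so it runs offline; the sample paths, user name and timestamps are invented.

```python
# Added example, not the page's code and not AppCompatCacheParser. It
# parses the Windows 10 layout of the AppCompatCache value as described
# in public community format notes (Mandiant's shimcacheparser, plaso):
# a header whose first DWORD is its own size (0x30, or 0x34 from 1703),
# then entries of: '10ts' signature, 4 unused bytes, 4-byte entry size,
# 2-byte path length, UTF-16LE path, 8-byte FILETIME ($SI modified),
# 4-byte data size, data. The blob it parses is constructed below, so
# the whole thing runs offline; the header's other fields are zeroed
# because this parser walks entries by signature rather than by count.
import struct
from datetime import datetime, timedelta, timezone

ENTRY_SIG = b"10ts"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def build_win10_blob(records):
    """Constructed test data: (path, mtime) pairs in MRU order -> blob."""
    out = bytearray(struct.pack("<I", 0x30).ljust(0x30, b"\x00"))
    for path, mtime in records:
        p = path.encode("utf-16-le")
        body = (struct.pack("<H", len(p)) + p
                + struct.pack("<Q", dt_to_filetime(mtime))
                + struct.pack("<I", 0))            # no trailing data
        out += ENTRY_SIG + b"\x00" * 4 + struct.pack("<I", len(body)) + body
    return bytes(out)


def parse_win10_appcompatcache(blob: bytes):
    """Return entries in cache order (position 0 = most recently seen)."""
    header_size = struct.unpack_from("<I", blob, 0)[0]
    if header_size not in (0x30, 0x34):
        raise ValueError("not a Windows 10 AppCompatCache header")
    entries, off = [], header_size
    while off + 12 <= len(blob) and blob[off:off + 4] == ENTRY_SIG:
        entry_size = struct.unpack_from("<I", blob, off + 8)[0]
        body = blob[off + 12:off + 12 + entry_size]
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        ft = struct.unpack_from("<Q", body, 2 + path_len)[0]
        data_size = struct.unpack_from("<I", body, 10 + path_len)[0]
        entries.append({
            "CacheEntryPosition": len(entries),
            "Path": path,
            "LastModifiedTimeUTC": filetime_to_dt(ft),   # $SI M-time, not run time
            "DataSize": data_size,
        })
        off += 12 + entry_size
    return entries


# Triage rules from the walkthrough above. Bare "cs" is too short to use
# as a substring (it hits csrss.exe and many others), so it is matched
# only as the exact file name cs.exe.
STAGING_DIRS = ("\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")
TOOL_MARKERS = ("mimi", "cobalt", "beacon", "brc4")


def triage(entries):
    hits = []
    for e in entries:
        lower = e["Path"].lower()
        name = lower.rsplit("\\", 1)[-1]
        reasons = []
        if any(d in lower for d in STAGING_DIRS):
            reasons.append("staging-dir")
        if name == "cs.exe" or any(m in name for m in TOOL_MARKERS):
            reasons.append("tool-name")
        if reasons:
            hits.append((e["CacheEntryPosition"], e["Path"], reasons))
    return hits


# Constructed sample, MRU first: user name, paths and times are made up.
SAMPLE_RECORDS = [
    (r"C:\Windows\System32\csrss.exe", datetime(2023, 5, 10, 12, 0, tzinfo=timezone.utc)),
    (r"C:\Users\jdoe\AppData\Local\Temp\mimi64.exe", datetime(2024, 9, 30, 8, 15, tzinfo=timezone.utc)),
    (r"C:\Users\jdoe\Downloads\update.exe", datetime(2024, 10, 1, 9, 0, tzinfo=timezone.utc)),
    (r"C:\Windows\System32\svchost.exe", datetime(2023, 5, 10, 12, 0, tzinfo=timezone.utc)),
]


def demo():
    entries = parse_win10_appcompatcache(build_win10_blob(SAMPLE_RECORDS))
    return entries, triage(entries)


if __name__ == "__main__":
    for e in demo()[0]:
        print(e["CacheEntryPosition"], e["LastModifiedTimeUTC"].isoformat(), e["Path"])
    print(demo()[1])
```

On a real hive you would feed parse_win10_appcompatcache the raw bytes of the AppCompatCache value rather than the constructed blob; csrss.exe in the sample is there to show why the tool-name rule anchors on the exact name cs.exe instead of a "cs" substring.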
Lateral Movement Reconstruction
The value Shimcache adds to a lateral movement chain comes from what its timestamp is: the file's $STANDARD_INFORMATION modified time, which a file copy carries over unchanged. A tool staged on several hosts therefore shows the same LastModifiedTimeUTC in each host's Shimcache, even when it was dropped into different directories. If psexec.exe appears in Shimcache on SERVER-02 with a LastModifiedTimeUTC that matches the psexec.exe recorded in Amcache on WORKSTATION-01, you have connected the two machines in the kill chain without relying on network logs (note that the PsExec client leaves psexec.exe on the source host; the target normally carries the service binary PSEXESVC.exe under C:\Windows, so a client copy on the target means the attacker staged it there to pivot onward). The match establishes that the same file was present on both hosts, not the direction of movement; order the hosts with Prefetch run times, logon events (4624) and service installation events (7045). This cross-host artifact correlation is a core technique in enterprise incident response.
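The cross-host match described above, as an added example that is not part of the original article: it reads AppCompatCacheParser-style CSV output from two hosts, drops OS binaries (which share modification times on every host built from the same image and would correlate trivially), and reports files seen on more than one host with the same name and $SI modified time. The two CSV strings are constructed to mimic the parser's column layout and default timestamp format; host names, user names, paths, times and the Executed values are invented.

```python
# Added example, not from the page: correlate a staged tool across hosts
# on the field that survives a file copy, the $SI modified time that
# Shimcache reports as LastModifiedTimeUTC. The two CSV strings are
# constructed to mimic AppCompatCacheParser's column layout and its
# default timestamp format; host names, users, paths and times are
# invented, and the Executed values are placeholders.
import csv
import io
from collections import defaultdict

SHIMCACHE_CSV = {
    "WORKSTATION-01": "\n".join([
        "ControlSet,CacheEntryPosition,Path,LastModifiedTimeUTC,Executed,Duplicate,SourceFile",
        r"1,0,C:\Users\jdoe\AppData\Local\Temp\psexec.exe,2024-09-30 08:15:00.0000000,NA,False,WS01\SYSTEM",
        r"1,1,C:\Users\jdoe\Downloads\update.exe,2024-10-01 09:00:00.0000000,NA,False,WS01\SYSTEM",
        r"1,2,C:\Windows\System32\svchost.exe,2023-05-10 12:00:00.0000000,NA,False,WS01\SYSTEM",
    ]),
    "SERVER-02": "\n".join([
        "ControlSet,CacheEntryPosition,Path,LastModifiedTimeUTC,Executed,Duplicate,SourceFile",
        r"1,0,C:\Windows\Temp\psexec.exe,2024-09-30 08:15:00.0000000,NA,False,SRV02\SYSTEM",
        r"1,1,C:\Windows\Temp\m.exe,2024-10-02 03:12:00.0000000,NA,False,SRV02\SYSTEM",
        r"1,2,C:\Windows\System32\svchost.exe,2023-05-10 12:00:00.0000000,NA,False,SRV02\SYSTEM",
    ]),
}

# OS binaries share M-times across every host built from the same image,
# so they correlate trivially and are excluded; staging directories such
# as C:\Windows\Temp deliberately stay in scope.
NOISE_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                  "c:\\windows\\winsxs\\", "c:\\program files")


def load_shimcache_csv(host, text):
    """Yield (host, path, mtime) from AppCompatCacheParser-style CSV text."""
    for row in csv.DictReader(io.StringIO(text)):
        yield host, row["Path"], row["LastModifiedTimeUTC"]


def correlate(per_host):
    """Map (file name, M-time) -> sorted (host, path) for files on 2+ hosts."""
    seen = defaultdict(set)
    for host, text in per_host.items():
        for _, path, mtime in load_shimcache_csv(host, text):
            if path.lower().startswith(NOISE_PREFIXES):
                continue
            seen[(path.rsplit("\\", 1)[-1].lower(), mtime)].add((host, path))
    return {k: sorted(v) for k, v in seen.items()
            if len({h for h, _ in v}) > 1}


if __name__ == "__main__":
    for (name, mtime), places in correlate(SHIMCACHE_CSV).items():
        print(f"{name} (M-time {mtime}) present on:")
        for host, path in places:
            print(f"  {host}: {path}")
```

The key deliberately pairs the file name with the exact M-time string: a renamed copy keeps its M-time and is missed here, which is why the Amcache SHA-1 is the stronger join key when both hosts have an Amcache entry. The match also says nothing about direction; the order of hosts in the chain has to come from Prefetch, logon events or service installation events.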
The Execution Debate: Shimcache as Presence Indicator
The forensic community debate over Shimcache as an execution indicator is settled for Windows 8+: it is a presence indicator, not an execution indicator. Windows inspects an executable during process creation, before it runs, and on Windows 8 and later an entry can also be created when Explorer or similar tooling examines a file's compatibility properties while listing a directory. A binary can therefore appear in Shimcache because it was copied to the system, browsed to in Explorer, and deleted before it ever ran. Before drawing an execution conclusion, corroborate Shimcache with an artifact that requires execution: Prefetch on workstations (it is disabled by default on Windows Server editions), Amcache, Security event 4688 or Sysmon event 1 where process auditing is enabled.
- Presence confirmed: binary existed at the path at the recorded modification timestamp
- Execution possible: but not confirmed without Prefetch, Amcache, or other corroboration
- Anti-forensic evasion: attackers can trigger Shimcache entries for decoy binaries without executing them
- Absence does not exonerate: a binary executed during a session that never reached a clean shutdown (power cut, crash) may not have been written to the registry, and an entry older than the 1024 most recent rolls off the cache entirely
Multiple Control Sets and Recovering Overwritten Entries
The SYSTEM hive contains multiple ControlSet keys (ControlSet001, ControlSet002 and sometimes more); CurrentControlSet is a virtual link that exists only in the live registry, and the Select key's Current value tells you which numbered set it points to in an offline hive. Each ControlSet carries its own AppCompatCache value, and an older copy of the cache can survive in the non-current set after the current one has been rewritten. AppCompatCacheParser parses every control set it finds by default and records which one each row came from in the ControlSet column; use -c to restrict it to a single control set, and sort on the Duplicate column to separate rows that exist in both sets from entries that survive only in the older one.
Shimcache is the widest-net artifact in the Windows execution ecosystem. It catches tools that never ran long enough to generate a Prefetch file and tools that were deleted before Amcache flushed. Use it to identify candidates, then validate each candidate with corroborating sources.
Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.