Understanding ShimCache and Execution Evidence in Digital Forensics


If you’ve ever thought, “I found m.exe in the ShimCache; therefore, m.exe ran on this device,” you may need to reconsider.

The ShimCache (AppCompatCache) is a Windows artifact that records metadata (path, file last-modified time and a few flag bytes) for executables the application-compatibility engine has looked at. An entry is created when a program runs, but also when a file is merely enumerated, for example by browsing its directory in Explorer, so the presence of an entry does not by itself prove execution. Eric Zimmerman's AppCompatCacheParser (GitHub) reads the cache from the `AppCompatCache` value under `SYSTEM\ControlSet001\Control\Session Manager\AppCompatCache` in an exported SYSTEM hive and writes a CSV that includes an "Executed" column (Yes/No).

Key Findings:

1. ShimCache ≠ Execution Proof

  • As H. Carvey notes (blog), treating a ShimCache entry as confirmation of execution is incorrect: the entry shows the file was seen by the compatibility engine, not that it ran.
  • The parser derives the "Executed" value from the last 4 bytes of each cache entry's data field: 01 00 00 00 is reported as Yes, anything else as No.

2. False Negatives

  • Example: pestudio.exe had a Prefetch file (which does confirm execution), yet its ShimCache entry was marked "No" because the trailing bytes were `64 86 00 00` rather than `01 00 00 00`.

3. Tool Limitations

  • The parser's logic treats every value other than 01 00 00 00 as if it were 00 00 00 00 (not executed), but Windows 10/11 write other values into that field (e.g. 64 86 00 00). A "No" from the parser therefore means "flag value not recognised", not "did not run".
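To make the flag logic concrete, here is an added Python example (my own code, not AppCompatCacheParser's and not from the original post) that parses a constructed Windows 10/11-style cache blob and applies both the two-state rule described above and a three-state rule that refuses to turn an unrecognised flag value into "No". The entry layout used here (`10ts` signature, 4 unknown bytes, body length, path length, UTF-16LE path, FILETIME, data length, data) follows public format descriptions and is an assumption; the three sample entries and their timestamps are constructed, with pestudio.exe given the `64 86 00 00` value from the page.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed Windows 10/11 ShimCache entry layout (from public format write-ups):
#   "10ts" | 4 bytes unknown | 4-byte body length | body
#   body = 2-byte path length | UTF-16LE path | 8-byte FILETIME | 4-byte data length | data
# The parser's "Executed" verdict discussed on the page comes from the last 4 bytes of `data`.
SIG = b"10ts"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)
EPOCH_DIFF = 116444736000000000  # 100 ns ticks between 1601-01-01 and 1970-01-01


def build_entry(path: str, modified: datetime, data: bytes) -> bytes:
    """Serialise one synthetic cache entry (constructed test data, not a real hive)."""
    p = path.encode("utf-16-le")
    # timedelta // timedelta is exact integer arithmetic (no float precision loss)
    filetime = ((modified - EPOCH_1601) // timedelta(microseconds=1)) * 10
    body = struct.pack("<H", len(p)) + p + struct.pack("<Q", filetime)
    body += struct.pack("<I", len(data)) + data
    return SIG + struct.pack("<I", 0) + struct.pack("<I", len(body)) + body


def parse_entries(blob: bytes) -> list:
    """Walk consecutive 10ts entries and return path, last-modified time and trailing data."""
    entries, off = [], 0
    while off < len(blob):
        if blob[off:off + 4] != SIG:
            raise ValueError(f"bad signature at offset {off}: {blob[off:off + 4]!r}")
        body_len = struct.unpack_from("<I", blob, off + 8)[0]
        body = blob[off + 12: off + 12 + body_len]
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        pos = 2 + path_len
        filetime = struct.unpack_from("<Q", body, pos)[0]
        pos += 8
        data_len = struct.unpack_from("<I", body, pos)[0]
        pos += 4
        data = body[pos:pos + data_len]
        mtime = EPOCH_1970 + timedelta(microseconds=(filetime - EPOCH_DIFF) // 10)
        entries.append({"path": path, "modified": mtime, "data": data})
        off += 12 + body_len
    return entries


def naive_executed(data: bytes) -> str:
    """Two-state rule the page attributes to the parser: 01 00 00 00 -> Yes, anything else -> No."""
    return "Yes" if data[-4:] == b"\x01\x00\x00\x00" else "No"


def conservative_executed(data: bytes) -> str:
    """Three-state rule: only claim Yes/No for the two known values, surface everything else."""
    if len(data) < 4:
        return "Unknown (no flag bytes)"
    flag = data[-4:]
    if flag == b"\x01\x00\x00\x00":
        return "Yes"
    if flag == b"\x00\x00\x00\x00":
        return "No"
    return f"Unknown (flag {flag.hex()})"


def classify(blob: bytes) -> dict:
    """Return {path: (naive verdict, conservative verdict, flag hex)} for every entry."""
    return {
        e["path"]: (naive_executed(e["data"]), conservative_executed(e["data"]), e["data"][-4:].hex())
        for e in parse_entries(blob)
    }


# Constructed sample: three entries whose trailing DWORDs are the values the page
# discusses (01 00 00 00, 00 00 00 00, and pestudio's 64 86 00 00). Paths are hypothetical.
T = datetime(2024, 1, 10, 9, 12, 33, tzinfo=timezone.utc)
SAMPLE_CACHE = (
    build_entry(r"C:\Tools\m.exe", T, b"\x01\x00\x00\x00")
    + build_entry(r"C:\Windows\System32\calc.exe", T, b"\x00\x00\x00\x00")
    + build_entry(r"C:\Tools\pestudio.exe", T, b"\x64\x86\x00\x00")
)

if __name__ == "__main__":
    for path, (naive, careful, flag) in classify(SAMPLE_CACHE).items():
        print(f"{path:32} flag={flag}  naive={naive:3}  conservative={careful}")
```

The point of the three-state rule is that an analyst's report should carry the raw flag value forward rather than a collapsed Yes/No; the `Unknown` rows are exactly the ones to cross-check against Prefetch, Amcache and event logs.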

You Should Know: Practical Forensics Commands & Steps

1. Extract ShimCache Manually (Windows)

```powershell
# Dump the SYSTEM hive for offline analysis (run from an elevated prompt).
# The AppCompatCache value is written back to the registry at shutdown,
# so a live export can lag what the running system currently holds in memory.
reg save HKLM\SYSTEM C:\temp\SYSTEM.hiv

# Parse with Eric Zimmerman's AppCompatCacheParser; the CSV is written to C:\output
AppCompatCacheParser.exe -f C:\temp\SYSTEM.hiv --csv C:\output
```

2. Verify Execution via Prefetch (Windows 10/11)

A Prefetch file does record execution (run count and last-run timestamps), but its absence is not evidence of non-execution: Prefetch is disabled by default on Windows Server and may be turned off on other systems.

```powershell
# List Prefetch files (one .pf per executable that has run while Prefetch was enabled)
Get-ChildItem C:\Windows\Prefetch\*.pf

# Parse a single file with PECmd; JSON output is written to C:\output
PECmd.exe -f "C:\Windows\Prefetch\PESTUDIO.EXE-XXXXXX.pf" --json C:\output
```

3. Cross-Check with Amcache (Windows 8+)

Amcache is not a key inside the SOFTWARE hive, so `reg save` cannot export it; it is a standalone hive file at `C:\Windows\AppCompat\Programs\Amcache.hve` that Windows keeps locked while running. Collect it from a volume shadow copy, with a raw-copy collector, or from a disk image, then parse the copy offline. It records file metadata (including SHA-1 hashes) for executables present on the system, which is evidence of presence rather than, on its own, of execution.

```powershell
# Parse the collected hive with Eric Zimmerman's AmcacheParser; the CSV is written to C:\output
AmcacheParser.exe -f C:\temp\Amcache.hve --csv C:\output
```

4. Linux/Mac Alternative (SleuthKit)

`fls` and `icat` show that a file exists (or existed) on the volume and let you extract it; that is presence, not execution. Use them to pull the suspect binary and the execution artifacts themselves (the SYSTEM hive, the Prefetch directory, Amcache.hve) out of a Windows volume or image and feed those copies to the parsers above.

```bash
# Locate the file in the file system (for a full-disk image, add -o <sector offset>)
fls -r /dev/sda1 | grep -i "m.exe"

# Extract it by the inode number that fls prints in front of the name
icat /dev/sda1 <inode> > m.exe
```
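The four steps above end with two CSVs that have to be reconciled by hand. Here is an added Python example (mine, not part of the original post and not any tool's code) that joins a ShimCache CSV with a Prefetch CSV per executable name and flags rows where the two disagree, reproducing the pestudio.exe case from the page. The CSV excerpts are constructed; the column names (`Path`/`Executed` for AppCompatCacheParser, `ExecutableName`/`RunCount`/`LastRun` for PECmd) are assumed to match those tools' CSV output and should be adjusted if your version differs, and the Prefetch hash suffixes are invented placeholders.

```python
import csv
import io

# Constructed excerpts in the shape of AppCompatCacheParser and PECmd CSV output
# (assumption: column names match your tool versions). Mirrors the page's case:
# ShimCache says "No" for pestudio.exe while a Prefetch file proves it ran.
SHIMCACHE_CSV = r"""ControlSet,CacheEntryPosition,Path,LastModifiedTimeUTC,Executed,Duplicate,SourceFile
1,0,C:\Tools\m.exe,2024-01-10 09:12:33,Yes,False,C:\temp\SYSTEM.hiv
1,1,C:\Tools\pestudio.exe,2024-01-10 09:15:02,No,False,C:\temp\SYSTEM.hiv
1,2,C:\Windows\System32\calc.exe,2023-12-01 08:00:00,No,False,C:\temp\SYSTEM.hiv
"""

PREFETCH_CSV = r"""SourceFilename,ExecutableName,RunCount,LastRun
C:\Windows\Prefetch\PESTUDIO.EXE-0A1B2C3D.pf,PESTUDIO.EXE,3,2024-01-10 09:20:41
C:\Windows\Prefetch\M.EXE-4E5F6A7B.pf,M.EXE,1,2024-01-10 09:12:40
"""


def basename(win_path: str) -> str:
    """Upper-cased file name of a Windows path; works when run on Linux/macOS too."""
    return win_path.replace("/", "\\").rsplit("\\", 1)[-1].upper()


def load_shimcache(text: str) -> dict:
    return {basename(row["Path"]): row for row in csv.DictReader(io.StringIO(text))}


def load_prefetch(text: str) -> dict:
    return {row["ExecutableName"].upper(): row for row in csv.DictReader(io.StringIO(text))}


def corroborate(shim_text: str, pf_text: str) -> dict:
    """Join both artifacts by executable name and assign a verdict per name.

    'executed'    a Prefetch file exists, whatever the ShimCache flag says
    'flag only'   ShimCache flag is Yes but no Prefetch file: weak, needs another source
    'no evidence' ShimCache entry exists, flag not Yes, no Prefetch file
    """
    shim, pf = load_shimcache(shim_text), load_prefetch(pf_text)
    result = {}
    for name in sorted(set(shim) | set(pf)):
        s, p = shim.get(name), pf.get(name)
        if p is not None:
            verdict = "executed"
        elif s is not None and s["Executed"] == "Yes":
            verdict = "flag only"
        else:
            verdict = "no evidence"
        result[name] = {
            "verdict": verdict,
            "shimcache_executed": s["Executed"] if s else None,
            "prefetch_runs": int(p["RunCount"]) if p else 0,
            "prefetch_last_run": p["LastRun"] if p else None,
            # the false-negative pattern from the page: Prefetch present, ShimCache flag not Yes
            "shimcache_disagrees": p is not None and s is not None and s["Executed"] != "Yes",
        }
    return result


if __name__ == "__main__":
    for name, r in corroborate(SHIMCACHE_CSV, PREFETCH_CSV).items():
        note = "  <- ShimCache flag was No; Prefetch is the stronger artifact" if r["shimcache_disagrees"] else ""
        print(f"{name:14} {r['verdict']:12} shim={r['shimcache_executed']} runs={r['prefetch_runs']}{note}")
```

Treat "no evidence" as exactly that, not as proof of non-execution: Prefetch may be disabled, the .pf file may have been deleted, or the directory may have rolled over, so the next stop for those names is the Security log (4688) and Amcache.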

What Undercode Says

ShimCache is a hint, not proof. Always corroborate with:
– Prefetch (run count and last-run timestamps per executable; disabled by default on Windows Server, so absence is not proof of non-execution)
– Amcache (file metadata and SHA-1 hashes of executables present on the system; presence, not execution, on its own)
– Event Logs (Security event 4688 process creation, available only if process-creation auditing is enabled)
– Memory forensics (Volatility)

Expected Output:

A comprehensive forensic report combining:

1. ShimCache entries (with execution flags).

2. Prefetch file timestamps.

3. Registry/AmCache data.

4. Timeline from `plaso/log2timeline`.

Reported By: Mr Ahmed – Hackers Feeds