Also known as Application Compatibility Cache (AppCompatCache), Shimcache is a record of information about executable files that have run on the system. It typically stores the file name and path, the timestamp of execution, and other metadata. This feature is designed to ensure backward compatibility of older applications on newer versions of Windows. In older versions of Windows (such as 7/8), this artifact only indicated whether a file had been executed. However, in Windows 10, in addition to this feature, Shimcache also stores the names of executables visible in File Explorer.
Shimcache stores the following content:
- Evidence of executable execution
- Evidence of the presence of executable files (only files viewed via the GUI are recorded; filenames listed from the CLI will not populate this registry key)
It is worth noting that shimcache can be modified or deleted by attackers, so preserving the integrity of evidence when examining shimcache is crucial. Located at:
Note: If you do not see a key named "CurrentControlSet" in the SYSTEM hive, you can select ControlSet001 instead, as CurrentControlSet is normally just a link to the active control set (usually ControlSet001). The rest of the path remains the same.
Shimcache Parser
Like shellbags, Shimcache data is not stored in a directly readable format. We can use another tool by Eric Zimmerman, called AppCompatCacheParser.
https://ericzimmerman.github.io/#!index.md
This tool is CLI-based. It will parse the artifact and create a CSV file with the output. We run it from the CLI to view the available parameters. Note: Run the command prompt as an administrator.
C:\Users\Administrator\Downloads\AppCompatCacheParser> AppCompatCacheParser.exe
Option '--csv' is required.
Description:
AppCompatCache Parser version 1.5.0.0
Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/AppCompatCacheParser
Examples: AppCompatCacheParser.exe --csv c:\temp -t -c 2
AppCompatCacheParser.exe --csv c:\temp --csvf results.csv
Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes
Usage:
AppCompatCacheParser [options]
Options:
-f : Full path to the SYSTEM hive to process. If not specified, the live registry will be used.
--csv (required): Directory to save CSV formatted results. Be sure to enclose the full path in double quotes.
--csvf : Filename to save CSV formatted results. If it exists, it will overwrite the default name.
--c : ControlSet to parse. Default is to extract all control sets [default: -1].
-t: Sort by last modified timestamp in descending order [default: False].
--dt : Custom date/time format to use when displaying timestamps. See https://goo.gl/CNVq0k for options [default: yyyy-MM-dd HH:mm:ss].
--nl: When true, ignore transaction log files for dirty hives [default: False].
--debug: Show debug information during processing [default: False].
--trace: Show trace information during processing [default: False].
--version: Show version information.
-?, -h, --help: Show help and usage information.
Then open the CSV with Timeline Explorer, which displays the information in a cleaner and more organized format than Excel, and sorts entries by timestamp.
We can find recently executed or browsed applications from File Explorer. If we know the time of an event, we can look for applications executed within that timeframe.
Forensic investigators can use Shimcache to determine which programs ran on the system, the exact timestamps of execution, and whether executable files existed (even if they were not executed). It stores information about executed applications even if the files themselves were deleted long ago. This is useful in various scenarios, including incident response, malware analysis, and digital forensics.
For example: Suppose there are 20 different executables in a directory. We open the directory in File Explorer, but only 5 executables are visible because the File Explorer window has been resized to a smaller size. In this case, shimcache will save information about these 5 executables, even though they were not executed. If the Explorer window is maximized and all 20 files are visible, all 20 executables will appear in the shimcache data. These files may only have been browsed in File Explorer.
Shimcache is a valuable forensic tool because it can prove the existence of files even if they have been deleted from the disk. Another value is that it stores the data we discussed above, whether it comes from the local system, a network share, or a USB device.
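The workflow described above (parse the SYSTEM hive with AppCompatCacheParser, then look for entries around the time of an event and for entries that came from a network share or removable volume) can also be scripted over the parser's CSV output. The following is an added example, not part of the original article or of Eric Zimmerman's tools. It assumes the CSV columns AppCompatCacheParser writes (ControlSet, CacheEntryPosition, Path, LastModifiedTimeUTC, Executed, Duplicate, SourceFile) and the parser's default timestamp format; the rows embedded below are constructed sample data, not output from a real system. Note that LastModifiedTimeUTC holds the file's last-modified time from the file system, so hits in a window should be corroborated with Amcache or other artifacts.

```python
"""Triage AppCompatCacheParser CSV output around an incident time.

Added example; not part of the original article or of AppCompatCacheParser.
Column names and the timestamp format are assumptions based on the parser's
default output. SAMPLE_CSV is constructed sample data.
"""
import csv
import io
from datetime import datetime, timedelta

# Default --dt format of the parser: yyyy-MM-dd HH:mm:ss
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows in the shape the parser emits (assumption).
SAMPLE_CSV = r"""ControlSet,CacheEntryPosition,Path,LastModifiedTimeUTC,Executed,Duplicate,SourceFile
1,0,C:\Windows\System32\notepad.exe,2023-03-01 09:15:42,,False,SYSTEM
1,1,C:\Users\Public\update.exe,2023-03-10 14:02:11,,False,SYSTEM
1,2,\\fileserver\share\tools\ps.exe,2023-03-10 14:05:30,,False,SYSTEM
1,3,E:\portable\7z.exe,2023-03-11 02:00:00,,False,SYSTEM
1,4,C:\Program Files\Vendor\app.exe,2022-12-25 10:00:00,,False,SYSTEM
"""


def load_entries(csv_text):
    """Read the parser CSV and attach a parsed datetime to every row."""
    entries = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["LastModified"] = datetime.strptime(row["LastModifiedTimeUTC"], TS_FORMAT)
        entries.append(row)
    return entries


def entries_in_window(entries, incident_time,
                      before=timedelta(hours=1), after=timedelta(hours=1)):
    """Return entries whose timestamp falls within [incident-before, incident+after],
    newest first (the same ordering the parser's -t switch produces)."""
    start, end = incident_time - before, incident_time + after
    hits = [e for e in entries if start <= e["LastModified"] <= end]
    return sorted(hits, key=lambda e: e["LastModified"], reverse=True)


def classify_source(path):
    """Where the executable lived: local system drive, network share (UNC path),
    or another volume such as a USB device. Assumes C: is the system drive."""
    if path.startswith("\\\\"):
        return "network"
    if path[:2].upper() == "C:":
        return "local"
    return "other-volume"


def non_local_entries(entries):
    """Entries that did not run from the local system drive."""
    return [e for e in entries if classify_source(e["Path"]) != "local"]


if __name__ == "__main__":
    rows = load_entries(SAMPLE_CSV)
    incident = datetime(2023, 3, 10, 14, 0, 0)
    for e in entries_in_window(rows, incident):
        print(e["LastModifiedTimeUTC"], classify_source(e["Path"]), e["Path"])
    print("non-local:", [e["Path"] for e in non_local_entries(rows)])
```

To use it on real output, replace SAMPLE_CSV with the contents of the CSV the parser wrote (for example `open(path).read()`), and widen or narrow the window to fit the incident timeline.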
Amcache
The amcache hive is a hive on Windows systems that contains information about applications and programs that have been executed on the system. It is part of the Windows Application Compatibility Cache and stores information about programs that have run on the system to help them run more efficiently.
From a forensic perspective, amcache can be used to determine which programs have run on the system and their exact execution times. This information is useful for forensic investigators trying to determine suspect activity. It can also be used to identify the installation time of software on the system and the location of the installation files. This is useful for identifying unauthorized software installations or tracking software deployment within an organization. The amcache hive also stores data about executed applications from external devices/sources (such as network shares, USB devices, etc.).
Amcache contains key-value pairs that store application paths, file metadata (description, publisher name), timestamps (creation, modification, and deletion), and the SHA-1 hash of files. This hive is located at:
- C:\Windows\AppCompat\Programs\Amcache.hve
Differences Between Amcache and Shimcache
Compared to shimcache, Amcache can be considered more reliable evidence of execution. Amcache stores additional data, such as the first execution timestamp, the deletion timestamp (if the file was deleted), the hash of the executable file, etc. It also stores the application publisher's name, which can help us find suspicious and untrusted files, as such files frequently lack a publisher name. While adding a publisher name when creating an executable is not difficult, most malware generators (like Metasploit, Empire) do not include any metadata when creating a stager.
In Windows 7 and earlier versions, amcache was named "RecentfileCache" and was located at:
Even if the file is deleted, the "InventoryApplicationFile" key still stores detailed information about the executable files that ran on the system.
In the event of an incident response, we can try to find applications executed around the time of the incident. This allows us to exclude irrelevant data and focus only on relevant process information.
We can also view driver data from the following key:
This helps us discover malicious drivers acting as rootkits, etc. One advantage of this artifact is that it stores SHA-1 hashes, allowing us to quickly verify the reputation of files unless it is stealth malware.
However, if there is a large amount of data, analyzing it from the registry can be cumbersome. We can use another tool designed by Eric Zimmerman called AmcacheParser to generate a CSV file and then analyze it using Timeline Explorer.
AmcacheParser
C:\Users\Administrator\Downloads\AmcacheParser>AmcacheParser.exe
Option '-f' is required.
Option '--csv' is required.
Description:
AmcacheParser version 1.5.1.0
Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/AmcacheParser
Examples: AmcacheParser.exe -f "C:\Temp\amcache\AmcacheWin10.hve" --csv C:\temp
AmcacheParser.exe -f "C:\Temp\amcache\AmcacheWin10.hve" -i --csv C:\temp --csvf foo.csv
AmcacheParser.exe -f "C:\Temp\amcache\AmcacheWin10.hve" -w "c:\temp\whitelist.txt" --csv C:\temp
Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes
Usage:
AmcacheParser [options]
Options:
-f (required) Amcache.hve file to parse
-i Include file entries for program entries [default: False]
-w File path containing SHA-1 hashes to exclude from results. Blacklist overrides whitelist
-b File path containing SHA-1 hashes to include in results. Blacklist overrides whitelist
--csv (required) Directory to save CSV formatted results. Be sure to enclose the full path in double quotes
--csvf Filename to save CSV formatted results. If present, overrides the default name
--dt Custom date/time format to use when displaying timestamps. For options, see https://goo.gl/CNVq0k [default: yyyy-MM-dd HH:mm:ss]
--mp Display higher precision timestamps [default: False]
--nl When true, ignore transaction log files for dirty hives. Default is FALSE [default: False]
--debug Display debug information during processing [default: False]
--trace Display trace information during processing [default: False]
--version Display version information
-?, -h, --help Display help and usage information
Note: Run CMD as an administrator.
We can specify a file containing SHA-1 hashes of known good applications. By using the -w option, we can exclude known good applications found in amcache and then analyze the remaining files. This can significantly reduce analysis time as forensic investigators do not need to waste time on normal applications.
We can also specify a file containing SHA-1 hashes of known malware. By using the -b option, we can find only the amcache results that match the malicious files, which can be very useful during an investigation. For example, if we are dealing with an Emotet malware variant attack, we can collect all SHA-1 hashes of Emotet variants found in the wild and match them here to see whether any of them ran on the system.
AmcacheParser.exe -f "C:\Windows\appcompat\Programs\Amcache.hve" --csv . --csvf output.csv
We can see that multiple CSV files were generated, and we open the "amcache_UnassociatedFileEntries" file in Timeline Explorer.
We can quickly search for the SHA-1 provided by amcache on threat intelligence sites like VT.
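The -w / -b filtering described above (drop known-good SHA-1 hashes, keep only known-bad ones, with the blacklist winning when a hash appears in both lists) together with the publisher check from the Amcache/Shimcache comparison can be reproduced over the generated CSV, which is handy when the hash lists change after the parser has already been run. The following is an added example, not part of the original article or of AmcacheParser itself. The column names it reads (FileKeyLastWriteTimestamp, SHA1, FullPath, ProductName, Publisher) are assumptions and should be adjusted to the headers of your own UnassociatedFileEntries CSV; every hash and row below is constructed sample data, not a real indicator.

```python
"""Triage AmcacheParser output with SHA-1 allow/deny lists and a publisher check.

Added example; not part of the original article or of AmcacheParser.
Column names are assumptions; all hashes and rows are constructed.
"""
import csv
import io

# Constructed placeholder hashes (40 hex chars, like a real SHA-1).
GOOD_HASH = "1" * 40     # in the allow-list only
BAD_HASH = "2" * 40      # in the deny-list only
UNKNOWN_HASH = "3" * 40  # in neither list
BOTH_HASH = "4" * 40     # in both lists: the deny-list must win
OTHER_HASH = "5" * 40    # in neither list, has a publisher

# Constructed CSV rows in a reduced form of the parser's columns (assumption).
SAMPLE_CSV = rf"""FileKeyLastWriteTimestamp,SHA1,FullPath,ProductName,Publisher
2023-03-10 14:02:11,{BAD_HASH},c:\users\public\update.exe,,
2023-03-01 09:15:42,{GOOD_HASH},c:\windows\system32\notepad.exe,Microsoft Windows,Microsoft Corporation
2023-03-10 14:03:00,{UNKNOWN_HASH},c:\users\bob\downloads\invoice.exe,,
2023-03-10 14:05:30,{BOTH_HASH},\\fileserver\share\tools\ps.exe,Sysinternals,Microsoft Corporation
2023-02-01 00:00:00,{OTHER_HASH},c:\program files\vendor\app.exe,Vendor App,Vendor Inc
"""

# Constructed hash-list files: one hash per line, '#' starts a comment.
KNOWN_GOOD = f"""# allow-list (constructed)
{GOOD_HASH}
{BOTH_HASH}
"""
KNOWN_BAD = f"""# deny-list (constructed)
{BAD_HASH.upper()}   # case must not matter
{BOTH_HASH}
"""


def load_hash_list(text):
    """Parse a hash-list file into a set of lowercase SHA-1 strings."""
    hashes = set()
    for line in text.splitlines():
        value = line.split("#", 1)[0].strip().lower()
        if value:
            hashes.add(value)
    return hashes


def load_entries(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def triage(entries, known_good=frozenset(), known_bad=frozenset()):
    """Apply the allow/deny logic: deny-listed hashes are always kept and
    flagged, allow-listed hashes are dropped, everything else is 'unknown'.
    Entries without a publisher name are flagged for manual review."""
    results = []
    for e in entries:
        sha1 = e["SHA1"].strip().lower()
        if sha1 in known_bad:
            verdict = "known-bad"
        elif sha1 in known_good:
            continue  # -w behaviour: drop known-good files
        else:
            verdict = "unknown"
        flags = []
        if not e.get("Publisher", "").strip():
            flags.append("no-publisher")
        results.append({
            "timestamp": e["FileKeyLastWriteTimestamp"],
            "path": e["FullPath"],
            "sha1": sha1,
            "verdict": verdict,
            "flags": flags,
        })
    return results


if __name__ == "__main__":
    out = triage(load_entries(SAMPLE_CSV),
                 known_good=load_hash_list(KNOWN_GOOD),
                 known_bad=load_hash_list(KNOWN_BAD))
    for r in out:
        print(r["timestamp"], r["verdict"], ",".join(r["flags"]) or "-", r["path"])
```

The remaining "unknown" hashes are the ones worth looking up on a threat intelligence site; the "known-bad" rows answer directly whether a given set of samples ever ran on the host.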
Recent Files
This is a feature in Windows that allows us to access recently used applications. When we open "File Explorer" or the "Start Menu," we can see some recently used files/applications.
This key stores the names of opened files/applications, shortcut files, and the last access time. Note that this file contains information about all files that are being opened/modified. It can be classified as access evidence rather than execution evidence.
If we change the file content or rename the file via the command line, it will populate this registry key. We did not execute the file but modified it, and it will be recorded in this dat file. We can use this dat file to establish interaction with the file and submit it as evidence.
We can see the target name (i.e., the file name), the Lnk name (i.e., the shortcut of the file we saw in "Recent Items"), and the open time (i.e., the last access time).
From a forensic perspective, RecentDocs is very valuable for quickly viewing the files accessed by a specific user (internal threat/misconduct/attacker) within a specific time frame.
Dialog Box MRU
"Dialog Box MRU" is a record of file names, timestamps, and paths accessed or selected in Microsoft Windows OS dialog boxes. Whenever an application needs a file from the user (for example, when uploading a file on a website), a File Explorer dialog box appears so the user can select the file to upload.
We can obtain important information about recent user activities on the system, including files and folders they accessed or modified file paths. This can help reconstruct user actions and provide information for other forensic investigations.
This information is stored in 2 keys in the NTUSER.DAT hive.
Whenever we need to open or load a file from another application, the system prompts us with a File Explorer window, and we select the file to load. The paths of opened/loaded/saved files are stored in this key. For example, we are uploading a Word document from Microsoft Word.
Now, when we select the file and click "Open," it will open in the Microsoft Word application. The file path of this document will be saved in the OpenSavePidlMRU key. Check whether this document name exists in the OpenSavePidlMRU key by opening the key in Registry Explorer.
Note: You may need to restart Registry Explorer and reload the hive to see the changes completed in real-time.
When we need to find out which files a user loaded through other applications, the "OpenSavePidlMRU" key is very useful. For example, if a user uploaded a file on a website, we can use this key to find out which file the user uploaded.
LastVisitedPidlMRU
LastVisitedPidlMRU tracks the executable files responsible for opening/saving files from the Windows Explorer prompts we discussed earlier. This key does not store the file name paths (like OpenSavePidlMRU) but stores the executable files used to open/save files and the paths of the folders where the files were opened/saved.
In the previous case example, the file name was "liutech.docx," and the folder path where the file was saved was "C:\Administrator\". We used Microsoft Word to open the document, so the executable name in this key should be "winword.exe."
This is the latest entry in this key, and the path and timestamp match our criteria. But the executable name is a GUID value. It turns out that this key sometimes does not record the correct data for certain applications. In this example, the executable should be winword.exe, which would tell us that a document was opened from this path.
We can use another example from the previous case to confirm this. For instance, we used ida64.exe to open a file.