Windows Artifact Series || ShimCache
ShimCache, also known as AppCompatCache (Application Compatibility Cache)
Microsoft introduced the ShimCache in Windows 95, and it remains today a mechanism to ensure backward compatibility of older binaries with new versions of Microsoft operating systems. When a new Microsoft operating system is released, some old and legacy applications might break. To fix this, Microsoft uses the ShimCache, which acts as a proxy layer between the old application and the new operating system.
Let’s check the forensic value of the ShimCache artifact.
ShimCache data is stored under the SYSTEM registry hive.
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
On Windows 7 and above the ShimCache maintains up to 1024 entries, whereas on Windows XP up to 96 entries were maintained.
ShimCache is an important artifact as it tracks and stores entries of binaries that were executed or browsed using Windows Explorer. Through ShimCache we can get information about these binaries once the system has been rebooted, since the entries are written to the registry at that point.
ShimCache will also record entries of binaries that were executed from the command prompt (CMD).
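The on-disk structure behind the registry value above, as an added example (not code from the post or from Eric Zimmerman's tools): a minimal Python parser for the Windows 10 layout of the AppCompatCache value, run against a blob the script constructs itself. Assumptions: only the Windows 10 header (first DWORD 0x30 or 0x34) and the '10ts' entry layout are handled, and in a real case the bytes would come from the AppCompatCache value of an exported SYSTEM hive rather than from build_win10_cache.

```python
import struct
from datetime import datetime, timedelta, timezone

WIN10_ENTRY_SIGNATURE = b"10ts"     # tag at the start of every cached entry
WIN10_HEADER_SIZES = (0x30, 0x34)   # first DWORD of the value; 0x34 from Creators Update on
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_win10_cache(blob: bytes) -> list:
    """Return one dict per cached entry (Windows 10 layout only).
    Entry: '10ts', 4 unknown bytes, entry data size, 2-byte path length,
    UTF-16LE path, FILETIME (file last modified, not run time), data size, data."""
    header_size = struct.unpack_from("<I", blob, 0)[0]
    if header_size not in WIN10_HEADER_SIZES:
        raise ValueError(f"unsupported header size 0x{header_size:x} (not Windows 10 layout)")
    entries, pos = [], header_size
    while pos + 14 <= len(blob) and blob[pos:pos + 4] == WIN10_ENTRY_SIGNATURE:
        entry_len, path_len = struct.unpack_from("<IH", blob, pos + 8)
        path = blob[pos + 14:pos + 14 + path_len].decode("utf-16le")
        ft, = struct.unpack_from("<Q", blob, pos + 14 + path_len)
        entries.append({"position": len(entries), "path": path,
                        "last_modified_utc": filetime_to_utc(ft)})
        pos += 12 + entry_len           # 12 = signature + unknown + size field
    return entries


def build_win10_cache(records: list, data: bytes = b"") -> bytes:
    """Construct a sample blob in the Windows 10 layout (constructed test data, not a real hive)."""
    out = bytearray(struct.pack("<I", 0x34).ljust(0x34, b"\0"))
    for path, mtime in records:
        p = path.encode("utf-16le")
        ft = ((mtime - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
        body = struct.pack("<H", len(p)) + p + struct.pack("<QI", ft, len(data)) + data
        out += WIN10_ENTRY_SIGNATURE + b"\0\0\0\0" + struct.pack("<I", len(body)) + body
    return bytes(out)


# Constructed sample: two entries with paths of the kind seen in the post.
SAMPLE_BLOB = build_win10_cache([
    (r"C:\Windows\System32\cmd.exe", datetime(2023, 1, 10, 8, 0, 0, tzinfo=timezone.utc)),
    (r"C:\Temp\testingexefile.exe", datetime(2023, 5, 2, 14, 30, 15, tzinfo=timezone.utc)),
])

if __name__ == "__main__":
    for e in parse_win10_cache(SAMPLE_BLOB):
        print(f"{e['position']:>4}  {e['last_modified_utc']:%Y-%m-%d %H:%M:%S}  {e['path']}")
```

Note that the only timestamp in the entry is the file's last-modified time, which is why ShimCache can show that a binary was present but not when, or whether, it ran.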
Let’s dive into the PRACTICAL.
Tools to be used:
AppCompatCacheParser
Built by Eric Zimmerman, it is a command-line application that allows for the examination of Windows ShimCache data.
Timeline Explorer
Built by Eric Zimmerman, it is used to view CSV and Excel files and to filter, group, and sort them.
Practical — 1
Let’s run “AppCompatCacheParser.exe” with default options, just specifying the output directory and output file name.
AppCompatCacheParser.exe --csv OUTPUT_PATH --csvf OUTPUT_FILE_NAME
Now let’s open the test1.csv file using Timeline Explorer and see the output.
Let’s see the last few entries.
Let’s browse through a few executable files using Windows Explorer to verify whether they get captured by ShimCache.
Reboot the machine to see the traces of executables browsed/executed.
After rebooting the system, we need to parse the ShimCache entries again using the same command.
AppCompatCacheParser.exe --csv OUTPUT_PATH --csvf OUTPUT_FILE_NAME
Let’s open the test2.csv file using Timeline Explorer.
As we can see in the above screenshot, we have traces of “TEST EXE (*).exe” that we visited earlier. So one thing is clear: ShimCache will store entries of binaries that are executed or browsed via Windows Explorer.
Let’s browse through more executable files.
Reboot the machine to see the traces of executables browsed/executed.
After rebooting the system, we need to parse the ShimCache entries again using the same command.
AppCompatCacheParser.exe --csv OUTPUT_PATH --csvf OUTPUT_FILE_NAME
Let’s open the test3.csv file using Timeline Explorer.
From the above screenshot, it’s clear that ShimCache records entries of binaries that are either executed or browsed via Windows Explorer.
Now the question is: if we run an executable from the command prompt (CMD), will it be visible in the ShimCache entries?
Practical — 2
Step — 1: Using the command prompt (CMD), copy “TEST_EXE (11).exe” to a new location/folder and name it “testingexefile.exe”.
Step — 2: Using the command prompt (CMD), run “testingexefile.exe”.
Step — 3: Reboot the machine to see the traces of executables executed via the command prompt.
Step — 4: After rebooting the system, parse the ShimCache entries again using the same command.
AppCompatCacheParser.exe --csv OUTPUT_PATH --csvf OUTPUT_FILE_NAME
Step — 5: Let’s open the test7.csv file using Timeline Explorer.
From the above screenshot, we can see traces of “testingexefile.exe” that was executed earlier via the command prompt. ShimCache will also store entries of binaries that are executed via the command prompt.
Conclusion:
ShimCache is a valuable artifact which records traces of executables that are present on the system. We can rely on ShimCache as evidence that a binary existed, although we cannot comment on whether it was executed.
ShimCache will store entries of binaries that are executed or browsed via Windows Explorer, and it will also capture entries of binaries that are executed via the command prompt (CMD).