How often has the following happened to you? You want to run a program, but it’s not designed to run on this version of OS. Windows has a mechanism to run older programs on newer systems. Even when these “compatibility” adjustments are not required, Windows still logs the information for all the programs run.
β οΈ Anatomy
Shows the date and time that an executable was last modified.
π Path: SYSTEM hive
π SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache (Windows Vista +)
π SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache (Windows XP) - 96 entries only.
π Tools: ShimCacheParser.py (requires Python2), AppCompatCacheParser
Windows 7+ 1024 entries, Server 2003 - 512 only π. βοΈ No execution flag for Windows 10!
Originally was used to identify compatibility issues between 32 and 64-bit progs. It might not be reliable evidence that the program was executed or even installed, but if it was installed and deleted - it won’t be deleted from here. ShimCache is another name for this artefact. Uses file system timestamps. A new entry will be created if the executable is modified or renamed, but the modified date and time will be the same for both files even after these actions occur. \$UsnJrnl is another place to make sure that is what happened \$Logfile.
ShimCache tracks the following fields of interest:
πΎ App name πΎ File path πΎ Size (Windows XP only) πΎ Last modified time
When exported as is, in binary format, this key looks like this:
βοΈ During system operation, ShimCache updates are stored in RAM and written at shutdown or reboot (for Win10+)! So, ShimCache is lost if the PC is unplugged. βοΈ Doesnβt track the file execution for Win7+ systems. βοΈ Only logs some file extensions. βοΈ Recent events are written on top (helps given that no execution times are provided). βοΈ If a program gets modified, rewritten or renamed - it’s shimmed again. βοΈ If the last modified time differs from the filesystem time -> time modification occurred. βοΈ On Vista+, ShimCache is not evidence of execution. Vista, W7 and W8 had
InsertFlagthat, when set to true, indicated that the program was run. βοΈ Several ShimCache for each ControlSet (the most recent info is in πSYSTEM\CurrentControlSet)
β° Timestamps
Shows the date and time that an executable was last modified. Last time of execution or activity, based on the interpretation of the time-based data. LastUpdateTime is updated when the files are executed on Win XP. LastUpdateTime does not exist on Win7- 10 systems.
π οΈ Tools
π οΈ AppCompatCacheParser (Eric Zimmerman, Win7+) and π οΈ ShimCacheParser.py (Mandiant).
π .\AppCompatCacheParser.exe -f .\SYSTEM --csv C:\temp
π ShimCacheParser # MANDIANT
βπ» Note that
ShimCacheParser.pycan also parse.regfiles (good for scaling).