AppCompatCache
Overview
Evidence: AppCompatCache
Description: Enumerate AppCompatCache (aka ShimCache)
Category: System
Platform: windows
Short Name: appcc
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The Application Compatibility Cache (also known as ShimCache) tracks metadata about executable files so that Windows can apply compatibility shims to them. Windows adds an entry when an executable is run (and, on some versions, when it is merely browsed in Explorer). The cache is held in memory while the system runs and is written to the registry on shutdown or reboot, so entries for the current session may not yet be on disk; once written, the data persists across reboots.
AppCompatCache can provide evidence of program execution and file presence, including programs that have since been deleted. The cache is stored in the registry and holds up to 1024 entries (fewer on older versions; Windows XP keeps 96). The binary layout, and therefore which fields are available, changes between Windows versions: the explicit execution flag present in Windows 7 and 8.x is absent from Windows 10 and later, where an entry shows file presence and the file's last-modified time but does not by itself prove execution.
Data Collected
This collector gathers structured data about the AppCompatCache entries.
AppCompatCache Data

| Field | Description | Example |
|---|---|---|
| KeyPath | Registry key path | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache |
| EntryName | Control set name | CurrentControlSet |
| Position | Position in cache (0 is the most recently inserted entry) | 0 |
| CachedFileSize | File size recorded in cache (not recorded by all Windows versions) | 1048576 |
| CachedFileModified | Last-modified time of the file as recorded in the cache (UTC) | 2023-10-15T14:30:00 |
| Executed | Whether the file was executed (flag only exists on some OS versions) | TRUE |
Collection Method
This collector:
1. Searches the registry for AppCompatCache locations:
   - HKLM\SYSTEM\ControlSet00*\Control\Session Manager\AppCompatibility
   - HKLM\SYSTEM\ControlSet00*\Control\Session Manager\AppCompatCache
2. Reads the AppCompatCache binary registry value
3. Parses the cache data format (varies by Windows version)
4. Extracts file paths, timestamps, and execution flags
5. Normalizes file paths to full paths
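The parsing step above is where the version-specific layout matters. The following is an added example, not the collector's own code, showing how the Windows 10 variant of the AppCompatCache value is laid out and parsed: a DWORD header size (0x30, or 0x34 from Windows 10 1703 onward), followed by entries that each start with the tag `10ts`, a DWORD of unknown meaning, a DWORD entry size, a WORD path length, the UTF-16LE path, a FILETIME last-modified timestamp, and a DWORD data length plus data. Windows 10 entries carry no file size and no execution flag, so the parser returns only Position, Path and CachedFileModified. The sample blob is constructed in the script itself by `build_win10_cache` (a helper written here purely to produce test data, using hypothetical paths), so the example runs offline; `read_live_cache` is an assumed helper that reads the real value through `winreg` and only works on Windows. Older formats (Windows XP, 7 and 8.x) use different headers and entry layouts and are not handled here.

```python
"""Parse the Windows 10 AppCompatCache (ShimCache) registry value layout."""
import struct
from datetime import datetime, timedelta, timezone

ENTRY_SIG = b"10ts"  # tag that opens every Windows 10 cache entry
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    if ft == 0:
        return None
    return EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, computed with integers to stay exact."""
    delta = dt - EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_win10_cache(data):
    """Return a list of {Position, Path, CachedFileModified} dicts for a Windows 10 cache blob."""
    header_size = struct.unpack_from("<I", data, 0)[0]
    if header_size not in (0x30, 0x34):
        raise ValueError(f"unexpected header size 0x{header_size:x}; not a Windows 10 cache")
    entries = []
    offset, position = header_size, 0
    while offset + 12 <= len(data):
        if data[offset:offset + 4] != ENTRY_SIG:
            break  # zero padding or slack after the last real entry
        entry_size = struct.unpack_from("<I", data, offset + 8)[0]
        body = data[offset + 12:offset + 12 + entry_size]
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        modified = struct.unpack_from("<Q", body, 2 + path_len)[0]
        entries.append({
            "Position": position,
            "Path": path,
            "CachedFileModified": filetime_to_datetime(modified),
        })
        position += 1
        offset += 12 + entry_size
    return entries


def build_win10_cache(records, header_size=0x34):
    """Serialize (path, modified) pairs in the Windows 10 layout. Constructed test data only."""
    blob = bytearray(struct.pack("<I", header_size).ljust(header_size, b"\0"))
    for path, modified in records:
        encoded = path.encode("utf-16-le")
        body = (struct.pack("<H", len(encoded)) + encoded
                + struct.pack("<Q", datetime_to_filetime(modified))
                + struct.pack("<I", 0))  # zero-length trailing data block
        blob += ENTRY_SIG + struct.pack("<I", 0) + struct.pack("<I", len(body)) + body
    return bytes(blob)


def read_live_cache():
    """Assumed helper: read the raw value from the running system (Windows only)."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache")
    value, _ = winreg.QueryValueEx(key, "AppCompatCache")
    return value


# Constructed sample: two entries with hypothetical paths, plus 16 bytes of trailing padding.
SAMPLE = build_win10_cache([
    (r"C:\Windows\System32\cmd.exe", datetime(2023, 10, 15, 14, 30, tzinfo=timezone.utc)),
    (r"C:\Temp\recon.exe", datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)),
]) + b"\0" * 16

if __name__ == "__main__":
    for entry in parse_win10_cache(SAMPLE):
        print(entry["Position"], entry["CachedFileModified"], entry["Path"])
```

On a live Windows host replace `SAMPLE` with `read_live_cache()`; for an offline SYSTEM hive, export the value from each ControlSet00* key and feed the bytes to `parse_win10_cache`. The timestamp returned is the file's last-modified time, not the time of execution, and for Windows 10 caches an entry should be reported as file presence unless another artifact corroborates execution.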
Forensic Value
AppCompatCache is a key artifact for establishing program execution and file presence. Investigators use it to identify programs that were run (even if since deleted), build execution timelines, detect malware execution, identify reconnaissance tools, track lateral movement utilities, detect use of portable executables, and corroborate other execution artifacts such as Prefetch and Amcache. Because the cached timestamp is the file's last-modified time rather than the execution time, and because Windows 10 and later record no execution flag, conclusions about when or whether a file ran should be cross-checked against those other artifacts.