AppCompatCache
Overview
Evidence: AppCompatCache
Description: Enumerate AppCompatCache (aka ShimCache)
Category: Registry
Platform: Windows
Short Name: appcc
Is Parsed: Yes (binary cache data parsed into structured format)
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The Application Compatibility Cache (also known as ShimCache) tracks metadata about executable files so that Windows can apply compatibility shims. Windows adds an entry when the shim engine examines an executable, which happens when the file is run and, on newer versions, in some cases without execution. The cache is held in memory while the system runs and is written to the registry at shutdown or reboot, so entries persist across reboots.
AppCompatCache can provide evidence of program execution and file presence, including programs that have since been deleted. The cache is stored in the registry and holds a fixed number of entries (up to 1024 on Windows 7 64-bit and later; fewer on older versions).
Data Collected
KeyPath: Registry key path. Example: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
EntryName: Control set name. Example: CurrentControlSet
Position: Position in cache (0-based; on Windows 7 and later the most recently inserted entry is typically at position 0). Example: 0
File path fields: File information columns for the executable path
CachedFileSize: File size recorded in cache (only present in formats that store it). Example: 1048576
CachedFileModified: Last-modified timestamp of the file as recorded in the cache. This is the file's $STANDARD_INFORMATION modification time, not the time of execution. Example: 2023-10-15T14:30:00
Executed: Whether the file was executed, taken from the entry's insert/execution flag (only present on some OS versions). Example: TRUE
Collection Method
This collector:
1. Searches the registry for AppCompatCache locations:
   HKLM\SYSTEM\ControlSet00*\Control\Session Manager\AppCompatibility (Windows XP)
   HKLM\SYSTEM\ControlSet00*\Control\Session Manager\AppCompatCache (Windows Vista and later)
2. Reads the AppCompatCache binary registry value
3. Parses the cache data format (the header and entry layout vary by Windows version)
4. Extracts file paths, timestamps, and execution flags where the format carries them
5. Normalizes file paths to full paths
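The parsing step above is where the version-specific layout matters. The following is an added example, not the collector's own parser, showing how the Windows 10 form of the AppCompatCache value is decoded: a header whose first DWORD is its own size (0x30 before 1703, 0x34 from 1703), followed by entries tagged "10ts" that carry a UTF-16LE path and a FILETIME last-modified stamp but no execution flag. The entry layout is taken from public format documentation and is an assumption of this example; the sample value is constructed inline (the paths and timestamps are made up) so the code runs offline.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Windows 10 AppCompatCache value layout (assumed from public format notes):
#   header:     DWORD header_size (0x30 or 0x34) followed by unknown bytes
#   entry:      "10ts" | DWORD unknown (checksum) | DWORD entry_data_size | entry_data
#   entry_data: WORD path_size | path (UTF-16LE, no terminator)
#               | FILETIME last_modified | DWORD data_size | data
WIN10_HEADER_SIZES = (0x30, 0x34)
ENTRY_SIGNATURE = b"10ts"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


@dataclass
class ShimCacheEntry:
    position: int
    path: str
    last_modified: datetime
    executed: Optional[bool]  # None: this format records no execution flag


def filetime_to_datetime(ft: int) -> datetime:
    # FILETIME is 100-ns ticks since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_win10_appcompatcache(blob: bytes) -> List[ShimCacheEntry]:
    if len(blob) < 4:
        raise ValueError("value too short to hold a header")
    header_size = struct.unpack_from("<I", blob, 0)[0]
    if header_size not in WIN10_HEADER_SIZES:
        # Other versions (e.g. Windows 7, 8.x) use different headers and entry layouts
        raise ValueError(f"unsupported header size 0x{header_size:x}")
    entries: List[ShimCacheEntry] = []
    offset = header_size
    position = 0
    while offset + 12 <= len(blob):
        sig, _checksum, data_size = struct.unpack_from("<4sII", blob, offset)
        if sig != ENTRY_SIGNATURE:
            break  # trailing padding or unknown data: stop rather than misparse
        data_start = offset + 12
        data_end = data_start + data_size
        if data_end > len(blob):
            raise ValueError(f"entry {position} runs past the end of the value")
        (path_size,) = struct.unpack_from("<H", blob, data_start)
        p = data_start + 2
        path = blob[p:p + path_size].decode("utf-16-le")
        p += path_size
        (ft,) = struct.unpack_from("<Q", blob, p)
        # the trailing DWORD data_size + data are not needed for triage
        entries.append(ShimCacheEntry(position, path, filetime_to_datetime(ft), None))
        position += 1
        offset = data_end
    return entries


def build_entry(path: str, last_modified: datetime, extra: bytes = b"") -> bytes:
    # Helper to construct a Windows 10 style entry for the sample value below
    path_bytes = path.encode("utf-16-le")
    data = (struct.pack("<H", len(path_bytes)) + path_bytes
            + struct.pack("<Q", datetime_to_filetime(last_modified))
            + struct.pack("<I", len(extra)) + extra)
    return ENTRY_SIGNATURE + struct.pack("<II", 0, len(data)) + data


def build_sample_value() -> bytes:
    # Constructed sample: a 0x34-byte header plus two entries (paths/times made up)
    header = struct.pack("<I", 0x34) + b"\x00" * 0x30
    entries = (
        build_entry(r"C:\Windows\System32\cmd.exe",
                    datetime(2023, 10, 15, 14, 30, tzinfo=timezone.utc))
        + build_entry(r"C:\Users\Public\tool.exe",
                      datetime(2023, 10, 16, 9, 5, 7, tzinfo=timezone.utc), b"\x01\x00")
    )
    return header + entries + b"\x00" * 8  # trailing padding is ignored


if __name__ == "__main__":
    for e in parse_win10_appcompatcache(build_sample_value()):
        print(e.position, e.last_modified.isoformat(), e.path, "executed=", e.executed)
```

Because Windows 10 entries carry no execution flag, the parser reports `executed` as `None` rather than guessing; a parser for Windows 7 would read the insert flag from the entry instead, and a real collector has to dispatch on the header before choosing an entry layout.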
Usage
AppCompatCache is critical for establishing program execution and file presence. Investigators use this data to identify executed programs (even if since deleted), build execution timelines, detect malware execution, identify reconnaissance tools, track lateral-movement utilities, detect use of portable (non-installed) executables, and correlate with other execution artifacts.
Known Limitations
Cache size is limited (up to 1024 entries on Windows 7 64-bit and later)
Oldest entries are purged when the cache fills
Format varies significantly across Windows versions, so the parser must select the layout from the header
Execution flag is only present and reliable on certain Windows versions
Cache is held in memory and written to the registry at shutdown or reboot, so a registry read on a running system may miss recent entries
Presence in the cache does not always indicate execution
Notes
On Windows 7 and earlier (XP through 7), entries carry an execution flag that can be relied on. From Windows 8 onward the flag is no longer reliable (and Windows 10 entries carry none), so presence in the cache only shows that the file existed on the file system and was examined by the shim engine. The timestamp in each entry is the file's last-modified time, not an execution time. Always correlate with Prefetch, Amcache, and other execution artifacts before asserting that a program ran.