Shim Database

Overview

Evidence: SDB
Description: Collect SDB
Category: System
Platform: windows
Short Name: sdb
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes

Background

Windows Application Compatibility infrastructure uses shim databases (.sdb files) to apply compatibility fixes to applications. Custom shim databases can be created to modify application behavior, redirect file access, inject DLLs, and perform other compatibility fixes.

Attackers have abused shim databases as a persistence mechanism and to inject malicious code into legitimate processes (similar to DLL search order hijacking).

Data Collected

This collector gathers the following structured data about each collected shim database (.sdb) file.

SDB Data

Field        Description                  Example
Name         Artifact name                SDB
Type         File                         File
SourcePath   Original file path           C:\Windows\AppPatch\Custom\malicious.sdb
Path         Relative path in evidence    Other/malicious.sdb

Collection Method

This collector collects shim database files from:

  • Windows\apppatch\Custom\*.sdb - Custom 32-bit shim databases

  • Windows\apppatch\Custom\Custom64\*.sdb - Custom 64-bit shim databases

  • Windows\apppatch\*.sdb - System shim databases

Forensic Value

Shim databases can reveal application compatibility fixes and potential abuse for persistence or code injection. Investigators use this data to detect malicious shim persistence (MITRE T1546.011), identify DLL injection via shims, track custom compatibility fixes, and detect application behavior modifications.
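As an added example (not the collector's own code), the following Python script performs the collection the three paths above describe and the triage this section calls for: it enumerates the custom and system AppPatch locations, hashes each file, records the four documented fields, and separates custom databases and files lacking an SDB header for review. It builds a constructed directory tree so it runs anywhere; the SDB header layout it checks (two 32-bit version fields followed by the ASCII magic 'sdbf') is an assumption not stated on the page, and the function names and sample file names are mine.

```python
"""Added example: enumerate shim database (.sdb) files from the AppPatch
locations listed above and emit records with the documented fields.
Not the collector's own code; the header check is an assumption about the
SDB format and the sample tree is constructed data."""
import hashlib
import struct
import tempfile
from pathlib import Path

# Glob patterns relative to the system drive root, one per location on the page.
# Written with the AppPatch casing the page's example path uses; NTFS is
# case-insensitive, so on a live host this also matches the lowercase spelling.
SDB_LOCATIONS = {
    "Windows/AppPatch/Custom/*.sdb": "custom-32bit",
    "Windows/AppPatch/Custom/Custom64/*.sdb": "custom-64bit",
    "Windows/AppPatch/*.sdb": "system",
}

# SDB header layout: uint32 major version, uint32 minor version, then the
# ASCII magic 'sdbf' (assumption about the format; the page does not describe it).
SDB_MAGIC = b"sdbf"


def sha256_of(path):
    """Hash the file in chunks so large system databases are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def has_sdb_header(path):
    """True when the first 12 bytes parse as an SDB header with the expected magic."""
    with open(path, "rb") as fh:
        head = fh.read(12)
    if len(head) < 12:
        return False
    _major, _minor, magic = struct.unpack("<II4s", head)
    return magic == SDB_MAGIC


def collect_sdb(system_root):
    """Return one record per .sdb file found under the three collection paths."""
    root = Path(system_root)
    records = []
    for pattern, location in SDB_LOCATIONS.items():
        for f in sorted(root.glob(pattern)):
            if not f.is_file():
                continue
            records.append({
                "Name": "SDB",                  # Artifact name
                "Type": "File",
                "SourcePath": str(f),           # Original file path
                "Path": "Other/" + f.name,      # Relative path in evidence
                "Location": location,
                "Size": f.stat().st_size,
                "SHA256": sha256_of(f),
                "ValidHeader": has_sdb_header(f),
            })
    return records


def flag_for_review(records):
    """Triage: custom databases are the ones installed per machine (where T1546.011
    persistence lands), and a file without an SDB header is not what its name claims."""
    return [r for r in records if r["Location"] != "system" or not r["ValidHeader"]]


def build_sample_tree(base):
    """Create a constructed Windows-like tree with sample .sdb files for a dry run."""
    base = Path(base)
    header = struct.pack("<II4s", 2, 1, SDB_MAGIC)
    samples = {
        "Windows/AppPatch/sysmain.sdb": header + b"\x00" * 32,
        "Windows/AppPatch/Custom/custom_fix.sdb": header + b"\x00" * 32,
        "Windows/AppPatch/Custom/Custom64/custom64_fix.sdb": header + b"\x00" * 32,
        "Windows/AppPatch/Custom/notreally.sdb": b"MZ" + b"\x00" * 40,  # .sdb name, wrong header
    }
    for rel, data in samples.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return base


def run_demo():
    """Collect from a constructed tree; on a live host call collect_sdb("C:/") instead."""
    return collect_sdb(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for rec in run_demo():
        status = "header-ok" if rec["ValidHeader"] else "BAD-HEADER"
        print(rec["Location"], rec["Path"], rec["SHA256"][:16], status)
```

The system pattern deliberately does not recurse, so each file is recorded once; the relative evidence path mirrors the `Other/<name>` convention from the table above, and the hash lets the collected file be matched against the copy later sent to the investigation hub.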
