# Shim Database

## Overview

**Evidence:** SDB\
**Description:** Collect SDB\
**Category:** System\
**Platform:** windows\
**Short Name:** sdb\
**Is Parsed:** No\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** Yes

## Background

The Windows Application Compatibility infrastructure uses shim databases (.sdb files) to apply compatibility fixes ("shims") to applications at load time. Custom shim databases can be created and registered to modify application behavior: redirect file and registry access, load a DLL into the target process (the `InjectDll` shim), run a different executable in place of the target (`RedirectEXE`), and apply other fixes. Installing a custom database with `sdbinst.exe` copies it into `AppPatch\Custom` (or `AppPatch\Custom\Custom64`) under its database GUID and registers it under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom` and `...\AppCompatFlags\InstalledSDB`.

Attackers have abused this mechanism for persistence and to load malicious code into legitimate processes: once a database is registered, the shim is applied every time the targeted executable starts, under that process's identity, without modifying the executable on disk (MITRE ATT&CK T1546.011, Application Shimming).

## Data Collected

This collector copies the shim database files themselves and records the following metadata for each one. The .sdb contents are not parsed by the collector (see **Is Parsed** above), so the files must be examined with a separate tool.

### SDB Data

| Field        | Description               | Example                                  |
| ------------ | ------------------------- | ---------------------------------------- |
| `Name`       | Artifact name             | SDB                                      |
| `Type`       | Artifact type             | File                                     |
| `SourcePath` | Original file path        | C:\Windows\AppPatch\Custom\malicious.sdb |
| `Path`       | Relative path in evidence | Other/malicious.sdb                      |

## Collection Method

This collector collects shim database files from the following locations (paths relative to the system drive):

* `Windows\apppatch\Custom\*.sdb` - Custom 32-bit shim databases
* `Windows\apppatch\Custom\Custom64\*.sdb` - Custom 64-bit shim databases
* `Windows\apppatch\*.sdb` - System shim databases (for example `sysmain.sdb`, which defines the built-in shims)

Note that `sdbinst.exe` stores an installed custom database under its database GUID (`{GUID}.sdb`), so the file name in the `Custom` directories does not reflect the name the author gave the database; that name, and the GUID, are inside the file and in the corresponding `InstalledSDB` registry key.

## Forensic Value

Shim databases reveal which executables have compatibility fixes applied and, for custom databases, which shims and arguments are applied to them. Investigators use the collected files to detect malicious shim persistence (MITRE ATT&CK T1546.011, Application Shimming), identify DLL injection via the `InjectDll` shim (the DLL path appears as the shim's command line) or execution redirection via `RedirectEXE`, track custom compatibility fixes, and detect application behavior modifications. Custom databases are also deployed legitimately (for example by the Application Compatibility Toolkit in enterprise environments), so presence alone is not proof of compromise: correlate each file with the `AppCompatFlags\Custom` and `AppCompatFlags\InstalledSDB` registry keys, the database GUID and name stored inside the file, the file's creation time, and evidence of `sdbinst.exe` execution from process creation logs or Prefetch.
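Because the collector copies the .sdb files without parsing them, an investigator needs a way to see what a collected custom database actually does. The following is an added example, not part of this collector or of any vendor tool: a minimal walker for the SDB tag stream (DWORD major version, DWORD minor version, the `sdbf` magic, then a sequence of typed tags where list, string and binary tags carry a DWORD size) that extracts the database name and GUID, the targeted executables, their matching-file patterns and the shims applied to each, flagging `InjectDll` and `RedirectEXE`. The tag numbers are the public apphelp values; the way string references are resolved (as the offset of a `STRINGTABLE_ITEM` tag relative to the start of the `STRINGTABLE` list data) is my reading of the format and is labelled as an assumption in the code. `build_sample_sdb()` constructs a synthetic database for the example; the GUID, file names and DLL path in it are made up.

```python
"""Minimal shim database (.sdb) tag-stream triage for collected SDB files (added example)."""
import json
import struct
import sys
import uuid

SDB_MAGIC = b"sdbf"        # at file offset 8, after the two DWORD version fields
TAG_TYPE_MASK = 0xF000     # high nibble of a tag is its data type
TAG_TYPE_NULL, TAG_TYPE_BYTE, TAG_TYPE_WORD = 0x1000, 0x2000, 0x3000
TAG_TYPE_DWORD, TAG_TYPE_QWORD, TAG_TYPE_STRINGREF = 0x4000, 0x5000, 0x6000
TAG_TYPE_LIST, TAG_TYPE_STRING, TAG_TYPE_BINARY = 0x7000, 0x8000, 0x9000
SIZED_TYPES = (TAG_TYPE_LIST, TAG_TYPE_STRING, TAG_TYPE_BINARY)

TAG_DATABASE, TAG_EXE, TAG_MATCHING_FILE, TAG_SHIM_REF = 0x7001, 0x7007, 0x7008, 0x7009
TAG_STRINGTABLE, TAG_STRINGTABLE_ITEM = 0x7801, 0x8801
TAG_NAME, TAG_COMMAND_LINE, TAG_TIME, TAG_DATABASE_ID = 0x6001, 0x6008, 0x5001, 0x9007

SUSPICIOUS_SHIMS = {"InjectDll", "RedirectEXE"}   # starting point, extend as needed


def _parse(data, start, end):
    """Parse the tag stream in data[start:end] into a list of node dicts (lists recurse)."""
    nodes, pos = [], start
    while pos + 2 <= end:
        tag_offset = pos
        (tag,) = struct.unpack_from("<H", data, pos)
        pos += 2
        ttype = tag & TAG_TYPE_MASK
        if ttype == TAG_TYPE_NULL:
            value, data_offset = None, pos
        elif ttype in (TAG_TYPE_BYTE, TAG_TYPE_WORD, TAG_TYPE_DWORD, TAG_TYPE_QWORD, TAG_TYPE_STRINGREF):
            fmt = {TAG_TYPE_BYTE: "<B", TAG_TYPE_WORD: "<H", TAG_TYPE_QWORD: "<Q"}.get(ttype, "<I")
            (value,), data_offset = struct.unpack_from(fmt, data, pos), pos
            pos += struct.calcsize(fmt)
        elif ttype in SIZED_TYPES:
            (size,) = struct.unpack_from("<I", data, pos)
            pos += 4
            if pos + size > end:
                raise ValueError(f"tag 0x{tag:04x} at offset {tag_offset} overruns its parent")
            data_offset = pos
            if ttype == TAG_TYPE_LIST:
                value = _parse(data, pos, pos + size)
            elif ttype == TAG_TYPE_STRING:
                value = data[pos:pos + size].decode("utf-16-le").rstrip("\x00")
            else:
                value = bytes(data[pos:pos + size])
            pos += size
        else:
            raise ValueError(f"unknown tag type 0x{ttype:04x} at offset {tag_offset}")
        nodes.append({"tag": tag, "offset": tag_offset, "data": data_offset, "value": value})
    return nodes


def _string_table(root):
    """Assumption: a STRINGREF is the offset of a STRINGTABLE_ITEM tag relative to the
    first byte of the STRINGTABLE list data."""
    table = {}
    for node in root:
        if node["tag"] == TAG_STRINGTABLE:
            for item in node["value"]:
                if item["tag"] == TAG_STRINGTABLE_ITEM:
                    table[item["offset"] - node["data"]] = item["value"]
    return table


def _string(children, tag, strings):
    """Return the string for the first child with this tag, resolving STRINGREFs."""
    node = next((c for c in children if c["tag"] == tag), None)
    if node is None:
        return None
    if node["tag"] & TAG_TYPE_MASK == TAG_TYPE_STRINGREF:
        return strings.get(node["value"], f"<unresolved stringref {node['value']}>")
    return node["value"]


def _exe_entry(exe, strings):
    entry = {"name": _string(exe["value"], TAG_NAME, strings), "matching_files": [], "shims": []}
    for child in exe["value"]:
        if child["tag"] == TAG_MATCHING_FILE:
            entry["matching_files"].append(_string(child["value"], TAG_NAME, strings))
        elif child["tag"] == TAG_SHIM_REF:
            shim = _string(child["value"], TAG_NAME, strings)
            entry["shims"].append({"shim": shim,
                                   "command_line": _string(child["value"], TAG_COMMAND_LINE, strings),
                                   "suspicious": shim in SUSPICIOUS_SHIMS})
    return entry


def triage_sdb(data):
    """Summarise a shim database: name, GUID, and the shims applied to each executable."""
    if len(data) < 12 or data[8:12] != SDB_MAGIC:
        raise ValueError("not a shim database (missing 'sdbf' magic at offset 8)")
    root = _parse(data, 12, len(data))
    strings = _string_table(root)
    report = {"version": struct.unpack_from("<II", data, 0), "database": None, "database_id": None, "exes": []}
    for node in root:
        if node["tag"] != TAG_DATABASE:
            continue
        report["database"] = _string(node["value"], TAG_NAME, strings)
        for child in node["value"]:
            if child["tag"] == TAG_DATABASE_ID and len(child["value"]) == 16:
                report["database_id"] = str(uuid.UUID(bytes_le=child["value"]))  # GUID used as {GUID}.sdb
            elif child["tag"] == TAG_EXE:
                report["exes"].append(_exe_entry(child, strings))
    return report


def _tag(tag, payload=b""):
    """Serialise one tag; list/string/binary tags carry a DWORD size before the payload."""
    if (tag & TAG_TYPE_MASK) in SIZED_TYPES:
        return struct.pack("<HI", tag, len(payload)) + payload
    return struct.pack("<H", tag) + payload


class _StringTable:
    def __init__(self):
        self.buf, self.refs = b"", {}

    def ref(self, text):
        """Intern text and return the 4-byte STRINGREF payload pointing at it."""
        if text not in self.refs:
            self.refs[text] = len(self.buf)
            self.buf += _tag(TAG_STRINGTABLE_ITEM, text.encode("utf-16-le") + b"\x00\x00")
        return struct.pack("<I", self.refs[text])


SAMPLE_DB_ID = uuid.UUID("11111111-2222-3333-4444-555555555555")   # constructed, not a real GUID


def build_sample_sdb():
    """Constructed sample (not a real file): a custom SDB applying InjectDll to notepad.exe."""
    st = _StringTable()
    shim_ref = _tag(TAG_SHIM_REF, _tag(TAG_NAME, st.ref("InjectDll"))
                    + _tag(TAG_COMMAND_LINE, st.ref("C:\\ProgramData\\update.dll")))
    exe = _tag(TAG_EXE, _tag(TAG_NAME, st.ref("notepad.exe"))
               + _tag(TAG_MATCHING_FILE, _tag(TAG_NAME, st.ref("*"))) + shim_ref)
    database = _tag(TAG_DATABASE, _tag(TAG_TIME, struct.pack("<Q", 0)) + _tag(TAG_NAME, st.ref("Sample Fix"))
                    + _tag(TAG_DATABASE_ID, SAMPLE_DB_ID.bytes_le) + exe)
    return struct.pack("<II", 2, 1) + SDB_MAGIC + database + _tag(TAG_STRINGTABLE, st.buf)


if __name__ == "__main__":
    # Usage: python sdb_triage.py [collected.sdb ...]; with no arguments, triage the constructed sample.
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [build_sample_sdb()]
    for blob in blobs:
        print(json.dumps(triage_sdb(blob), indent=2))
```

Run it over every file under `Other/` in the collected evidence and review any `suspicious: true` entry together with the registry keys and `sdbinst.exe` execution evidence mentioned above; a database whose `database_id` has no matching `InstalledSDB` key was either removed from the registry or placed in `AppPatch\Custom` by some other means, both of which deserve a closer look.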
