Shim Database
Overview
Evidence: Shim Database
Description: Collect Shim Database
Category: Other Evidence
Platform: Windows
Short Name: sdb
Is Parsed: No - Raw SDB files
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows Application Compatibility infrastructure uses shim databases (.sdb files) to apply compatibility fixes to applications. Custom shim databases can be created to modify application behavior, redirect file access, inject DLLs, and perform other compatibility fixes.
Attackers have abused shim databases as a persistence mechanism and to inject malicious code into legitimate processes (similar to DLL search order hijacking).
Data Collected
Field | Description | Example
Name | Artifact name | SDB
Type | File | File
SourcePath | Original file path | C:\Windows\AppPatch\Custom\malicious.sdb
Path | Relative path in evidence | Other/malicious.sdb
Collection Method
This collector collects shim database files from:
- Windows\apppatch\Custom\*.sdb (custom 32-bit shim databases)
- Windows\apppatch\Custom\Custom64\*.sdb (custom 64-bit shim databases)
- Windows\apppatch\*.sdb (system shim databases)
Usage
Shim databases can reveal application compatibility fixes and potential abuse for persistence or code injection. Investigators use this data to detect malicious shim persistence (MITRE T1546.011), identify DLL injection via shims, track custom compatibility fixes, and detect application behavior modifications.
Known Limitations
- The SDB file format is proprietary
- Parsing requires specialized tools
- Custom shims may be rare on typical systems
- Presence doesn't always indicate malicious use
Notes
Custom SDB files in the AppPatch\Custom directories should be carefully examined as they may indicate persistence or code injection attempts. Use tools like sdb-explorer or Windows SDK sdbinst to analyze SDB files.
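As an added example, not part of this page or the collector, here is a minimal Python walker over the raw .sdb tag-length-value layout that surfaces the entries an analyst checks first when triaging a custom database (EXE, SHIM_REF, SHIM, DLLFILE). The tag ids, the 12-byte 'sdbf' header and the rule that a STRINGREF is an offset relative to the TAG_STRINGTABLE tag are assumptions taken from public descriptions of the format, and build_sample() constructs a tiny in-memory database rather than reading a real one.

```python
import struct

T_STRINGREF, T_LIST, T_STRING, T_BINARY = 0x6000, 0x7000, 0x8000, 0x9000  # tag type = high nibble (assumed layout)
FIXED = {0x1000: 0, 0x2000: 1, 0x3000: 2, 0x4000: 4, 0x5000: 8, T_STRINGREF: 4}  # NULL, BYTE, WORD, DWORD, QWORD
TAG_STRINGTABLE, TAG_STRINGTABLE_ITEM = 0x7801, 0x8801
NAMES = {0x7001: "DATABASE", 0x7002: "LIBRARY", 0x7003: "INEXCLUDE", 0x7004: "SHIM", 0x7007: "EXE",
         0x7009: "SHIM_REF", 0x6001: "NAME", 0x6003: "MODULE", 0x6007: "DLLFILE"}  # assumed tag ids worth surfacing

def parse_tags(data, start, end, depth=0):
    """Flatten the tag tree in data[start:end] into (offset, depth, tag, value) tuples."""
    out, pos = [], start
    while pos + 2 <= end:
        kind = (tag := struct.unpack_from("<H", data, pos)[0]) & 0xF000
        if kind in FIXED:                       # fixed-size scalar; a STRINGREF holds a DWORD offset
            size = FIXED[kind]
            out.append((pos, depth, tag, int.from_bytes(data[pos + 2:pos + 2 + size], "little")))
            pos += 2 + size
        elif kind in (T_LIST, T_STRING, T_BINARY):  # DWORD length, then payload
            size = struct.unpack_from("<I", data, pos + 2)[0]
            body = data[pos + 6:pos + 6 + size]
            text = body.decode("utf-16-le").rstrip("\0") if kind == T_STRING else body.hex()
            out.append((pos, depth, tag, None if kind == T_LIST else text))
            if kind == T_LIST:                  # recurse into the list's children
                out.extend(parse_tags(data, pos + 6, pos + 6 + size, depth + 1))
            pos += 6 + size
        else:
            raise ValueError(f"unknown tag type 0x{kind:04x} at offset {pos}")
    return out

def triage(data):
    """Return (depth, name, value) rows for the tags in NAMES, with STRINGREFs resolved."""
    if data[8:12] != b"sdbf":                   # 12-byte header: major, minor, 'sdbf' magic
        raise ValueError("not an SDB file: 'sdbf' magic missing")
    tags = parse_tags(data, 12, len(data))
    table_off = next((o for o, _, t, _ in tags if t == TAG_STRINGTABLE), 0)  # STRINGREF offsets are relative to this tag (assumption)
    strings = {o - table_off: v for o, _, t, v in tags if t == TAG_STRINGTABLE_ITEM}
    return [(d, NAMES[t], strings.get(v, f"<strref {v}>") if t & 0xF000 == T_STRINGREF else v)
            for _, d, t, v in tags if t in NAMES]

def _tag(tag, payload=b""):                     # list/string/binary tags carry a DWORD length
    return (struct.pack("<HI", tag, len(payload)) if tag & 0xF000 >= T_LIST else struct.pack("<H", tag)) + payload

def build_sample():
    """Constructed in-memory SDB (not a real database): a shim that loads evil.dll into target.exe."""
    names = ["target.exe", "InjectDll", "evil.dll"]
    items = [_tag(TAG_STRINGTABLE_ITEM, (n + "\0").encode("utf-16-le")) for n in names]
    ref = lambda tag, n: _tag(tag, struct.pack("<I", 6 + sum(map(len, items[:names.index(n)]))))
    shim = _tag(0x7002, _tag(0x7004, ref(0x6001, "InjectDll") + ref(0x6007, "evil.dll")))  # LIBRARY > SHIM
    exe = _tag(0x7007, ref(0x6001, "target.exe") + _tag(0x7009, ref(0x6001, "InjectDll")))  # EXE > SHIM_REF
    return struct.pack("<II4s", 2, 1, b"sdbf") + _tag(0x7001, shim + exe) + _tag(TAG_STRINGTABLE, b"".join(items))
```

Running triage() over a collected .sdb prints the indented tag rows; a SHIM whose DLLFILE is not a Microsoft shim DLL, or an EXE entry naming a DLL-loading shim, is what the Notes above ask to examine.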