Amcache.hve and the Shimcache (AppCompatCache) are Windows compatibility subsystem artefacts that serve as forensic goldmines. Both are frequently present on compromised hosts long after attackers have cleaned up because they are not obviously security-relevant artefacts — most cleanup scripts and attacker playbooks do not target them.
Shimcache — registry location and structure
The Shimcache is stored in the SYSTEM hive:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Value: AppCompatCache (REG_BINARY)
The binary data contains a series of records. Each record stores:
- Full file path
- Last modified time (from the file system $STANDARD_INFORMATION attribute)
- File size
- Shimcache entry insert time (not available on all Windows versions)
- Execution flag (Windows XP/2003 only — later versions removed this)
Critical note: From Windows Vista onwards, Shimcache records file presence (the file existed and was parsed by the compatibility layer) but does NOT confirm execution. A file dropped to disk but never run will still appear.
Parsing with AppCompatCacheParser
# Extract SYSTEM hive from live system or forensic image
# Live system (admin required). Note: the running cache is held in memory and
# written back to the hive at shutdown/reboot, so a live export can lag behind
# the most recent entries.
reg save HKLM\SYSTEM C:\Temp\SYSTEM.hive /y

# From forensic image:
cp /mnt/image/Windows/System32/config/SYSTEM /tmp/

# Parse with AppCompatCacheParser (Eric Zimmerman toolkit)
AppCompatCacheParser.exe -f SYSTEM.hive --csv C:\Output\

# Or on Linux with regipy:
pip install regipy
registry-explorer SYSTEM -p "ControlSet001\Control\Session Manager\AppCompatCache"
Sample output (CSV columns):
ControlSet,CacheEntryPosition,Path,LastModifiedTimeUTC,Executed,Duplicate,SourceFile
1,0,C:\Windows\System32\svchost.exe,2023-09-18 20:14:33,Yes,,SYSTEM.hive
1,1,C:\Users\victim\AppData\Roaming\Microsoft\svchost.exe,2023-09-18 23:22:41,No,,SYSTEM.hive
Entry at position 1 is suspicious: a file named svchost.exe in a user’s AppData directory (svchost.exe is only legitimate in System32), present at 23:22:41 — within the incident window.
Amcache — location and structure
Amcache.hve is a separate registry hive at:
C:\Windows\AppCompat\Programs\Amcache.hve
Unlike Shimcache, Amcache does record execution events. The main keys within the hive are:
Root\InventoryApplicationFile\ - installed application files
Root\Programs\ - program installations
Root\File\{volume_guid}\ - individual file execution records
Each file execution record contains:
- Full path
- SHA1 hash
- File size and compile timestamp
- Publisher from PE certificate or version resource
- First execution time (linked time)
Parsing with AmcacheParser
AmcacheParser.exe -f Amcache.hve --csv C:\Output\

# Key output file: Amcache_UnassociatedFileEntries.csv
# This contains file executions not tied to an installed application
Pivoting on the SHA1 hash is the most valuable capability:
# Check a hash from Amcache against VirusTotal
curl -s "https://www.virustotal.com/api/v3/files/<SHA1>" \
  -H "x-apikey: <your_key>" \
  | python3 -m json.tool | grep "malicious\|suspicious"
Practical investigation workflow
Given a known incident window (e.g. 23:00-01:00 on 2023-09-18), filter both artefacts to that window:
python3 << 'EOF'
import csv
from datetime import datetime

incident_start = datetime(2023, 9, 18, 23, 0, 0)
incident_end = datetime(2023, 9, 19, 1, 0, 0)
# Compared case-insensitively: Shimcache stores paths in whatever case the caller used
trusted_prefixes = ("c:\\windows\\", "c:\\program files")

with open("AppCompatCache.csv", newline="") as f:
    for row in csv.DictReader(f):
        try:
            ts = datetime.strptime(row["LastModifiedTimeUTC"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue  # empty or malformed timestamp column
        if incident_start <= ts <= incident_end:
            path = row["Path"]
            # Flag anything outside of Windows and Program Files directories
            if not path.lower().startswith(trusted_prefixes):
                print(f"[SHIMCACHE] {ts} {path}")
EOF
This surfaces attacker tools that ran from unusual paths (Desktop, Temp, AppData, Downloads) within the incident window, even if the files themselves have been deleted.
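The workflow above filters only the Shimcache side. As an added example (not part of the original article), the script below applies the same incident-window filter and then joins each hit to the Amcache SHA1 recorded for the same path, so the hash can be pivoted on directly. The Amcache column names FullPath, SHA1 and FileKeyLastWriteTimestamp are assumed from AmcacheParser's Amcache_UnassociatedFileEntries.csv layout, and every row is a constructed sample.

```python
import csv
import io
from datetime import datetime
# Constructed sample rows in the shape of AppCompatCacheParser and
# AmcacheParser (Amcache_UnassociatedFileEntries.csv) output; not case data.
SHIMCACHE_CSV = r"""ControlSet,CacheEntryPosition,Path,LastModifiedTimeUTC,Executed,Duplicate,SourceFile
1,0,C:\Windows\System32\svchost.exe,2023-09-18 20:14:33,Yes,,SYSTEM.hive
1,1,C:\Users\victim\AppData\Roaming\Microsoft\svchost.exe,2023-09-18 23:22:41,No,,SYSTEM.hive
1,2,C:\Users\victim\Downloads\invoice.exe,2023-09-19 00:05:10,No,,SYSTEM.hive
"""
# The SHA1 column holds placeholder strings, not real hashes.
AMCACHE_CSV = r"""FullPath,SHA1,FileKeyLastWriteTimestamp,Size
c:\users\victim\appdata\roaming\microsoft\svchost.exe,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,2023-09-18 23:22:50,45056
c:\windows\system32\notepad.exe,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb,2023-09-18 10:00:00,201216
"""
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")

def norm(path):
    return path.strip().lower()  # Amcache lower-cases paths, Shimcache does not

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")

def shimcache_hits(csv_text, start, end):
    """Rows inside the window whose path lies outside trusted directories."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ts = parse_ts(row["LastModifiedTimeUTC"])
        except (KeyError, ValueError):
            continue  # empty or malformed timestamp
        if start <= ts <= end and not norm(row["Path"]).startswith(TRUSTED_PREFIXES):
            hits.append((ts, row["Path"]))
    return hits

def amcache_index(csv_text):
    """Normalised path -> (sha1, file key last-write time) from Amcache output."""
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            index[norm(row["FullPath"])] = (row["SHA1"].lower(), parse_ts(row["FileKeyLastWriteTimestamp"]))
        except (KeyError, ValueError):
            continue
    return index

def correlate(shim_csv, am_csv, start, end):
    """Shimcache hits in [start, end] (strings) with the Amcache record for the same path, or None."""
    index = amcache_index(am_csv)
    return [{"path": p, "shimcache_mtime": ts, "amcache": index.get(norm(p))}
            for ts, p in shimcache_hits(shim_csv, parse_ts(start), parse_ts(end))]
```

A hit with an Amcache match gives you a SHA1 to query even when the file has been deleted; a hit without one tells you the path was seen by the compatibility layer but never inventoried by Amcache.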