Amcache.hve and the Shimcache are Windows compatibility subsystem artefacts that consistently surface attacker tool execution during investigations. Attackers rarely think to clear them because they are not obviously security-relevant, and most automated cleanup scripts only target the locations that are written about in red team playbooks. These artefacts can place an attacker tool at a specific location at a specific time even after the file itself has been deleted.<\/p>\n
The Shimcache (AppCompatCache) and Amcache serve different purposes and have different forensic value. Understanding the distinction is important because confusing them leads to incorrect conclusions in investigations.<\/p>\n
\/\/ SHIMCACHE:\n\/\/ Registry location: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCompatCache\n\/\/ What it records: file PRESENCE (not execution, from Vista onwards)\n\/\/ Why it exists: application compatibility layer caching\n\/\/ Key fields: file path, last modified timestamp\n\/\/ Coverage: every executable touched by the filesystem, even if not run\n\/\/ Forensic value: proves a file existed on this system at this path\n\/\/ even if the file was deleted\n\/\/ DOES NOT prove the file executed (Vista and later)\n\n\/\/ AMCACHE:\n\/\/ Registry location (as a hive): C:\\Windows\\AppCompat\\Programs\\Amcache.hve\n\/\/ What it records: file EXECUTION (actual program runs)\n\/\/ Why it exists: application compatibility and telemetry\n\/\/ Key fields: file path, SHA1 hash, compile timestamp, publisher, first execution time\n\/\/ Coverage: programs that actually ran on the system\n\/\/ Forensic value: proves a file executed + provides hash for identification\n\/\/ even if the file was deleted\n\/\/ SHA1 hash survives renaming and can identify malware<\/pre>\nShimcache: parsing and analysis<\/h3>\n
\/\/ Extract the SYSTEM hive from a live system\nreg save HKLM\\SYSTEM C:\\ir\\SYSTEM.hive \/y\n\n\/\/ Extract from a forensic image\n\/\/ Mount the image first, then copy:\ncp \/mnt\/image\/Windows\/System32\/config\/SYSTEM \/tmp\/SYSTEM.hive\n\n\/\/ Parse with AppCompatCacheParser (Eric Zimmermann toolkit)\n\/\/ Download: https:\/\/ericzimmerman.github.io\/\n\nAppCompatCacheParser.exe -f SYSTEM.hive --csv C:\\ir\\ --csvf shimcache.csv\n\n\/\/ Sample output fields:\n\/\/ ControlSet, CacheEntryPosition, Path, LastModifiedTimeUTC, Executed, Duplicate\n\n\/\/ Key analysis: find executables in unusual locations\npython3 << EOF\nimport csv\nfrom datetime import datetime\n\nsuspicious_paths = []\nwith open("shimcache.csv") as f:\n for row in csv.DictReader(f):\n path = row.get("Path", "")\n # Flag executables outside of standard Windows locations\n if path and not any(path.startswith(p) for p in [\n "C:\\\\Windows\\\\", "C:\\\\Program Files", "C:\\\\Program Files (x86)"\n ]):\n suspicious_paths.append({\n "path": path,\n "modified": row.get("LastModifiedTimeUTC", ""),\n "position": row.get("CacheEntryPosition", "")\n })\n\nsuspicious_paths.sort(key=lambda x: x["modified"], reverse=True)\nfor entry in suspicious_paths[:50]:\n print(f"[{entry['position']:4s}] {entry['modified']} {entry['path']}")\nEOF<\/pre>\nAmcache: parsing and analysis<\/h3>\n
\/\/ The Amcache hive cannot be copied while the system is running\n\/\/ Option 1: Copy via reg save (may not work for Amcache specifically)\n\/\/ Option 2: Use a shadow copy or VSS snapshot\n\/\/ Option 3: Extract from a forensic image\n\n\/\/ Parse with AmcacheParser (Eric Zimmermann toolkit)\nAmcacheParser.exe -f Amcache.hve --csv C:\\ir\\ --csvf amcache.csv\n\n\/\/ This produces multiple CSV files:\n\/\/ amcache_UnassociatedFileEntries.csv - programs that ran without being installed\n\/\/ amcache_ProgramEntries.csv - installed applications\n\/\/ amcache_DriverBinaries.csv - driver files\n\n\/\/ The UnassociatedFileEntries is most interesting for IR\n\/\/ It contains executables that ran but were never formally installed\n\npython3 << EOF\nimport csv, hashlib, subprocess\n\nprint("Checking Amcache SHA1 hashes against VirusTotal...")\nprint("(Rate limit: 4 requests\/minute for free tier)")\nprint()\n\nwith open("amcache_UnassociatedFileEntries.csv") as f:\n for row in csv.DictReader(f):\n sha1 = row.get("SHA1", "")\n path = row.get("FullPath", "")\n first_run = row.get("FileKeyLastWriteTimestamp", "")\n\n if not sha1:\n continue\n\n # Flag executables from unusual locations\n if not any(path.startswith(p) for p in [\n "c:\\\\windows\\\\", "c:\\\\program files"\n ]):\n print(f"UNUSUAL PATH: {path}")\n print(f" First execution: {first_run}")\n print(f" SHA1: {sha1}")\n print(f" VT check: https:\/\/www.virustotal.com\/gui\/file\/{sha1}")\n print()\nEOF<\/pre>\nTimeline correlation between both artefacts<\/h3>\n
\/\/ Build a unified execution timeline from both sources\npython3 << EOF\nimport csv\nfrom datetime import datetime\n\nevents = []\n\n# Load Shimcache entries\ntry:\n with open("shimcache.csv") as f:\n for row in csv.DictReader(f):\n path = row.get("Path", "")\n ts_str = row.get("LastModifiedTimeUTC", "")\n if path and ts_str:\n try:\n ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")\n events.append({\n "source": "SHIMCACHE",\n "time": ts,\n "path": path,\n "detail": f"File modified\/touched"\n })\n except:\n pass\nexcept FileNotFoundError:\n print("shimcache.csv not found")\n\n# Load Amcache entries\ntry:\n with open("amcache_UnassociatedFileEntries.csv") as f:\n for row in csv.DictReader(f):\n path = row.get("FullPath", "")\n ts_str = row.get("FileKeyLastWriteTimestamp", "")\n sha1 = row.get("SHA1", "")\n if path and ts_str:\n try:\n ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")\n events.append({\n "source": "AMCACHE",\n "time": ts,\n "path": path,\n "detail": f"SHA1={sha1}"\n })\n except:\n pass\nexcept FileNotFoundError:\n print("amcache_UnassociatedFileEntries.csv not found")\n\n# Define incident window\nincident_start = datetime(2023, 9, 18, 22, 0, 0)\nincident_end = datetime(2023, 9, 19, 2, 0, 0)\n\n# Filter and sort by time\nwindow_events = [e for e in events if incident_start <= e["time"] <= incident_end]\nwindow_events.sort(key=lambda x: x["time"])\n\nprint(f"Events in incident window ({incident_start} to {incident_end}):")\nprint()\nfor e in window_events:\n # Highlight executables from suspicious locations\n suspicious = not any(e["path"].startswith(p) for p in [\n "C:\\\\Windows\\\\", "c:\\\\windows\\\\",\n "C:\\\\Program Files", "c:\\\\program files"\n ])\n flag = " <<< SUSPICIOUS LOCATION" if suspicious else ""\n print(f"[{e['source']:10s}] {e['time']} {e['path']}{flag}")\n if e["detail"]:\n print(f" {e['detail']}")\nEOF<\/pre>\nPractical investigation example<\/h3>\n
\/\/ Scenario: Attacker ran Mimikatz from C:\\Users\\Public\\ and deleted it\n\/\/ How to find it:\n\n\/\/ 1. Shimcache shows the file existed (even if deleted)\ngrep -i \"mimikatz\\|mimi\" shimcache.csv\n\/\/ Returns: C:\\Users\\Public\\m.exe (possibly renamed, check the hash)\n\n\/\/ 2. Amcache shows the file ran and provides the hash\ngrep -i \"Users\\\\\\\\Public\" amcache_UnassociatedFileEntries.csv\n\/\/ Returns: C:\\Users\\Public\\m.exe SHA1=abc123...\n\/\/ Check SHA1 on VirusTotal: \"Win64\/Mimikatz.A detected by 68\/72 vendors\"\n\n\/\/ 3. Prefetch confirms the exact run times\nGet-ChildItem C:\\Windows\\Prefetch\\*.pf | Where-Object {$_.Name -match \"^M\\.EXE\"}\n\/\/ M.EXE-3A27C2B8.pf LastWriteTime: 2023-09-18 23:28:44\n\n\/\/ The attacker deleted m.exe but the trail is still there across three artefacts\n\/\/ Shimcache proves it existed at that path\n\/\/ Amcache proves it ran and provides the hash that identifies it\n\/\/ Prefetch gives the exact execution timestamp and referenced files<\/pre>\n","protected":false},"excerpt":{"rendered":"Two Windows artefacts that consistently come up in
\ninvestigations because attackers rarely think to clear them.<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-195","post","type-post","status-publish","format-standard","hentry","category-dfir"],"_links":{"self":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/195","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/comments?post=195"}],"version-history":[{"count":4,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/195\/revisions"}],"predecessor-version":[{"id":284,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/195\/revisions\/284"}],"wp:attachment":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/media?parent=195"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/categories?post=195"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/tags?post=195"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}