Amcache.hve and the Shimcache (AppCompatCache) are Windows compatibility subsystem artefacts that serve as forensic goldmines. Both are frequently present on compromised hosts long after attackers have cleaned up because they are not obviously
\nsecurity-relevant artefacts \u2014 most cleanup scripts and attacker playbooks do not target them.<\/p>\n
The Shimcache is stored in the SYSTEM hive:<\/p>\n
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCompatCache\nValue: AppCompatCache (REG_BINARY)<\/pre>\nThe binary data contains a series of records. Each record stores:<\/p>\n
Critical note:<\/strong> From Windows Vista onwards, Shimcache records file presence (the file existed and was parsed by the compatibility layer) but does NOT confirm execution. A file dropped to disk but never run will still appear.<\/p>\n Sample output (CSV columns):<\/p>\n Entry at position 1 is suspicious: a file named svchost.exe in a user’s AppData directory (svchost.exe is only legitimate in System32), present at 23:22:41 \u2014 within the incident window.<\/p>\n Amcache.hve is a separate registry hive at:<\/p>\n Unlike Shimcache, Amcache does record execution events. Key registry keys within the hive:<\/p>\n Each file execution record contains:<\/p>\n Pivoting on the SHA1 hash is the most valuable capability:<\/p>\n Given a known incident window (e.g. 23:00-01:00 on 2023-09-18), filter both artefacts to that window:<\/p>\n This surfaces attacker tools that ran from unusual paths (Desktop, Temp, AppData, Downloads) within the incident window, even if the files themselves have been deleted.<\/p>\n","protected":false},"excerpt":{"rendered":" Two Windows artefacts that consistently come up inParsing with AppCompatCacheParser<\/h3>\n
# Extract SYSTEM hive from live system or forensic image\n# Live system (admin required):\nreg save HKLM\\SYSTEM C:\\Temp\\SYSTEM.hive \/y\n\n# From forensic image:\ncp \/mnt\/image\/Windows\/System32\/config\/SYSTEM \/tmp\/\n\n# Parse with AppCompatCacheParser (Eric Zimmermann toolkit)\nAppCompatCacheParser.exe -f SYSTEM.hive --csv C:\\Output\\\n\n# Or on Linux with regipy:\npip install regipy\nregistry-explorer SYSTEM -p \"ControlSet001\\Control\\Session Manager\\AppCompatCache\"<\/pre>\n
ControlSet,CacheEntryPosition,Path,LastModifiedTimeUTC,Executed,Duplicate,SourceFile\n1,0,C:\\Windows\\System32\\svchost.exe,2023-09-18 20:14:33,Yes,,SYSTEM.hive\n1,1,C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\svchost.exe,2023-09-18 23:22:41,No,,SYSTEM.hive<\/pre>\n
Amcache \u2014 location and structure<\/h3>\n
C:\\Windows\\AppCompat\\Programs\\Amcache.hve<\/pre>\n
Root\\InventoryApplicationFile\\ - installed application files\nRoot\\Programs\\ - program installations\nRoot\\File\\{volume_guid}\\ - individual file execution records<\/pre>\n\n
Parsing with AmcacheParser<\/h3>\n
AmcacheParser.exe -f Amcache.hve --csv C:\\Output\\\n\n# Key output file: Amcache_UnassociatedFileEntries.csv\n# This contains file executions not tied to an installed application<\/pre>\n
# Check a hash from Amcache against VirusTotal\ncurl -s \"https:\/\/www.virustotal.com\/api\/v3\/files\/<SHA1>\" \\\n -H \"x-apikey: <your_key>\" \\\n | python3 -m json.tool | grep \"malicious\\|suspicious\"<\/pre>\n
Practical investigation workflow<\/h3>\n
python3 << EOF\nimport csv\nfrom datetime import datetime\n\nincident_start = datetime(2023, 9, 18, 23, 0, 0)\nincident_end = datetime(2023, 9, 19, 1, 0, 0)\n\nwith open("AppCompatCache.csv") as f:\n reader = csv.DictReader(f)\n for row in reader:\n try:\n ts = datetime.strptime(row["LastModifiedTimeUTC"], "%Y-%m-%d %H:%M:%S")\n if incident_start <= ts <= incident_end:\n path = row["Path"]\n # Flag anything outside of Windows and Program Files directories\n if not any(path.startswith(p) for p in [\n "C:\\Windows\\", "C:\\Program Files"\n ]):\n print(f"[SHIMCACHE] {ts} {path}")\n except:\n pass\nEOF<\/pre>\n
\ninvestigations because attackers rarely think to clear them.<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-195","post","type-post","status-publish","format-standard","hentry","category-dfir"],"_links":{"self":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/195","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/comments?post=195"}],"version-history":[{"count":2,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/195\/revisions"}],"predecessor-version":[{"id":237,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/195\/revisions\/237"}],"wp:attachment":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/media?parent=195"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/categories?post=195"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/tags?post=195"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}