Shimcache (AppCompatCache)
What is Shimcache (AppCompatCache)?
A Windows registry value that tracks executable metadata for application-compatibility checks; historically used as execution evidence, with important interpretation caveats.
Shimcache, formally the Application Compatibility Cache (AppCompatCache), is stored in the SYSTEM hive under ControlSet###\Control\Session Manager\AppCompatCache (the binary value itself is also named AppCompatCache). For each executable the AppCompat subsystem evaluated it records the full path and the file's $STANDARD_INFORMATION last-modified timestamp; Windows XP also stores the file size, and Windows 7 and 8.x add an insert flag that marks entries which actually ran, a flag Windows 10 and later no longer keep. Two caveats govern interpretation. First, the timestamp is the file's modification time, not the moment it executed; only an entry's position in the cache (most recently inserted or updated first) gives relative ordering. Second, the cache lives in memory and is serialized to the registry at shutdown or reboot, so live extraction can miss everything since the last boot, and an entry alone does not prove execution: on some versions a binary that Explorer merely displayed in a directory listing is registered, and on Windows 10 and later there is no flag to tell the two cases apart. The cache also holds a bounded number of entries (1,024 on 64-bit Windows 7 and later, fewer on older builds), so old items are evicted. On modern systems Amcache is more authoritative, but Shimcache remains valuable for legacy hosts and as corroborating evidence. Eric Zimmerman's AppCompatCacheParser is the standard tool.
● Examples
- 01
Confirming execution of an attacker tool on a Windows Server 2012 R2 host where Amcache is sparse.
- 02
Spotting a malicious binary that was placed in C:\PerfLogs\ even though it was deleted before shutdown.
● Frequently asked questions
What is Shimcache (AppCompatCache)?
A Windows registry value that tracks executable metadata for application-compatibility checks; historically used as execution evidence, with important interpretation caveats. It belongs to the Forensics & IR category of cybersecurity.
How does Shimcache (AppCompatCache) work?
Windows keeps the cache in memory and serializes it to the SYSTEM hive (ControlSet###\Control\Session Manager\AppCompatCache) at shutdown or reboot. Each entry stores an executable's path and its last-modified timestamp, plus on some versions the file size or an execution flag; entries are ordered most recent first. Investigators export the hive and parse it with AppCompatCacheParser, reading the result with the interpretation caveats given in the full definition above.
What are the interpretation caveats for Shimcache (AppCompatCache)?
The timestamp is the file's last-modified time, not when it ran; the cache is only flushed to disk at shutdown, so a live pull can miss recent entries; an entry does not by itself prove execution, and Windows 10 and later record no execution flag; and the cache holds a limited number of entries, so old ones are evicted. Corroborate with Amcache, Prefetch or other artifacts before treating an entry as proof that a binary ran.
What are other names for Shimcache (AppCompatCache)?
Common alternative names include: AppCompatCache, AppCompat Cache.
● Related terms
- forensics-ir№ 043
Amcache.hve
A Windows registry hive that records detailed metadata about every executable that has run or been present on a system, including SHA-1 hashes, providing strong execution evidence on modern Windows.
- forensics-ir№ 850
Prefetch Files
Windows .pf files in C:\Windows\Prefetch that record process startup data and provide strong forensic evidence that an executable ran on a system.
- forensics-ir№ 677
MFT (Master File Table)
The core NTFS metadata structure that stores one 1024-byte record per file or directory on a volume, anchoring nearly all Windows file-system forensics.
- forensics-ir№ 001
$UsnJrnl ($J)
The NTFS Update Sequence Number change journal that records every file-system operation, giving forensic investigators a high-resolution timeline of file creation, modification, and deletion.
- forensics-ir№ 568
Jump Lists
Per-application history files keyed by Windows AppID that record the recent files and tasks a user opened, providing strong evidence of file access tied to a specific program.