Home AppCompatCacheParser
Post
Cancel

AppCompatCacheParser

Posted Oct 5, 2022 Updated Oct 17, 2022
By darkcybe
1 min read

Overview

AppCompatCacheParser is a command line tool developed by Eric Zimmerman, to process the ShimCache (AppCompatCache) on Windows operating systems, identifying items such as:

  • Executable filepaths
  • Timestamp of last execution

Results can output the hive entries files into .csv for further analysis. Further Information the ShimCache can be found on Darkcybe - Evidence of Execution

Tool NameVersionMITRE ATT&CK TacticMITRE ATT&CK Technique
AppCompatCacheParserV1.5Execution 

Instructions

Interesting Fields

  • Path: Full filepath of executable
  • LastModifiedTimeUTC: Timestamp in UTC of last modification
  • Executed: Execution flag (applications can be shimmed without being executed)

Parsing the ShimCache (AppCompatCache) on a Live System

1

appcompatcacheparser.exe --csvf %OUTPUT_FILENAME%.csv --csv %OUTPUT_DIRECTORY%

Parsing the ShimCache (AppCompatCache) from a Forensic Copy

1

appcompatcacheparser.exe -f /PATH/TO/SYSTEM hive --csvf %OUTPUT_FILENAME%.csv --csv %OUTPUT_DIRECTORY%

Output

AppCompatCacheParser - Live CSV

Sources

DFIR Tools, Program Execution
shimcache appcompatcache appcompatcacheparser ez tools execution (T0002)
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents