AppCompactCache

Evidence: AppCompactCache
Description: Enumerate AppCompatCache (aka ShimCache)
Category: System
Platform: windows
Short Name: appcc
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

The Application Compatibility Cache (also known as Shimcache) tracks metadata about executable files to improve application compatibility. Windows records information about executables when they are run, and this data persists across reboots.

AppCompatCache can provide evidence of program execution and file presence, including programs that may have been deleted. The cache is stored in the registry and contains up to 1024 entries (varies by Windows version).

This collector gathers structured data about the AppCompatCache (ShimCache) entries found on the system.

| Field | Description | Example |
|---|---|---|
| KeyPath | Registry key path | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache |
| EntryName | Control set name | CurrentControlSet |
| Position | Position in cache | 0 |
| CachedFileSize | File size recorded in cache | 1048576 |
| CachedFileModified | Modification time in cache | 2023-10-15T14:30:00 |
| Executed | Whether file was executed (varies by OS version) | TRUE |

This collector:

  • Searches registry for AppCompatCache locations:
    • HKLM\SYSTEM\ControlSet00*\Control\Session Manager\AppCompatibility
    • HKLM\SYSTEM\ControlSet00*\Control\Session Manager\AppCompatCache
  • Reads the AppCompatCache binary registry value
  • Parses the cache data format (varies by Windows version)
  • Extracts file paths, timestamps, and execution flags
  • Normalizes file paths to full paths
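The steps above, read the binary value, parse the version-specific format, extract path and timestamp, normalize the path, are shown below for one layout: the "10ts" entry format used by Windows 10 and later. This is an added example written for this page, not the collector's own code. It works on raw value bytes (as read from an offline hive or exported from the live registry); the sample blob is constructed inside the file and is not real evidence. Windows 10 entries carry no execution flag, so `executed` is reported as `None` for this format, and only the two NT object-manager prefixes listed in `normalize_path` are handled (an assumption of this example).

```python
"""
Minimal offline parser for the Windows 10 ("10ts") AppCompatCache value.

Layout of the value (all little-endian):
    header: first DWORD is the header size, 0x30 on early Windows 10 builds,
            0x34 from the Creators Update on; entries start at that offset.
    per entry:
        4 bytes  signature "10ts"
        4 bytes  unknown
        4 bytes  entry size (number of bytes that follow this field)
        2 bytes  path length in bytes
        N bytes  path, UTF-16LE
        8 bytes  last-modified time, FILETIME (100-ns ticks since 1601, UTC)
        4 bytes  data length
        M bytes  data
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SIGNATURE = b"10ts"


@dataclass
class CacheEntry:
    position: int                    # index in the cache (0 = most recent)
    path: str                        # normalized file path
    cached_file_modified: datetime   # $STANDARD_INFORMATION modified time
    data_size: int
    executed: Optional[bool]         # None: not recorded in this format


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME ticks -> aware UTC datetime (ticks are 100 ns, datetime is 1 us)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def normalize_path(path: str) -> str:
    """Strip NT prefixes so the path compares with other execution artifacts.
    Assumption for this example: only these two prefixes are handled."""
    for prefix in ("\\??\\", "\\\\?\\"):
        if path.startswith(prefix):
            return path[len(prefix):]
    return path


def parse_appcompatcache(blob: bytes) -> list[CacheEntry]:
    if len(blob) < 4:
        raise ValueError("value too short to hold a header")
    header_size = struct.unpack_from("<I", blob, 0)[0]
    if header_size not in (0x30, 0x34):
        raise ValueError(f"unsupported header size 0x{header_size:x}; not a Windows 10 cache")
    entries: list[CacheEntry] = []
    offset, position = header_size, 0
    while offset + 12 <= len(blob):
        if blob[offset:offset + 4] != SIGNATURE:
            break  # end of entries (or a layout this parser does not know)
        entry_size = struct.unpack_from("<I", blob, offset + 8)[0]
        body_start = offset + 12
        body_end = body_start + entry_size
        if body_end > len(blob):
            raise ValueError(f"entry {position} at offset {offset} is truncated")
        path_len = struct.unpack_from("<H", blob, body_start)[0]
        pos = body_start + 2
        path = blob[pos:pos + path_len].decode("utf-16-le")
        pos += path_len
        ft = struct.unpack_from("<Q", blob, pos)[0]
        pos += 8
        data_size = struct.unpack_from("<I", blob, pos)[0]
        entries.append(CacheEntry(position, normalize_path(path),
                                  filetime_to_datetime(ft), data_size, None))
        offset, position = body_end, position + 1
    return entries


def build_entry(path: str, modified: datetime, data: bytes = b"") -> bytes:
    """Encode one '10ts' entry; used only to construct the sample blob below."""
    encoded = path.encode("utf-16-le")
    body = (struct.pack("<H", len(encoded)) + encoded
            + struct.pack("<Q", datetime_to_filetime(modified))
            + struct.pack("<I", len(data)) + data)
    return SIGNATURE + b"\x00" * 4 + struct.pack("<I", len(body)) + body


# Constructed sample (not real evidence): 0x30-byte header plus two entries.
SAMPLE_BLOB = (
    struct.pack("<I", 0x30) + b"\x00" * 0x2C
    + build_entry("\\??\\C:\\Windows\\System32\\notepad.exe",
                  datetime(2023, 10, 15, 14, 30, tzinfo=timezone.utc))
    + build_entry("C:\\Users\\Public\\tool.exe",
                  datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc), b"\x01\x02")
)

if __name__ == "__main__":
    for e in parse_appcompatcache(SAMPLE_BLOB):
        print(e.position, e.cached_file_modified.isoformat(), e.path)
```

The parser stops at the first entry without a `10ts` signature and raises on a truncated entry rather than guessing, which is the behaviour an investigator wants when a hive is damaged: a partial, clearly bounded result instead of fabricated entries. Older Windows versions (7, 8, 8.1) use different headers and do carry an insertion/execution flag; those layouts are outside this example.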

AppCompatCache is critical for establishing program execution and file presence. Investigators use this data to identify executed programs (even if deleted), establish execution timelines, detect malware execution, identify reconnaissance tools, track lateral movement utilities, detect portable executable usage, and correlate with other execution artifacts.