shimcache (appcompatcache)
Forensic Artifacts
Definition
Shimcache, also known as AppCompatCache, is a Windows registry-based artifact that stores metadata about executables observed by the system. It is part of the Windows Application Compatibility framework, designed to track files for compatibility shimming. The critical distinction: **Shimcache indicates file presence and system interaction, not reliable execution.** It shows that a file was encountered and processed by the OS, but not necessarily run.

The data is stored in the SYSTEM hive at: `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache`

### Data Stored in Shimcache

- Full file path of the executable
- File size
- Last modified timestamp (from file metadata, not execution time)
- Execution flag (available only on certain Windows versions)

### Limitations

- Does not reliably confirm execution
- Lacks execution timestamps entirely
- Last modified timestamp is not an execution indicator
- Data is written at shutdown — recent activity may be missing
- Field layout varies by Windows version, with additional OS-dependent metadata fields

### Why It Matters

Shimcache provides **residual evidence of executables** that may no longer exist on disk.

- **Confirms file presence post-deletion** — useful when attackers clean up tools
- **Supports execution hypotheses** — especially when aligned with Prefetch or logs
- **Helps identify attacker tooling paths** — unusual directories often stand out
- **Useful on systems without Prefetch** — fills gaps in execution visibility
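To make the "presence, not execution" rule concrete, here is an added triage example (not code from this glossary or from KC7) that takes already-parsed Shimcache rows and Prefetch records, flags paths in common staging directories, and only upgrades a finding to "execution" when a Prefetch record for the same executable exists. The sample entries, the directory list, and the record layout (path plus last-modified string, as a CSV parser such as AppCompatCacheParser would emit) are constructed for illustration.

```python
"""Rate constructed Shimcache rows by path and corroborate with Prefetch."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Constructed Shimcache rows: (full path, last-modified). The timestamp is the
# file's metadata time, not an execution time.
SHIMCACHE: List[Tuple[str, str]] = [
    ("C:\\Windows\\System32\\svchost.exe", "2024-01-10T08:00:00"),
    ("C:\\Users\\Public\\Temp\\svc.exe", "2024-03-02T11:15:00"),
    ("C:\\Users\\alice\\AppData\\Local\\Temp\\7z.exe", "2024-03-02T11:20:00"),
]
# Constructed Prefetch records: executable name -> last run time.
PREFETCH: Dict[str, str] = {"7Z.EXE": "2024-03-02T11:21:40"}

# Directories where tooling is commonly staged (assumed list, extend as needed).
STAGING_DIRS = ("c:\\users\\public", "\\appdata\\local\\temp",
                "c:\\windows\\temp", "c:\\perflogs")


@dataclass
class Finding:
    path: str
    last_modified: str
    staging_path: bool
    execution_confirmed: bool
    prefetch_last_run: Optional[str]

    @property
    def assessment(self) -> str:
        # Shimcache alone never confirms execution; Prefetch can.
        if self.execution_confirmed:
            return "presence + execution (Prefetch)"
        return "presence only (Shimcache)"


def is_staging_path(path: str) -> bool:
    low = path.lower()
    return any(d in low for d in STAGING_DIRS)


def triage(shimcache: List[Tuple[str, str]], prefetch: Dict[str, str]) -> List[Finding]:
    findings = []
    for path, mtime in shimcache:
        name = PureWindowsPath(path).name.upper()  # Prefetch keys by exe name
        run = prefetch.get(name)
        findings.append(Finding(path, mtime, is_staging_path(path), run is not None, run))
    return findings


if __name__ == "__main__":
    for f in triage(SHIMCACHE, PREFETCH):
        print(f"{'STAGING' if f.staging_path else 'ok':8} {f.assessment:32} {f.path}")
```

Run against real parser output by replacing the constructed lists; an entry reported as "presence only" in a staging directory is a lead to corroborate, not a confirmed execution.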
Related Terms
amcache
Examples & Use Cases
- **Deleted attacker tool still visible** — An attacker executes a tool and deletes it. Prefetch may be gone or disabled, but Shimcache still contains the file path, confirming the tool existed on the system.
- **Suspicious execution path identified** — An entry shows execution from `C:\Users\Public\Temp\svc.exe`. Even without execution proof, the location strongly indicates malicious staging.
- **Correlating weak execution evidence** — Shimcache shows a file, and Prefetch confirms execution. Together, they strengthen the finding and reduce ambiguity.

### Further Reading

- Cyber Triage: https://www.cybertriage.com/blog/shimcache-and-amcache-forensic-analysis-2026/
- Evidence of Program Existence: https://www.thedfirspot.com/post/evidence-of-program-existence-amcache
- 13Cubed video on ShimCache: https://www.youtube.com/watch?v=7byz1dR_CLg