Following on from the previous [DFIR TOOLS] posts.
- [DFIR TOOLS] Timeline Explorer, what is it & how to use!
- [DFIR TOOLS] AmcacheParser, what is it & how to use
This time I will speak about AppCompatCacheParser again from the Eric Zimmerman suite.
We will start with Erics description on its purpose:-
AppCompatCache aka ShimCache parser. Handles locked files.
Ok, so AppCompatCacheParser is a command line application that allows for the examination of Windows ShellCache files called AppCompatCache.

What is Shimcache, also known as AppCompatCache?
Shimcache, also known as AppCompatCache, is a component of the Application Compatibility Database, which was created by Microsoft and used by the Windows operating system to identify application compatibility issues. This helps developers troubleshoot legacy functions and contains data related to Windows features. It is used for quick search to decide whether modules need shimming for compatibility or not.
A Shim is a small library that transparently handles the applications interworking’s to provide support for older APIs in a newer environment or vice-versa. Shims allow backwards and forwards compatibility for applications on different software platforms.
The Registry Key related to this cache can be found and located as below.
HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCache\AppCompatCache
“Forensic examiners can use indicators they find in the ShimCache data to triage other data sources, such as AmCache.hve file, Prefetch files with sources such as “Service Control Manager” in a timeline. The Service Control Manager starts, stops, and interacts with Windows services via the API that Microsoft Management Console (MMC) and Service Control Utility (SC) also use.”
Lifars – Amcache and Shimcache Forensics
Once again I will point you in the direction of 13Cubed and his episode ‘Let’s Talk About Shimcache – The Most Misunderstood Artifact’.
“In this episode, we’ll take an in-depth look at Windows Shimcache (aka AppCompatCache, or “Application Compatibility Cache”). In my experience, this is the most misunderstood Windows forensic artifact. Let’s clear up the confusion by reviewing the artiFACTS. Then, we’ll jump into a demo and see all of this in action over the course of several reboots.”
This is an amazing video by Richard at 13Cubed on breaking down just what is Shimcache, where I am talking about the tool AmcacheParser. Once I have worked through the Zimmerman suite of tools, I will be using others for parsing the same files as we have done so there will be multiple options for getting information from.
Now that you have a better understanding of the mechanics, lets have a look at the tool.
How do we use AppCompatCacheParser?
The tool comes as an exe (AppCompatCacheParser.exe) from the page of Eric Zimmerman, here.

When downloaded we open a CMD as Admin and go to the location.
From there we can run the command AppCompatCacheParser.exe -h to open up the help to see the options.

From there we run the tool for instance if I run:-
AppCompatCacheParser.exe -f C:\temp\muldwych\Content\C\Windows\System32\config\SYSTEM –csv c:\temp –dt yyyy-MM-ddTHH:mm:ss
- Run AppCompatCacheParser.exe
- -f tells it to use the file at that destination, i.e. C:\temp\muldwych\Content\C\Windows\System32\config\SYSTEM
- –csv tells the tool to export as this type of file and at the directory stated i.e. c:\temp
- –dt tells the tool to use a custom date/time format when displaying time stamps i.e. yyyy-MM-ddTHH:mm:ss
And then when run we get the parsed result for us to investigate.

And from there we get the parsed file to investigate.

We can use either ‘Timeline Explorer’ or plain old Excel 🙂


From here we can see:-
- Last Modified Time UTC
- Path
- Source File
Thanks as always for your time.
Regards
Alex
Good job