The ShimCache shows executables that were present on a Windows system. This does not mean that the executables on the system were run! The ShimCache can prove that a file existed on the system even if it was deleted. Further investigating will need to take place whether the executable was ran or not.

The Prefetch and ShimCache both show executables on a system. The main difference is that the Prefetch is disabled on Windows servers while the ShimCache is not. The ShimCache is a valuable artifact when investigating whether an executable was present on a Windows server.

The ShimCache is only written to after a system shutdown. This can be a problem if you are investigating a Windows Server box as these systems are usually active for months or years until they need to be shutdown. The ShimCache has data from the last time the system was shutdown, not information that is current. It is possible to capture the ShimCache memory to prevent having to shutdown a system by using the ShimCacheMem plugin of Volatility 2.

The ShimCache functions differently depending on the Windows operating system on the box. The Leveraging the Application Compatibility Cache in Forensic Investigations – Mandiant article details these changes.

The metadata of each executable is stored in the ShimCache which includes:

• File name.
• File size.
• Last modified time (when the file was put on the system or first run).
• Last execution time (depending on OS).

The ShimCache can be found at the following locations:

• Windows 2000 and XP: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache
• Windows 2003 and later: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache