Built on the open source project osquery.
Description: Shimcache records the execution, or at least the presence, of a file in the Shim Database. ShimCache acts as a compatibility layer between older applications and newer versions of Windows, and as a side effect it leaves a trail of evidence that IR subject-matter experts (SMEs) can use forensically. The cache can be found in one of the following registry locations:
HKLM\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
The records stored in the Shim cache reflect the state as of the time the host was last rebooted: entries are held in memory and are only written to the registry during the reboot sequence.
What The Data Shows: Incident responders can use the Shimcache data to determine whether a file was present on the system or was executed. For each entry it provides the full path, the executable name, and the timestamp at which the entry was registered in the Shim DB.
SQL: SELECT * FROM appcompat_shims;
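As an added example (not code from this page or from osquery), the following Python parses a Windows 10-format AppCompatCache registry value offline and returns the path and timestamp of each entry, so the artifact described above can be examined from an exported registry hive without a live query. The "10ts" entry layout is assumed from the publicly documented Windows 10 format, and the input blob is constructed here rather than captured from a real host.

```python
"""Parse a Windows 10-format AppCompatCache (Shimcache) registry value offline."""
import struct
from datetime import datetime, timedelta, timezone

ENTRY_SIGNATURE = b"10ts"  # marks each Windows 10-format cache entry (assumed layout)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_appcompatcache(blob: bytes) -> list:
    """Return [{'path', 'last_modified'}] for every '10ts' entry in the value.

    Layout: header whose first DWORD is its own size (0x30 or 0x34), then entries of
    '10ts' | 4 unknown | 4 entry size | 2 path length | path (UTF-16LE) | 8 FILETIME
    | 4 data length | data. Parsing stops at the first malformed or truncated entry.
    """
    header_size = struct.unpack_from("<I", blob, 0)[0]
    offset, entries = header_size, []
    while offset + 12 <= len(blob) and blob[offset:offset + 4] == ENTRY_SIGNATURE:
        entry_size = struct.unpack_from("<I", blob, offset + 8)[0]
        body = blob[offset + 12:offset + 12 + entry_size]
        if len(body) < entry_size:
            break  # truncated value: do not trust a partial entry
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        filetime = struct.unpack_from("<Q", body, 2 + path_len)[0]
        entries.append({"path": path, "last_modified": filetime_to_datetime(filetime)})
        offset += 12 + entry_size  # the trailing data blob is included in entry_size
    return entries


def build_entry(path: str, filetime: int, data: bytes = b"") -> bytes:
    """Build one '10ts' entry; used only to construct the sample input below."""
    encoded = path.encode("utf-16-le")
    body = struct.pack("<H", len(encoded)) + encoded + struct.pack("<QI", filetime, len(data)) + data
    return ENTRY_SIGNATURE + b"\0\0\0\0" + struct.pack("<I", len(body)) + body


# Constructed sample value (not from a real host): 0x34-byte header followed by two entries.
SAMPLE_FILETIME = 132_000_000_000_000_000  # an arbitrary 2019 timestamp
SAMPLE_BLOB = (
    struct.pack("<I", 0x34) + b"\0" * 0x30
    + build_entry(r"C:\Windows\System32\svchost.exe", SAMPLE_FILETIME)
    + build_entry(r"C:\Users\Public\update.exe", SAMPLE_FILETIME + 3600 * 10_000_000, b"\x01\x02")
)

if __name__ == "__main__":
    for entry in parse_appcompatcache(SAMPLE_BLOB):
        print(entry["last_modified"].isoformat(), entry["path"])
```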
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.