ShimCache & AmCache Forensic Analysis

Mehrnoush
7 min read · Feb 14, 2023


ShimCache and AmCache are Windows artifacts that contain information about recently executed applications. They can be analyzed to determine which applications have been run on a system and when they were executed. This information can be useful in forensic investigations and incident response activities to understand system activity and potential indicators of compromise. Tools such as Mandiant Redline and Volatility can be used to extract and analyze information from these artifacts.

AmCache

The Application Compatibility Infrastructure was first introduced in Windows XP, and the AmCache is an artifact that contains metadata related to program execution and installation on Windows Server 2008 R2, Windows 7, and later versions of Windows. The AmCache.hve stores information about executables, including their full path, last modification time, SHA-1 hash, and in some versions, file information such as version, product name, company name, and description. For programs installed via an installer, associated entries can be found in the Amcache.hve\Root\File\ and Amcache.hve\Root\Programs keys. By browsing to the Amcache.hve\Root\File\{Volume GUID}\ key in a tool like Registry Explorer, you can determine the exact volume an executable was run from by matching the Volume GUID against the entries under System\MountedDevices. The first time a specific program was executed can be determined from the last write time of the numeric subkey under the AmCache.hve\Root\File\{Volume GUID}\ key.

When examining an older system that has undergone multiple upgrades, traces of files from previous versions of AmCache may still exist. Furthermore, Microsoft has changed the behavior of AmCache over time, which can impact the interpretation of information gathered from it. For example, in some versions of AmCache, the last write date of keys may not correspond to the date of execution of the PE, while in more recent versions, it does so more frequently. It is important for forensic examiners to consider the complexity of the Shim infrastructure and the challenges it presents in interpreting artifacts in a forensically sound manner. While experiments can help confirm the meaning of the presence of an element in a file or registry key, they are not a substitute for source code analysis. In addition, it is generally safer to rely on the presence of an element to draw conclusions, rather than reasoning based on its absence.

The Application Compatibility Infrastructure, also known as the Shim Infrastructure, allows applications to run even if they are no longer fully compatible with the running system or if the version of a dependency has changed. The Shim Infrastructure provides two artifacts for digital investigators: the ShimCache and, since Windows 7, the AmCache. Both of these artifacts store information about executed applications and installed programs. The AmCache is currently available in two different formats: a BCF file called RecentFileCache.bcf and a registry hive called AmCache.hve. Unlike other artifacts, the format used for AmCache does not depend on the version of the operating system, but rather on the version of the libraries responsible for filling the cache.

In the article, Blanche Lagny explains that the behavior of the AmCache is not determined by the operating system version of the system, but rather by the version of the libraries responsible for filling the cache. This means that the format used for AmCache may vary depending on the version of the libraries, even if the operating system version remains the same. It is important for digital investigators to be aware of these nuances when analyzing the AmCache artifact.

In Windows 10, version 20H2 (OS build 19042.928), the AmCache.hve stores registry keys related to various types of installed programs and their components, including shortcuts, which are located under the “Root\InventoryApplicationShortcut” key. On that build, the keys directly under Root are:

DeviceCensus
DriverPackageExtended
InventoryApplication
InventoryApplicationAppV
InventoryApplicationDriver
InventoryApplicationFile
InventoryApplicationFramework
InventoryApplicationShortcut
InventoryDeviceContainer
InventoryDeviceInterface
InventoryDeviceMediaClass
InventoryDevicePnp
InventoryDeviceUsbHubClass
InventoryDriverBinary
InventoryDriverPackage
InventoryMiscellaneousMemorySlotArrayInfo
InventoryMiscellaneousOfficeAddIn
InventoryMiscellaneousOfficeAddInUsage
InventoryMiscellaneousOfficeIdentifiers
InventoryMiscellaneousOfficeIESettings
InventoryMiscellaneousOfficeInsights
InventoryMiscellaneousOfficeProducts
InventoryMiscellaneousOfficeSettings
InventoryMiscellaneousOfficeVBA
InventoryMiscellaneousOfficeVBARuleViolations
InventoryMiscellaneousUUPInfo

Each subkey under InventoryApplicationShortcut represents a shortcut and contains information about the target of the lnk file, which is often truncated, along with an unknown identifier. The subkey also contains a single value that points to the shortcut.

Path:

%systemdrive%\Windows\AppCompat\Programs\AmCache.hve

Tools

AmcacheParser

As for related tools, RecentFileCache.bcf and AmCache.hve can be parsed by RecentFileCacheParser and AmcacheParser respectively, both by Eric Zimmerman.

AmcacheParser.exe -f C:\Windows\appcompat\Programs\Amcache.hve --csv registry

The command “AmcacheParser.exe -f C:\Windows\appcompat\Programs\Amcache.hve --csv registry” uses the AmcacheParser tool by Eric Zimmerman to parse the AmCache.hve file located at “C:\Windows\appcompat\Programs” and writes the results in CSV format under “registry”.

Outputs:

[DateTime]_Amcache_DeviceContainer.csv
[DateTime]_Amcache_DevicePnps.csv
[DateTime]_Amcache_DriveBinaries.csv
[DateTime]_Amcache_DrivePackages.csv
[DateTime]_Amcache_ShortCuts.csv
[DateTime]_Amcache_UnassociatedFileEntries.csv

There is also a Regripper parser for AmCache.hve, created by Harlan Carvey.

Regripper is a popular open-source tool used for Windows registry analysis in digital forensics and incident response. It allows the user to extract and analyze information from different hives of the Windows registry. The Regripper tool is available as a set of plugins, each designed to extract specific information from a particular registry key. One of the plugins is specifically designed for analyzing the AmCache.hve file and extracting relevant information.

The Regripper AmCache plugin can extract various information from the AmCache.hve file, including executable file paths, last modification times, SHA-1 hashes, and file size. The plugin can also extract information about installed applications, such as version numbers, product names, and company names. The output generated by the plugin can be saved in different formats, including CSV, XML, and HTML.

Regripper can be run from the command line, and the syntax for running the AmCache plugin is as follows:

rip.exe -r <registry hive> -p amcache

Overall, Regripper is a powerful tool that can be used to extract and analyze information from various Windows registry hives, including the AmCache.hve file.

ShimCache

The Application Compatibility Cache (Shimcache) and the AmCache serve similar functions of storing information about executed applications and installed programs, but there are some differences. The Shimcache is designed to provide backward compatibility for programs meant to run on older versions of Windows, while the AmCache is not limited to any particular version of the OS. Additionally, the Shimcache is stored in the registry, while the AmCache can be stored in either the registry or a BCF file. The Shimcache also stores more specific data related to program compatibility, such as process execution flags, while the AmCache stores a broader range of information, including device and driver information, shortcut information, and inventory data.

This artifact stores various file metadata, such as: File Full Path, File Size, $STANDARD_INFORMATION ($SI) Last Modified time, Shimcache Last Updated time, and Process Execution Flag. One of the more interesting aspects of AppCompatCache is that each application is checked regardless of whether it has been shimmed.

Tools

AppCompatCacheParser by Eric Zimmerman parses the AppCompatCache data stored in the SYSTEM registry hive. It can parse the data from the Shimcache as well as the Amcache. The tool extracts information such as file path, last modified time, and execution flag and can output the data in various formats including CSV, XML, and JSON.

AppCompatCacheParser.exe -f C:\Windows\System32\config\SYSTEM --csv E:\AppCompatCache

PowerShell can be used to gather both Amcache and Shimcache:

# Specify the path where you want to save the output files
$outputPath = "C:\Output"
New-Item -ItemType Directory -Path $outputPath -Force | Out-Null

# Download AmcacheParser from the GitHub repository and unpack it (the zip cannot be executed directly)
Invoke-WebRequest -Uri "https://ericzimmerman.github.io/Downloads/AmcacheParser.zip" -OutFile "$outputPath\AmcacheParser.zip"
Expand-Archive -Path "$outputPath\AmcacheParser.zip" -DestinationPath "$outputPath\AmcacheParser" -Force

# Gather Amcache: --csv takes the output directory and --csvf the CSV file name
& "$outputPath\AmcacheParser\AmcacheParser.exe" -f "C:\Windows\AppCompat\Programs\Amcache.hve" --csv $outputPath --csvf "Amcache.csv"

# Gather Shimcache: AppCompatCache is a binary value under the AppCompatCache key, so save the raw bytes for a parser
$shimcache = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" -Name AppCompatCache).AppCompatCache
[System.IO.File]::WriteAllBytes("$outputPath\AppCompatCache.bin", $shimcache)

The output files will be saved to the path specified in the $outputPath variable.
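Once the raw AppCompatCache value has been collected it still has to be decoded into the fields described above. As an added example (not code from the original article or from any of the tools it names), the Python below parses the Windows 10 “10ts” entry layout as documented by public ShimCache parsers, and runs over a constructed byte string rather than a live hive; the paths and timestamps in it are sample values.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows 10 AppCompatCache layout, as documented by public ShimCache parsers: a header
# whose first DWORD is its own size (0x30, or 0x34 from the Creators Update on), then
# entries that each begin with the ASCII signature "10ts".
ENTRY_SIG = b"10ts"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_win10_shimcache(blob):
    """Parse a Windows 10 AppCompatCache value into a list of entry dicts."""
    header_size = struct.unpack_from("<I", blob, 0)[0]
    offset, entries = header_size, []
    while offset + 12 <= len(blob) and blob[offset:offset + 4] == ENTRY_SIG:
        # signature(4) + unknown(4) + length of the entry data that follows(4)
        entry_len = struct.unpack_from("<I", blob, offset + 8)[0]
        body = blob[offset + 12:offset + 12 + entry_len]
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        pos = 2 + path_len
        last_mod, data_len = struct.unpack_from("<QI", body, pos)
        entries.append({
            "path": path,
            # $SI last modified time of the file, not the time it was executed
            "last_modified": filetime_to_datetime(last_mod),
            "data": body[pos + 12:pos + 12 + data_len],
        })
        offset += 12 + entry_len
    return entries

def build_entry(path, last_mod_filetime, data=b""):
    """Build one constructed "10ts" entry (sample data only; real blobs come from SYSTEM)."""
    encoded = path.encode("utf-16-le")
    body = struct.pack("<H", len(encoded)) + encoded
    body += struct.pack("<QI", last_mod_filetime, len(data)) + data
    return ENTRY_SIG + b"\x00" * 4 + struct.pack("<I", len(body)) + body

# Constructed sample blob: a 0x30-byte header followed by two entries.
SAMPLE_BLOB = (struct.pack("<I", 0x30) + b"\x00" * 0x2C
               + build_entry(r"C:\Windows\System32\calc.exe", 132000000000000000)
               + build_entry(r"C:\Users\Public\tool.exe", 132500000000000000, b"\x01\x00"))

if __name__ == "__main__":
    for e in parse_win10_shimcache(SAMPLE_BLOB):
        print(e["last_modified"].isoformat(), e["path"])
```

To run it against a real system, replace SAMPLE_BLOB with the bytes of the exported AppCompatCache value; older Windows versions use different entry layouts and are not handled here.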

The ShimCache and AmCache are both artifacts within the Windows Application Compatibility Infrastructure, but there are some differences between them:

  1. Purpose: The ShimCache was initially designed to store information about the compatibility of applications with the operating system, while the AmCache was later introduced to provide a more detailed inventory of installed applications and their usage.
  2. Location: The ShimCache is stored in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache, while the AmCache is stored either as a BCF file or a registry hive file in the \Windows\AppCompat\Programs directory.
  3. Format: The ShimCache is a binary format that contains information about application executables and libraries, while the AmCache can be stored in two formats: BCF or registry hive, and it contains more detailed information about installed applications and their usage, such as installation paths, file properties, and shortcuts.
  4. Data retention: The ShimCache has a limited data retention period and can be cleared by various system events or tools, while the AmCache has a longer data retention period and can provide a more comprehensive historical view of application usage.

Overall, the ShimCache and AmCache both provide valuable information to forensic investigators, but the AmCache can provide more detailed and historical data about installed applications and their usage.

In conclusion, the Application Compatibility Infrastructure, also known as the Shim Infrastructure, is a feature of Windows operating systems that allows applications to run even if they are no longer fully compatible with the running system or if the version of a dependency has changed. The Shim Infrastructure provides two artifacts for digital forensic investigators: the Shimcache and the AmCache. The Shimcache stores information about executables and installed programs, can be used to determine which PEs were executed on Windows, and can assist in hunting malware. The AmCache is a more recent artifact that stores similar information to the Shimcache but has different formats that depend on the version of the libraries in charge of filling the cache. Several tools, such as AmcacheParser, RecentFileCacheParser, and the Regripper amcache plugin, can be used to parse the Shimcache and AmCache artifacts. AppCompatCacheParser is another tool that can parse the data stored in the SYSTEM registry hive. All of these tools are useful for digital forensic investigators in analyzing artifacts left behind by the Application Compatibility Infrastructure.
