Shimcache

Windows Shimcache (also called AppCompatCache, Application Compatibility Cache, or AppCompat) is a set of Registry entries that may* indicate application execution. These entries are only written to the Registry when the system is shut down or restarted.

* While an entry in Shimcache often implies the application was executed, Windows may pre-populate Shimcache with entries based on a user browsing to a directory that contains an application.

Other parsers:

References:

TOML Collection

system = "windows"

[output]
name = "shimcache_collection"
directory = "./tmp"
format = "json"
compress = false
endpoint_id = "6c51b123-1522-4572-9f2a-0bd5abd81b82"
collection_id = 1
output = "local"

[[artifacts]]
artifact_name = "shimcache"
[artifacts.shimcache]
# Optional
# alt_drive = 'D'

Collection Options

  • alt_drive: Expects a single character value. Uses an alternative drive letter when parsing Shimcache. This configuration is optional. By default artemis will use the %systemdrive% value (typically C).

Output Structure

An array of Shimcache entries

export interface Shimcache {
  /**Entry number for shimcache. Entry zero (0) is most recent execution */
  entry: number;
  /**Full path to application file */
  path: string;
  /**Standard Information Modified timestamp in UNIXEPOCH seconds */
  last_modified: number;
  /**Full path to the Registry key */
  key_path: string;
}
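The interface above describes the JSON that artemis writes; the following is an added example of consuming it, not code from artemis itself. It reads an array of Shimcache entries, orders them so the most recent entry (entry 0) comes first, converts last_modified into an ISO-8601 string, and flags paths under a hypothetical watch list of directories. The sample entries, key path and watch-list prefixes are constructed for illustration. Note that last_modified is the file's Standard Information modified time, not the time of execution, and (as stated above) presence in Shimcache does not by itself prove execution.

```typescript
// Added example: triage helper for artemis Shimcache JSON output.
// The Shimcache interface mirrors the documented output structure.

interface Shimcache {
  entry: number;         // 0 = most recent entry
  path: string;          // full path to the application file
  last_modified: number; // $STANDARD_INFORMATION modified time, UNIX epoch seconds
  key_path: string;      // full Registry key path
}

interface TriagedEntry {
  entry: number;
  path: string;
  last_modified_iso: string;   // last_modified rendered as ISO-8601 (UTC)
  watched_location: boolean;   // true when the path starts with a watched prefix
}

// Hypothetical list of directories where a binary appearing in Shimcache
// deserves a closer look during triage; tune for your own environment.
const WATCH_PREFIXES: string[] = [
  "c:\\users\\",
  "c:\\windows\\temp\\",
  "c:\\programdata\\",
];

function toIso(unixSeconds: number): string {
  // last_modified is in seconds; Date expects milliseconds.
  return new Date(unixSeconds * 1000).toISOString();
}

function isWatchedPath(path: string): boolean {
  const lower = path.toLowerCase();
  return WATCH_PREFIXES.some((prefix) => lower.startsWith(prefix));
}

function triage(entries: Shimcache[]): TriagedEntry[] {
  // Sort ascending by entry number so entry 0 (most recent) is first;
  // copy the array first so the caller's input is left untouched.
  return [...entries]
    .sort((a, b) => a.entry - b.entry)
    .map((e) => ({
      entry: e.entry,
      path: e.path,
      last_modified_iso: toIso(e.last_modified),
      watched_location: isWatchedPath(e.path),
    }));
}

// Constructed sample output in the shape artemis produces (not real data).
const SAMPLE: Shimcache[] = [
  {
    entry: 1,
    path: "C:\\Windows\\System32\\notepad.exe",
    last_modified: 1672531200, // 2023-01-01T00:00:00Z
    key_path: "HKLM\\SYSTEM\\ControlSet001\\Control\\Session Manager\\AppCompatCache",
  },
  {
    entry: 0,
    path: "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
    last_modified: 1700000000, // 2023-11-14T22:13:20Z
    key_path: "HKLM\\SYSTEM\\ControlSet001\\Control\\Session Manager\\AppCompatCache",
  },
];

// Example usage: print the triaged list, most recent entry first.
for (const row of triage(SAMPLE)) {
  console.log(`${row.entry}\t${row.last_modified_iso}\t${row.watched_location}\t${row.path}`);
}
```

To run this against a real collection, replace SAMPLE with the parsed contents of the JSON file artemis writes to the configured output directory (for example with JSON.parse over the file contents).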