Parse the Windows Shimcache in your browser.

Drop a SYSTEM registry hive and instantly extract every AppCompatCache entry — file path, last-modified time, and OS format — without ever uploading the file.

Everything runs locally. Your hive never leaves this page.

Shimcache forensics — frequently asked questions

Quick answers to the questions investigators ask most when analyzing the Windows AppCompatCache.

What is the Windows ShimCache (AppCompatCache)?
The ShimCache, also called AppCompatCache, is a Windows feature that tracks executables the operating system has examined for application-compatibility shimming. It stores up to 1,024 entries per system, including the file path and last-modified timestamp. Investigators rely on it as evidence that a binary existed on a machine — even after the file has been deleted.
Does a ShimCache entry prove a program was executed?
No. ShimCache records files that Windows examined, which often (but not always) implies execution. On Windows 10 and 11 the in-cache execution flag was removed, so corroborating artifacts — Prefetch, AmCache, Security or Sysmon event logs — are required to confirm a program actually ran.
Why doesn't the ShimCache timestamp match when the program ran?
The displayed timestamp is the file's last-modified time ($STANDARD_INFORMATION), not the time of execution. A binary copied with its timestamps preserved will still show its original mtime. Treat ShimCache as a 'program existence' artifact, not a 'program execution' timeline.
Can ShimCache entries be deleted or tampered with?
Yes. ShimCache is held in memory and only flushed to the SYSTEM hive on shutdown, so a hard reboot can lose recent entries. Anti-forensic tools and registry edits can also clear or modify it. Always corroborate findings with AmCache, Prefetch, and event-log evidence.
What is the difference between ShimCache and AmCache?
ShimCache lives in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache and stores up to 1,024 path + mtime entries. AmCache (Amcache.hve) is a separate database that tracks installed programs and recently executed files with SHA-1 hashes and far richer metadata. The two artifacts complement each other in forensic timelines.
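To make the path + mtime entries described above concrete, here is an added example (not this tool's own code) that decodes the raw bytes of an AppCompatCache value already exported from a SYSTEM hive. It assumes the Windows 10/11 record layout documented by public Shimcache parsers (header size in the first DWORD, then records signed `10ts`), which this page does not spell out; the function names and the sample blob are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_win10_shimcache(blob):
    """Return (entries, warnings); entries are listed in stored order."""
    entries, warnings = [], []
    if len(blob) < 4:
        return entries, ["value too short to hold a header"]
    (offset,) = struct.unpack_from("<I", blob, 0)  # assumed header size: 0x30 or 0x34
    if offset not in (0x30, 0x34):
        return entries, [f"unexpected header size {offset:#x}; not the Windows 10 layout"]
    while offset + 14 <= len(blob):
        if blob[offset:offset + 4] != b"10ts":
            warnings.append(f"bad signature at {offset:#x}; stopping")
            break
        _crc, _entry_len, path_len = struct.unpack_from("<IIH", blob, offset + 4)
        tail = offset + 14 + path_len  # FILETIME and data length follow the path
        if tail + 12 > len(blob):
            warnings.append(f"truncated entry at {offset:#x}")
            break
        path = blob[offset + 14:tail].decode("utf-16-le", errors="replace")
        mtime, data_len = struct.unpack_from("<QI", blob, tail)
        entries.append({"position": len(entries), "path": path,
                        "last_modified_utc": filetime_to_utc(mtime) if mtime else None})
        offset = tail + 12 + data_len  # skip the opaque per-entry data
    return entries, warnings

def make_entry(path, filetime, data=b""):
    """Build one constructed '10ts' record for the sample below."""
    p = path.encode("utf-16-le")
    body = struct.pack("<H", len(p)) + p + struct.pack("<QI", filetime, len(data)) + data
    return b"10ts" + struct.pack("<II", 0, len(body)) + body

# Constructed sample: 0x34-byte header, two records (one with an empty
# timestamp), then a record cut short as in a partially recovered hive.
SAMPLE = (struct.pack("<I", 0x34).ljust(0x34, b"\0")
          + make_entry(r"C:\Windows\System32\cmd.exe", 132223104000000000)
          + make_entry(r"C:\Users\Public\example.exe", 0)
          + make_entry(r"C:\Temp\cut.exe", 132223104000000000)[:20])

if __name__ == "__main__":
    for e in parse_win10_shimcache(SAMPLE)[0]:
        print(e["position"], e["last_modified_utc"], e["path"])
```

The decoded time is the file's last-modified time, so it belongs in a timeline as a file-metadata event, not as an execution event.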