The Windows ShimCache — also called the Application Compatibility Cache (AppCompatCache) — is one of the most-cited artifacts in modern Windows incident response. It's also one of the most misunderstood. This short primer walks through what it actually records, where it lives, and how investigators should (and shouldn't) interpret it.
What the ShimCache records
When Windows examines an executable to decide whether a compatibility shim needs to be applied, it records that examination in the ShimCache. Up to 1,024 entries are retained per system, each containing at least:
- the full file path of the executable,
- the $STANDARD_INFORMATION last-modified timestamp of the file,
- and, on older versions of Windows, flags describing whether the file was executed.
The cache lives in volatile memory while the system is running and is flushed to the registry only at shutdown. That timing detail matters: a hard reboot or a power-cycled VM can lose recent entries entirely.
Where it lives
The ShimCache lives in the SYSTEM hive at:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
The value is a single binary blob whose structure varies by Windows version — XP, 7, 8, 8.1, 10, and 11 each use a slightly different layout. Parsing it offline means extracting the value and decoding it according to the right schema. That is exactly what this tool does, entirely in your browser, with no upload step.
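The decoding step in practice, as an added example that is not the blog's tool or any project's code: a small Python parser for the Windows 10 and 11 layout of the AppCompatCache value. The layout it assumes is the publicly documented one (a header whose first DWORD is its own size, 0x30 or 0x34, followed by entries of a "10ts" signature, an unknown DWORD, an entry size, a UTF-16LE path, a FILETIME mtime and a trailing data block); the sample blob is constructed in-script so it runs offline. On a real offline SYSTEM hive the value has to be read with a hive library first, and since an offline hive has no CurrentControlSet, the ControlSet00N to use is the one named by the Select key's Current value.

```python
"""Parse a Windows 10/11 AppCompatCache (ShimCache) registry value.

Added example. Assumed layout (public documentation, not verified against
the page's tool):
  header: 0x30 or 0x34 bytes, first DWORD = header size
  entry:  "10ts" | 4 bytes unknown | 4 bytes entry size | 2 bytes path len |
          UTF-16LE path | 8 bytes FILETIME mtime | 4 bytes data size | data
Note what is NOT here: no execution flag exists in this format, so an entry
only shows that the path was examined, never that it ran.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ENTRY_SIGNATURE = b"10ts"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used only to build the sample blob."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


@dataclass
class ShimCacheEntry:
    position: int           # order in the cache as stored
    path: str               # full path as recorded by Windows
    last_modified: datetime  # the file's mtime, NOT an execution time
    data: bytes             # opaque trailing data, kept for completeness


def parse_appcompatcache_win10(blob: bytes) -> list[ShimCacheEntry]:
    """Return the entries of a Windows 10/11 AppCompatCache value."""
    if len(blob) < 4:
        raise ValueError("value too short to be an AppCompatCache blob")
    header_size = struct.unpack_from("<I", blob, 0)[0]
    if header_size not in (0x30, 0x34):
        # Other Windows versions start differently; refuse rather than misparse.
        raise ValueError(f"unsupported header size 0x{header_size:x}; not a Windows 10/11 cache")
    entries: list[ShimCacheEntry] = []
    offset = header_size
    while offset + 12 <= len(blob):
        if blob[offset:offset + 4] != ENTRY_SIGNATURE:
            break  # end of populated entries (or a damaged value)
        entry_size = struct.unpack_from("<I", blob, offset + 8)[0]
        body_start = offset + 12
        body_end = body_start + entry_size
        if body_end > len(blob):
            raise ValueError(f"entry at offset {offset} overruns the blob")
        path_len = struct.unpack_from("<H", blob, body_start)[0]
        path_start = body_start + 2
        path = blob[path_start:path_start + path_len].decode("utf-16-le")
        pos = path_start + path_len
        ft = struct.unpack_from("<Q", blob, pos)[0]
        data_size = struct.unpack_from("<I", blob, pos + 8)[0]
        data = blob[pos + 12:pos + 12 + data_size]
        entries.append(ShimCacheEntry(len(entries), path, filetime_to_datetime(ft), data))
        offset = body_end
    return entries


def build_sample_blob(records: list[tuple[str, datetime]], header_size: int = 0x34) -> bytes:
    """Construct a synthetic value in the assumed layout (test data, not from a real host)."""
    out = bytearray(struct.pack("<I", header_size) + b"\x00" * (header_size - 4))
    for path, mtime in records:
        path_bytes = path.encode("utf-16-le")
        body = struct.pack("<H", len(path_bytes)) + path_bytes
        body += struct.pack("<Q", datetime_to_filetime(mtime))
        body += struct.pack("<I", 0)  # no trailing data in the sample
        out += ENTRY_SIGNATURE + struct.pack("<I", 0) + struct.pack("<I", len(body)) + body
    return bytes(out)


# Constructed sample records; the paths and dates are made up for the demo.
SAMPLE_RECORDS = [
    ("C:\\Windows\\System32\\svchost.exe", datetime(2023, 5, 11, 8, 30, 0, tzinfo=timezone.utc)),
    ("C:\\Users\\Public\\update.exe", datetime(2021, 1, 4, 12, 0, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for e in parse_appcompatcache_win10(build_sample_blob(SAMPLE_RECORDS)):
        print(f"{e.position:4d}  {e.last_modified:%Y-%m-%d %H:%M:%S}Z  {e.path}")
```

The parser stops at the first missing signature rather than guessing, and rejects header sizes it does not know, because a value from Windows 7 or 8.1 fed through a Windows 10 schema produces plausible-looking garbage rather than an error. The printed mtime is the file's modification time as described above, so the output should be read as an existence record, to be joined against Prefetch, AmCache and event logs before any claim of execution.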
Forensic value
ShimCache is most often used to demonstrate program existence: a particular binary was, at some point, present on disk on a specific host. That is useful for:
- attributing malware presence even after the file has been wiped,
- enriching execution timelines built from Prefetch or AmCache,
- and corroborating findings from EDR or Sysmon telemetry.
Three caveats that bite
- The timestamp is the file's mtime, not the execution time. A binary copied without preserving timestamps will show its original mtime.
- An entry is not proof of execution. On Windows 10 and 11 the in-cache execution flag was removed entirely. Pair the ShimCache with Prefetch, AmCache, and event logs before claiming a program ran.
- The cache fills and evicts while the system runs, and its contents reach disk only at shutdown. Recent entries that never made it to disk are simply gone.
Used carefully and corroborated with other artifacts, the ShimCache is a high-signal pivot point. Treat each entry as a hypothesis to confirm, not a conclusion.
Where to go next
If you'd like to dig deeper, the rest of the blog is organized into two clusters.
Understanding the ShimCache
- ShimCache vs AmCache: which Windows artifact answers which question
- Does the ShimCache prove a program was executed?
- Where is the ShimCache stored, and when is it written?
- Prefetch, AmCache, ShimCache: a quick reference for program-execution evidence
- Parsing the ShimCache: the Windows 10 and 11 binary format
Using it in investigations
- How to acquire a Windows SYSTEM hive for offline ShimCache analysis
- Hunting malware with the ShimCache: a step-by-step workflow
- Using the ShimCache in ransomware investigations
- Extracting the ShimCache from a memory dump
- Can attackers clear the ShimCache? Anti-forensics and detection
- Building a program-execution timeline from a SYSTEM hive
- Comparing ShimCache parsers: Mandiant, Zimmerman, Velociraptor, and this tool