Shimcache Parser

Shimcache Parser — Blog https://www.shimcacheparser.com/en/blog Latest from Blog en Tue, 26 May 2026 18:41:27 GMT Legacy ShimCache formats: Windows XP, 2003, Vista, 7 and 8 https://www.shimcacheparser.com/en/blog/legacy-shimcache-formats https://www.shimcacheparser.com/en/blog/legacy-shimcache-formats The AppCompatCache binary layout changed with almost every Windows release. This is a per-version reference to the older formats — XP, Server 2003, Vista/2008, Windows 7, and 8 — and the magic values that identify them. Shimcache Parser Tue, 19 May 2026 00:00:00 GMT Does the ShimCache record deleted files? https://www.shimcacheparser.com/en/blog/shimcache-deleted-files https://www.shimcacheparser.com/en/blog/shimcache-deleted-files Yes — and that's exactly why it matters. The ShimCache routinely retains entries for executables that no longer exist on disk. Here is why, how long they survive, and how to use deleted-file entries as evidence. Shimcache Parser Tue, 19 May 2026 00:00:00 GMT Detecting lateral movement with the ShimCache https://www.shimcacheparser.com/en/blog/shimcache-lateral-movement https://www.shimcacheparser.com/en/blog/shimcache-lateral-movement Remote-execution tooling leaves a recognizable ShimCache footprint on both source and destination hosts. This is a practical guide to using AppCompatCache to reconstruct lateral movement across a Windows estate. Shimcache Parser Tue, 19 May 2026 00:00:00 GMT What the ShimCache timestamp actually means (and what it doesn't) https://www.shimcacheparser.com/en/blog/shimcache-timestamp-explained https://www.shimcacheparser.com/en/blog/shimcache-timestamp-explained The timestamp in a ShimCache entry is the file's last-modified time — not when the program ran. Here is exactly what the value is, why it misleads investigators, and how to use it correctly. Shimcache Parser Tue, 19 May 2026 00:00:00 GMT ShimCache vs Prefetch: which one proves a program ran? https://www.shimcacheparser.com/en/blog/shimcache-vs-prefetch https://www.shimcacheparser.com/en/blog/shimcache-vs-prefetch Prefetch records execution; ShimCache records that Windows examined a file. They answer different questions with different reliability. A practical head-to-head for investigators. Shimcache Parser Tue, 19 May 2026 00:00:00 GMT Can attackers clear the ShimCache? Anti-forensics and detection https://www.shimcacheparser.com/en/blog/shimcache-anti-forensics https://www.shimcacheparser.com/en/blog/shimcache-anti-forensics The ShimCache can be tampered with — but rarely cleanly. This post catalogs how attackers try to wipe or modify shimcache entries, and the forensic tells investigators can use to spot it. Shimcache Parser Sun, 17 May 2026 00:00:00 GMT Extracting the ShimCache from a memory dump https://www.shimcacheparser.com/en/blog/shimcache-from-memory-dump https://www.shimcacheparser.com/en/blog/shimcache-from-memory-dump Because the Windows ShimCache only flushes to the registry at shutdown, a memory dump often holds entries the on-disk hive doesn't. This guide covers extraction with Volatility and Velociraptor. Shimcache Parser Sun, 17 May 2026 00:00:00 GMT Building a program-execution timeline from a SYSTEM hive https://www.shimcacheparser.com/en/blog/shimcache-incident-timeline https://www.shimcacheparser.com/en/blog/shimcache-incident-timeline A timeline that fuses ShimCache, AmCache, Prefetch, and the SYSTEM hive's BAM data is the backbone of most Windows IR reports. This guide walks through assembling one end-to-end. Shimcache Parser Sun, 17 May 2026 00:00:00 GMT Hunting malware with the ShimCache: a step-by-step workflow https://www.shimcacheparser.com/en/blog/shimcache-malware-hunting https://www.shimcacheparser.com/en/blog/shimcache-malware-hunting A practical workflow for using the Windows ShimCache to surface suspicious binaries during threat hunting and incident response — what to look for, how to triage hits, and how to corroborate them. Shimcache Parser Sun, 17 May 2026 00:00:00 GMT Using the ShimCache in ransomware investigations https://www.shimcacheparser.com/en/blog/shimcache-ransomware-investigation https://www.shimcacheparser.com/en/blog/shimcache-ransomware-investigation Ransomware actors routinely delete their tools, encrypt and wipe, and reboot to cover tracks. The ShimCache is one of the few artifacts that still answers basic questions after that. Here is how to use it. Shimcache Parser Sun, 17 May 2026 00:00:00 GMT How to acquire a Windows SYSTEM hive for offline ShimCache analysis https://www.shimcacheparser.com/en/blog/acquiring-system-hive https://www.shimcacheparser.com/en/blog/acquiring-system-hive A practical guide to extracting the Windows SYSTEM registry hive (and its transaction logs) for offline forensic analysis — from a dead disk, a live system, or a memory image. Shimcache Parser Sat, 16 May 2026 00:00:00 GMT Comparing ShimCache parsers: Mandiant, Zimmerman, Velociraptor, and this tool https://www.shimcacheparser.com/en/blog/comparing-shimcache-parsers https://www.shimcacheparser.com/en/blog/comparing-shimcache-parsers Four open tools dominate offline ShimCache parsing — each with different strengths. A practical comparison for picking the right one for your workflow. Shimcache Parser Sat, 16 May 2026 00:00:00 GMT Prefetch, AmCache, ShimCache: a quick reference for program-execution evidence https://www.shimcacheparser.com/en/blog/program-execution-artifacts-reference https://www.shimcacheparser.com/en/blog/program-execution-artifacts-reference A side-by-side reference of the five Windows artifacts most useful for proving program execution — Prefetch, AmCache, ShimCache, UserAssist, BAM/DAM — with their reliability and limitations. Shimcache Parser Sat, 16 May 2026 00:00:00 GMT Does the ShimCache prove a program was executed? https://www.shimcacheparser.com/en/blog/shimcache-proof-of-execution https://www.shimcacheparser.com/en/blog/shimcache-proof-of-execution A ShimCache entry is regularly mistaken for proof that a binary ran. The truth is more nuanced — here is what the cache actually records, and how to confirm execution properly. Shimcache Parser Sat, 16 May 2026 00:00:00 GMT ShimCache vs AmCache: which Windows artifact answers which question https://www.shimcacheparser.com/en/blog/shimcache-vs-amcache https://www.shimcacheparser.com/en/blog/shimcache-vs-amcache ShimCache and AmCache both surface program-execution evidence on Windows, but they record different things, on different schedules, with different reliability. A practical comparison for forensic investigators. Shimcache Parser Sat, 16 May 2026 00:00:00 GMT Where is the ShimCache stored, and when is it written? https://www.shimcacheparser.com/en/blog/where-is-shimcache-stored https://www.shimcacheparser.com/en/blog/where-is-shimcache-stored The Windows ShimCache lives in a single registry value but is only persisted at shutdown. Understanding its storage path and write timing changes how investigators handle volatile evidence. Shimcache Parser Sat, 16 May 2026 00:00:00 GMT Parsing the ShimCache: the Windows 10 and 11 binary format https://www.shimcacheparser.com/en/blog/windows-10-11-shimcache-format https://www.shimcacheparser.com/en/blog/windows-10-11-shimcache-format A practical walk through the Windows 10 and 11 AppCompatCache binary layout — header bytes, per-entry magic, path encoding, and the offsets a parser needs to get right. Shimcache Parser Sat, 16 May 2026 00:00:00 GMT Understanding the Windows ShimCache (AppCompatCache) https://www.shimcacheparser.com/en/blog/welcome https://www.shimcacheparser.com/en/blog/welcome A practical primer on the Windows ShimCache — where it lives, what it records, and how forensic investigators use it to prove program existence. Shimcache Parser Fri, 15 May 2026 00:00:00 GMT