ShimCache (AppCompatCache)
Registry Path: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

ShimCache is Windows' application compatibility cache. It records metadata for executables that the OS has seen or touched — even ones that were never fully launched. For investigators, it is one of the most reliable ways to prove a file existed on a system at a specific point in time, regardless of whether it was deleted afterward.
Key Name: AppCompatCache — binary value, written on shutdown
Trace Type: Execution, File Existence
Hive: SYSTEM
Last Write Time: Reflects when the cache was last flushed to disk, which happens only on a clean shutdown or restart. A timestamp that does not align with your activity window suggests a live-system capture gap or potential tampering.
User Specific: No. System-wide; applies to all accounts, including SYSTEM and service accounts.
Forensic Value
- Prove file existence post-deletion: A ShimCache entry persists even after the source file is wiped from the MFT. Cross-reference these entries with AmCache to verify binary metadata and execution history.
- Detect timestomping: ShimCache captures the file's Last Modified time at cache creation. Compare this with AppCompatFlags data to identify inconsistencies in executable behavior.
- Map program presence across the system: Because ShimCache is not user-scoped, it captures executables run by any account, including SYSTEM-level processes and services.
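As an added example (not part of this reference page), a small Python parser for the Windows 10 layout of the AppCompatCache value, which exposes the per-entry path and FILETIME last-modified value the bullets above rely on. The blob it parses is constructed here to mirror that layout; a real one would be exported from an offline SYSTEM hive, and older Windows versions use different layouts this parser does not handle.

```python
import struct
from datetime import datetime, timedelta, timezone

ENTRY_MAGIC = b"10ts"  # per-entry signature in the Windows 10 AppCompatCache layout

def filetime_to_utc(ft: int) -> datetime:
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01) to an aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_win10_appcompatcache(blob: bytes) -> list[dict]:
    """Parse the Windows 10 ('10ts') AppCompatCache value into a list of entries.
    The FILETIME stored per entry is the file's last-modified time, not a run time, and
    Windows 10 entries carry no execution flag, so treat results as file-existence evidence."""
    header_size = struct.unpack_from("<I", blob, 0)[0]  # 0x30 (1507-1607) or 0x34 (1703+)
    if header_size not in (0x30, 0x34):
        raise ValueError(f"unexpected header size 0x{header_size:x}; not a Windows 10 cache")
    offset, entries = header_size, []
    while offset + 12 <= len(blob) and blob[offset:offset + 4] == ENTRY_MAGIC:
        # layout: magic(4) | unknown(4) | entry_size(4) | path_len(2) | path(UTF-16LE)
        #         | last_modified FILETIME(8) | data_len(4) | data; entry_size covers
        #         everything after the entry_size field itself
        entry_size = struct.unpack_from("<I", blob, offset + 8)[0]
        body = blob[offset + 12: offset + 12 + entry_size]
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        ft, data_len = struct.unpack_from("<QI", body, 2 + path_len)
        entries.append({"path": path, "last_modified": filetime_to_utc(ft), "data_len": data_len})
        offset += 12 + entry_size
    return entries

def build_entry(path: str, filetime: int, data: bytes = b"") -> bytes:
    """Build one '10ts' entry (constructed test data mirroring the layout parsed above)."""
    p = path.encode("utf-16-le")
    body = struct.pack("<H", len(p)) + p + struct.pack("<QI", filetime, len(data)) + data
    return ENTRY_MAGIC + struct.pack("<II", 0, len(body)) + body

def sample_cache() -> bytes:
    """Constructed sample value: a zero-filled 0x34 header followed by two entries,
    the second representing a binary that no longer exists on disk."""
    header = struct.pack("<I", 0x34) + b"\x00" * 0x30
    return (header
            + build_entry(r"C:\Windows\System32\notepad.exe", 132_223_104_000_000_000)
            + build_entry(r"C:\Temp\deleted_installer.exe", 132_602_832_000_000_000, b"\x00" * 4))

if __name__ == "__main__":
    for e in parse_win10_appcompatcache(sample_cache()):
        print(f"{e['last_modified']:%Y-%m-%d %H:%M:%S} UTC  {e['path']}")
```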
For more information, see the related articles: AmCache, AppCompatFlags