Difference between revisions of "Windows Application Compatibility"

From ForensicsWiki
(External Links)
(External Links)
 
Line 44: Line 44:
 
* [https://www.fireeye.com/blog/threat-research/2015/10/shim_shady_live_inv.html Shim Shady: Live Investigations of the Application Compatibility Cache], by Fred House, Claudiu Teodorescu, Andrew Davis, October 27, 2015
 
* [https://www.fireeye.com/blog/threat-research/2015/10/shim_shady_live_inv.html Shim Shady: Live Investigations of the Application Compatibility Cache], by Fred House, Claudiu Teodorescu, Andrew Davis, October 27, 2015
 
* [https://www.fireeye.com/blog/threat-research/2015/10/shim_shady_live_inv/shim-shady-part-2.html Shim Shady Part 2]
 
* [https://www.fireeye.com/blog/threat-research/2015/10/shim_shady_live_inv/shim-shady-part-2.html Shim Shady Part 2]
 +
* [http://subt0x10.blogspot.ch/2017/05/using-application-compatibility-shims.html Using Application Compatibility Shims]
 +
* [https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence]
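Review bot: the two added entries carry no author or date, while the first Shim Shady entry in this list gives both; add them so the new references match. The subt0x10 entry also links over plain http to the country-specific blogspot.ch host; prefer an https link on the canonical host if it reaches the same post.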

Latest revision as of 20:03, 4 May 2017


sysmain.sdb

System compatibility database.

RecentFileCache.bcf

In Windows 7 the RecentFileCache.bcf file is stored in:

C:\Windows\AppCompat\Programs\

Amcache.hve

The Amcache.hve file is a Windows NT Registry File (REGF).

In Windows 8 the Amcache.hve file is stored in:

C:\Windows\AppCompat\Programs\
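
Because Amcache.hve is a REGF file, its first 512 bytes can be checked before the hive is handed to a registry parser. The following is an added example, not part of the original wiki page; it assumes the publicly documented REGF base block layout, and the sample header it builds is constructed rather than taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

REGF_MAGIC = b"regf"
CHECKSUM_OFFSET = 508  # XOR-32 over the 127 dwords that precede it


def xor32(data: bytes) -> int:
    """XOR-32 checksum as stored in the REGF base block."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", data):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum or 1  # a result of 0 is stored as 1


def parse_regf_header(block: bytes) -> dict:
    """Validate the first 512 bytes of a hive such as Amcache.hve."""
    if len(block) < 512 or block[:4] != REGF_MAGIC:
        raise ValueError("not a REGF hive")
    # Offsets 4..27: two sequence numbers, FILETIME, major and minor version.
    seq1, seq2, filetime, major, minor = struct.unpack_from("<IIQII", block, 4)
    (stored,) = struct.unpack_from("<I", block, CHECKSUM_OFFSET)
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return {
        "version": f"{major}.{minor}",
        "last_written": epoch + timedelta(microseconds=filetime // 10),
        # Unequal sequence numbers: the hive was not cleanly flushed, so
        # its transaction logs may hold data missing from the file.
        "dirty": seq1 != seq2,
        "checksum_ok": stored == xor32(block[:CHECKSUM_OFFSET]),
    }


def build_sample_header(seq1: int, seq2: int) -> bytes:
    """Constructed base block for demonstration; not from a real system."""
    filetime = 131383657800000000  # constructed FILETIME value
    head = REGF_MAGIC + struct.pack("<IIQII", seq1, seq2, filetime, 1, 5)
    head = head.ljust(CHECKSUM_OFFSET, b"\x00")
    return head + struct.pack("<I", xor32(head))


if __name__ == "__main__":
    for name, seqs in (("clean", (7, 7)), ("dirty", (8, 7))):
        print(name, parse_regf_header(build_sample_header(*seqs)))
```

On a collected Amcache.hve, pass the first 512 bytes of the file to `parse_regf_header`; a dirty result means the accompanying log files should be collected and replayed before analysis.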

AppCompatCache

In Windows 2000 and XP:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility

In Windows 2003 and later:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

External Links