Shimcache (AppCompatCache)
The Application Compatibility Cache stores up to 1024 records of executed binaries, each with the binary's full path and its last-modified timestamp. Entries persist even after the binary itself has been deleted.
Where to find it
Default filesystem paths and registry locations. Collect these with your preferred live-response or disk-image tooling.
- HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
Forensic significance
Common scenarios in which this artifact becomes decisive evidence.
- Detecting binaries executed and deleted by malware
- Locating renamed copies of known-bad tools (e.g., mimikatz.exe → svchost.exe)
- Establishing long-term execution history that outlives Prefetch
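The two detection scenarios above, as an added example that is not code from this page or from unJaena AI: it assumes the cache has already been parsed by whatever Shimcache tool you use into (path, last-modified) pairs, and the sample records, the expected-directory table and the user-writable markers are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Constructed sample of parsed Shimcache entries (path, last-modified time);
# not real data. The timestamp is the file's last-modified time, not a run time.
SAMPLE_ENTRIES = [
    (r"C:\Windows\System32\svchost.exe", "2023-01-10T08:00:00"),
    (r"C:\Users\Public\svchost.exe", "2024-05-02T14:22:10"),
    (r"C:\Windows\Temp\lsass.exe", "2024-05-02T14:25:43"),
    (r"C:\Program Files\7-Zip\7z.exe", "2022-11-01T09:15:00"),
    (r"C:\Users\alice\AppData\Local\Temp\mim.exe", "2024-05-02T14:20:00"),
]

# Well-known Windows binaries and the only directories they should live in
# (lower-case for comparison). Hypothetical subset; extend it for your estate.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Directory fragments any user can write to; executables recorded there
# deserve a look regardless of their name (constructed list).
USER_WRITABLE_MARKERS = (r"c:\users\public", r"c:\windows\temp", r"\appdata\local\temp")


def flag_renamed_system_binaries(entries):
    """Return (path, ts) entries whose file name is a well-known system binary
    but whose parent directory is not one where that binary is expected."""
    hits = []
    for path, ts in entries:
        p = PureWindowsPath(path)
        expected = EXPECTED_DIRS.get(p.name.lower())
        if expected and str(p.parent).lower() not in expected:
            hits.append((path, ts))
    return hits


def flag_user_writable_paths(entries):
    """Return entries located under user-writable directories, ordered by
    last-modified time so they can be dropped straight into a timeline."""
    hits = [(path, ts) for path, ts in entries
            if any(m in str(PureWindowsPath(path).parent).lower()
                   for m in USER_WRITABLE_MARKERS)]
    return sorted(hits, key=lambda e: e[1])


if __name__ == "__main__":
    for path, ts in flag_renamed_system_binaries(SAMPLE_ENTRIES):
        print(f"system binary name outside expected dir: {path} (mtime {ts})")
    for path, ts in flag_user_writable_paths(SAMPLE_ENTRIES):
        print(f"executable in user-writable location: {path} (mtime {ts})")
```

Because the cache outlives the file, a hit whose path no longer exists on the image is exactly the "executed then deleted" case; pivot to Amcache or Prefetch for a hash and execution times.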
MITRE ATT&CK mapping
Techniques this artifact can help detect or substantiate.
Tools that parse it
unJaena AI and other DFIR tools are commonly used to extract evidence from this artifact.
Related artifacts
Amcache.hve
Compatibility database introduced in Windows 8 that records every PE file executed on the system, including SHA-1 hash, full path, publisher, and first-seen timestamp.
Prefetch Files
Windows Prefetch stores up to the last 8 execution times of a binary along with loaded DLLs and volume information — a foundational timeline artifact for Windows investigations.
BAM / DAM
Background Activity Moderator and Desktop Activity Moderator record last-execution timestamps per user SID for every binary the system considers interactive.
Shell Bags
Windows Explorer view preferences recorded per-folder in UsrClass.dat. Shell Bags prove a user navigated to a folder, even after the folder or attached volume is long gone.
References & further reading
Stop parsing artifacts by hand
unJaena AI ingests disk images, live-response output, and mobile backups, then automatically correlates every artifact on this page — and 200+ more — into an investigator-ready timeline.