shimcache
$ target-query <path/to/target> -f shimcache
Module |
|
Output |
|
Module documentation
Shimcache plugin.
Function documentation
Return the shimcache.
The ShimCache or AppCompatCache stores registry keys related to properties from older Windows versions for compatibility purposes. Since it contains information about files such as the last modified date and the file size, it can be useful in forensic investigations.
- References:
- Yields ShimcacheRecords with the following fields:
    hostname (string): The target hostname.
    domain (string): The target domain.
    last_modified (datetime): The last modified date.
    name (string): The value name.
    index (varint): The index of the entry.
    path (uri): The parsed path.
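
A triage pass over records with the fields listed above, as an added example that is not code from the plugin or its project. The `triage` function, the `WRITABLE_HINTS` list and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone
from types import SimpleNamespace

# Assumption: path fragments an analyst treats as user-writable; tune per case.
WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\$recycle.bin\\")


def triage(records):
    """Return (flagged, changed) for records with the fields listed above.

    flagged: records whose path sits under a user-writable location.
    changed: {(hostname, path): sorted last_modified values} for paths cached
             with more than one last_modified value.
    """
    flagged, seen = [], defaultdict(set)
    for rec in sorted(records, key=lambda r: (r.hostname, r.index)):
        # Normalise separators and case so one file maps to one key.
        path = str(rec.path).replace("/", "\\").lower()
        seen[(rec.hostname, path)].add(rec.last_modified)
        if any(hint in path for hint in WRITABLE_HINTS):
            flagged.append(rec)
    changed = {key: sorted(ts) for key, ts in seen.items() if len(ts) > 1}
    return flagged, changed


def _rec(index, path, ts):
    # Constructed sample record; hostname, domain and name are made up.
    return SimpleNamespace(
        hostname="WS01", domain="example.local", name="AppCompatCache",
        index=index, path=path,
        last_modified=datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
    )


SAMPLE = [
    _rec(0, r"C:\Users\alice\AppData\Local\Temp\setup.exe", "2024-03-02T10:15:00"),
    _rec(1, r"C:\Windows\System32\cmd.exe", "2023-11-01T08:00:00"),
    _rec(2, r"C:\Windows\System32\svchost.exe", "2023-11-01T08:00:00"),
    _rec(3, r"C:\Windows\System32\svchost.exe", "2024-03-02T10:20:00"),
]

if __name__ == "__main__":
    flagged, changed = triage(SAMPLE)
    for rec in flagged:
        print("user-writable:", rec.index, rec.path, rec.last_modified.isoformat())
    for (host, path), stamps in changed.items():
        print("mtime changed:", host, path, [s.isoformat() for s in stamps])
```

The function reads only the hostname, index, path and last_modified fields, so it accepts any record objects that expose them.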