What is Crow-Eye ShimCache Analyzer?

Crow-Eye ShimCache Analyzer is a command-line tool designed for forensic analysis of the Windows Application Compatibility Cache (ShimCache). It extracts execution artifacts from the Windows registry or offline SYSTEM hives, supporting Windows 7, 10, and 11. With robust features like SQLite/JSON/CSV output, UWP entry handling, and timestamp filtering, it empowers investigators to uncover program execution evidence, build timelines, and detect malicious activity. Perfect for digital forensics, incident response, and threat hunting.

What is ShimCache?

The ShimCache (Application Compatibility Cache) is a Windows feature introduced in Windows XP to ensure compatibility for legacy applications. Stored in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache, it logs metadata about executables, including:

  • File Path: Full path of the executable.
  • Last Modified Time: File’s $STANDARD_INFORMATION timestamp (not execution time).
  • File Size: Size of the executable.
  • Cache Entry Position: Order of entries (newest first, up to 1024 entries on Windows 7+).

ShimCache entries are written to the registry on system shutdown or reboot, persisting even after file deletion, making it a key artifact for forensic analysis.

Why Use Crow-Eye ShimCache Analyzer?

ShimCache Analyzer unlocks the forensic potential of ShimCache by extracting critical evidence. Drawing on a related Amcache analysis (4,716 entries across 27 tables), it offers:

  • Execution Evidence: Tracks executables (.exe, .dll, .sys) with paths and last modified times.
  • Timeline Analysis: Orders entries by cache_entry_position (newest first).
  • Malware Detection: Identifies suspicious executables (e.g., PsExec in unusual directories).
  • System Baseline: Maps normal executable patterns to detect anomalies.

Why It Matters: ShimCache persists after file deletion, making it ideal for uncovering hidden threats and building forensic timelines.

Key Features

Live & Offline Analysis

Live: Extracts ShimCache from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache (or ControlSet001, ControlSet002).
Offline: Parses SYSTEM hives (e.g., C:\Crow Eye\Artifacts Collectors\Target Artifacts\Registry Hives\SYSTEM).

Flexible Output Formats

SQLite (shimcache_data.db): Structured database with shimcache_entries and uwp_invalid_entries tables.
JSON: Human-readable output with detailed metadata.
CSV: Spreadsheet-compatible with headers for paths, timestamps, and more.

UWP Handling

Separates UWP entries into uwp_invalid_entries table.
Supports optional package name extraction (--enable-package-name).
Exports UWP entries to CSV/JSON (--export-uwp).

Sorting & Filtering

Sorts non-UWP entries by last_modified timestamp (--sort-entries).
Sorts UWP entries by cache_entry_position (--sort-uwp-by-position).
Filters pre-2000 timestamps as Unknown (--filter-old-timestamps).
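As an added example (not code from the Crow-Eye project), here is a minimal parser for the Windows 10/11 layout of the AppCompatCache value, covering the fields listed under What is ShimCache? and the pre-2000 handling behind --filter-old-timestamps. It assumes the Windows 10/11 format (a header whose first DWORD is its own size, 0x30 or 0x34, followed by consecutive "10ts" entries); Windows 7 uses a different layout and is not handled here, and the UWP test and the sample value are constructed assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

WIN10_MAGIC = b"10ts"                 # signature that opens every Windows 10/11 entry
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_iso(ft: int, filter_old: bool = False) -> str:
    """FILETIME (100 ns ticks since 1601) to ISO-8601; zero, and pre-2000 when filtering, become Unknown."""
    ts = FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    if ft == 0 or (filter_old and ts.year < 2000):
        return "Unknown"
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_win10_appcompatcache(blob: bytes, filter_old: bool = False) -> List[Dict]:
    """Walk the AppCompatCache value: a 0x30/0x34-byte header, then consecutive '10ts' entries."""
    header_size = struct.unpack_from("<I", blob, 0)[0]
    if header_size not in (0x30, 0x34):
        raise ValueError("not a Windows 10/11 AppCompatCache value")
    entries, off, position = [], header_size, 1
    while off + 12 <= len(blob) and blob[off:off + 4] == WIN10_MAGIC:
        entry_size = struct.unpack_from("<I", blob, off + 8)[0]   # bytes following the 12-byte prefix
        body = blob[off + 12:off + 12 + entry_size]
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        ft, data_size = struct.unpack_from("<QI", body, 2 + path_len)  # FILETIME, then data length
        entries.append({
            "cache_entry_position": position,   # 1 = newest; the cache is kept most-recent first
            "path": path,
            "last_modified": filetime_to_iso(ft, filter_old),
            "data_size": data_size,
            # Assumption: UWP entries hold a package identity ("...!App"), not a backslash file path
            "is_uwp": "!" in path and "\\" not in path,
        })
        off += 12 + entry_size
        position += 1
    return entries

def _entry(path: str, when: Optional[datetime], data: bytes = b"") -> bytes:
    # Build one Windows 10-style entry for the constructed sample; when=None writes a zero FILETIME
    ft = 0 if when is None else ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    p = path.encode("utf-16-le")
    body = struct.pack("<H", len(p)) + p + struct.pack("<QI", ft, len(data)) + data
    return WIN10_MAGIC + b"\x00" * 4 + struct.pack("<I", len(body)) + body

# Constructed sample value (not from a real hive): 0x34-byte header, then three entries
SAMPLE_BLOB = struct.pack("<I", 0x34).ljust(0x34, b"\x00") + \
    _entry("C:\\Windows\\System32\\notepad.exe", datetime(2025, 1, 1, 12, tzinfo=timezone.utc)) + \
    _entry("C:\\Temp\\old.exe", datetime(1980, 1, 1, tzinfo=timezone.utc)) + \
    _entry("Contoso.SampleApp_1.0.0.0_x64__abcdefgh12345!App", None)
```

Run parse_win10_appcompatcache(SAMPLE_BLOB, filter_old=True) to see the 1980 entry and the zero-timestamp UWP entry reported as Unknown while the notepad entry keeps its timestamp.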

Virtual Environment

Auto-creates C:\Shimcache CLI\venv_shimcache_analyzer and installs tqdm and python-registry.

Robust Error Handling

Retries invalid hive paths (3 attempts, 1-second delay).
Logs errors to C:\Shimcache CLI\shimcache_analyzer.log.
Validates hive files (regf signature).

Database Management

Stores non-UWP entries in shimcache_entries and UWP entries in uwp_invalid_entries.
Prevents duplicates using MD5 hashes.
Tracks parsing time with parsed_timestamp.

Interactive & Non-Interactive Modes

Interactive: Menu-driven interface.
Non-Interactive: Command-line arguments for automation (--non-interactive).

Progress Tracking

Displays a tqdm progress bar for parsing large datasets.

Installation

Clone or Download

git clone https://github.com/Ghassan-elsman/ShimCache-Parser-CLI
cd ShimCache-Parser-CLI

Save the Script

Place shicache_cli.py in C:\Shimcache CLI\shicache_cli.py.
Set permissions (note that Everyone:F gives every local account full control of the script; on a shared workstation grant only the analyst account instead):
icacls "C:\Shimcache CLI\shicache_cli.py" /grant Everyone:F

Run the Script

Requires Python 3.6+ (tested with 3.12).
Automatically sets up a virtual environment and installs tqdm and python-registry.
C:/Users/Ghass/AppData/Local/Microsoft/WindowsApps/python3.12.exe "C:/Shimcache CLI/shicache_cli.py"

Manual Dependency Installation

If needed:
C:/Users/Ghass/AppData/Local/Microsoft/WindowsApps/python3.12.exe -m pip install tqdm python-registry

Usage

Interactive Mode

Launch without arguments for a user-friendly menu:
C:/Users/Ghass/AppData/Local/Microsoft/WindowsApps/python3.12.exe "C:/Shimcache CLI/shicache_cli.py"
Menu Options:
1. Live Analysis
2. Offline Analysis
3. Select Output Format (sqlite, json, csv)
4. Exit

Non-Interactive Mode

Run with command-line arguments:
C:/Users/Ghass/AppData/Local/Microsoft/WindowsApps/python3.12.exe "C:/Shimcache CLI/shicache_cli.py" --sort-entries --enable-package-name --export-uwp
Arguments:

  • --sort-entries: Sort non-UWP entries by last_modified timestamp.
  • --non-interactive: Skip the menu.
  • --enable-package-name: Include package names for UWP entries.
  • --sort-uwp-by-position: Sort UWP entries by cache_entry_position.
  • --export-uwp: Export UWP entries to CSV/JSON.
  • --filter-old-timestamps: Filter pre-2000 timestamps as Unknown.

Examples

Live analysis with JSON output:
Start-Process powershell -Verb RunAs -ArgumentList "-NoProfile -ExecutionPolicy Bypass -Command \"C:/Users/Ghass/AppData/Local/Microsoft/WindowsApps/python3.12.exe 'C:/Shimcache CLI/shicache_cli.py' --sort-entries --output json\""
Offline analysis with CSV output:
C:/Users/Ghass/AppData/Local/Microsoft/WindowsApps/python3.12.exe "C:/Shimcache CLI/shicache_cli.py" --non-interactive --output csv --sort-entries --offline "C:\Crow Eye\Artifacts Collectors\Target Artifacts\Registry Hives\SYSTEM"

Sample Output

SQLite Database

shimcache_entries table:
CREATE TABLE shimcache_entries (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    filename TEXT,
    path TEXT,
    package_name TEXT,
    last_modified TEXT,
    last_modified_readable TEXT,
    data_size INTEGER,
    entry_size INTEGER,
    cache_entry_position INTEGER,
    entry_hash TEXT,
    is_uwp BOOLEAN,
    parsed_timestamp TIMESTAMP
);

uwp_invalid_entries table:
CREATE TABLE uwp_invalid_entries (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    filename TEXT,
    path TEXT,
    package_name TEXT,
    last_modified TEXT,
    last_modified_readable TEXT,
    data_size INTEGER,
    entry_size INTEGER,
    cache_entry_position INTEGER,
    entry_hash TEXT,
    is_uwp BOOLEAN,
    parsed_timestamp TIMESTAMP
);
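As an added example (not the tool's own code), the following shows how the two tables above can be populated so that re-parsing the same hive adds no duplicate rows, which is the behaviour described under Database Management. It assumes the MD5 entry_hash covers path, last_modified and data_size, and that a UWP package_name is the text before the first underscore of the package identity; the schema is a reduced form of the documented one and the rows are constructed.

```python
import hashlib
import sqlite3
from datetime import datetime, timezone
from typing import Dict, Iterable, List

# Reduced form of the two documented tables; a UNIQUE entry_hash lets INSERT OR IGNORE drop
# rows already stored by an earlier run over the same hive.
SCHEMA = """CREATE TABLE IF NOT EXISTS {table} (
    id INTEGER PRIMARY KEY AUTOINCREMENT, filename TEXT, path TEXT, package_name TEXT,
    last_modified TEXT, data_size INTEGER, cache_entry_position INTEGER,
    entry_hash TEXT UNIQUE, is_uwp BOOLEAN, parsed_timestamp TIMESTAMP)"""

def entry_hash(entry: Dict) -> str:
    # Assumption: the hashed fields are path, last_modified and data_size (the README does not list them)
    key = f"{entry['path']}|{entry['last_modified']}|{entry['data_size']}"
    return hashlib.md5(key.encode("utf-8")).hexdigest()

def store_entries(conn: sqlite3.Connection, entries: Iterable[Dict]) -> Dict[str, int]:
    """Insert parsed entries, routing UWP ones to uwp_invalid_entries; return rows actually added."""
    for table in ("shimcache_entries", "uwp_invalid_entries"):
        conn.execute(SCHEMA.format(table=table))
    parsed_at = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    added = {"shimcache_entries": 0, "uwp_invalid_entries": 0}
    for e in entries:
        table = "uwp_invalid_entries" if e["is_uwp"] else "shimcache_entries"
        # Assumption: package_name is the text before the first '_' of a UWP package identity
        package_name = e["path"].split("_", 1)[0] if e["is_uwp"] else None
        cur = conn.execute(
            f"INSERT OR IGNORE INTO {table} (filename, path, package_name, last_modified, data_size,"
            " cache_entry_position, entry_hash, is_uwp, parsed_timestamp) VALUES (?,?,?,?,?,?,?,?,?)",
            (e["path"].rsplit("\\", 1)[-1], e["path"], package_name, e["last_modified"],
             e["data_size"], e["cache_entry_position"], entry_hash(e), e["is_uwp"], parsed_at))
        added[table] += cur.rowcount   # 0 when the UNIQUE entry_hash already exists
    conn.commit()
    return added

# Constructed sample rows (not real hive data), shaped like the JSON output below
SAMPLE: List[Dict] = [
    {"path": "C:\\Windows\\System32\\notepad.exe", "last_modified": "2025-01-01T12:00:00Z",
     "data_size": 204800, "cache_entry_position": 1, "is_uwp": False},
    {"path": "Contoso.SampleApp_1.0.0.0_x64__abcdefgh12345!App", "last_modified": "Unknown",
     "data_size": 0, "cache_entry_position": 2, "is_uwp": True},
]

def demo() -> Dict[str, Dict[str, int]]:
    """Store the same data twice; the second pass must add nothing."""
    conn = sqlite3.connect(":memory:")
    return {"first_run": store_entries(conn, SAMPLE), "second_run": store_entries(conn, SAMPLE)}
```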

JSON Output

{
  "shimcache_entries": [
    {
      "filename": "notepad.exe",
      "path": "c:\\windows\\system32\\notepad.exe",
      "last_modified": "2025-01-01T12:00:00Z",
      "last_modified_readable": "Jan 01, 2025 12:00:00",
      "data_size": 204800,
      "entry_size": 1024,
      "cache_entry_position": 1,
      "entry_hash": "a1b2c3d4e5f6",
      "is_uwp": false,
      "parsed_timestamp": "2025-07-18T10:00:00"
    }
  ],
  "uwp_invalid_entries": []
}

CSV Output

id,filename,path,package_name,last_modified,last_modified_readable,data_size,entry_size,cache_entry_position,entry_hash,is_uwp,parsed_timestamp
1,notepad.exe,c:\windows\system32\notepad.exe,,2025-01-01T12:00:00Z,"Jan 01, 2025 12:00:00",204800,1024,1,a1b2c3d4e5f6,0,2025-07-18T10:00:00

Forensic Insights

ShimCache complements Amcache by focusing on executable metadata and offers forensic value similar to that seen in a related Amcache analysis (4,716 entries, 27 tables):

  • Timeline Analysis: Orders entries by cache_entry_position (newest first), enabling reconstruction of execution timelines.
  • Artifact Recovery: Captures metadata for deleted executables (e.g., 3,022 file entries).
  • Threat Hunting: Detects suspicious executables (e.g., PsExec, renamed malware) in unusual paths.
  • System Baseline: Establishes normal executable patterns for anomaly detection.
  • Security Posture: Identifies unsigned or tampered executables via last_modified discrepancies.

Pro Tip: Combine ShimCache with Amcache, Prefetch, and Event Logs for a comprehensive forensic timeline.

FAQ

What systems does ShimCache Analyzer support?

Live analysis requires Windows 7+. Offline analysis works on any OS with Python 3.6+.

Why do I need admin privileges?

Live analysis accesses the locked SYSTEM registry hive, requiring administrative rights.

How does it handle UWP entries?

UWP entries are stored in uwp_invalid_entries with optional package names (--enable-package-name) and can be exported separately (--export-uwp).

Where are outputs saved?

Outputs are saved to C:\Shimcache CLI (e.g., shimcache_data.db, shimcache_data.json, shimcache_data.csv).

Why are some timestamps invalid?

UWP entries often lack valid timestamps. Use --filter-old-timestamps to mark pre-2000 timestamps as Unknown.

Requirements

  • OS: Windows 7+ (live analysis).
  • Python: 3.6+ (tested with 3.12).
  • Dependencies: tqdm, python-registry (auto-installed).
  • Permissions: Admin rights for live analysis.
  • Disk Space: Space for database and output files.

Contributing

Join the community at github.com/Ghassan-elsman/ShimCache-Parser-CLI. Submit pull requests or issues to enhance the tool, ensuring Windows 7+ compatibility and robust error handling.
