
AppCompatCache (shimcache) parser. Supports Windows 7 (x86 and x64), Windows 8.x, and Windows 10


AppCompatCacheParser

Command Line Interface

AppCompatCache Parser version 1.4.4.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/AppCompatCacheParser

        c               The ControlSet to parse. Default is to extract all control sets.
        f               Full path to SYSTEM hive to process. If this option is not specified, the live Registry will be used
        t               Sorts last modified timestamps in descending order

        csv             Directory to save CSV formatted results to. Required
        csvf            File name to save CSV formatted results to. When present, overrides default name

        debug           Debug mode
        dt              The custom date/time format to use when displaying timestamps. See https://goo.gl/CNVq0k for options. Default is: yyyy-MM-dd HH:mm:ss
        nl              When true, ignore transaction log files for dirty hives. Default is FALSE

Examples: AppCompatCacheParser.exe --csv c:\temp -t -c 2
          AppCompatCacheParser.exe --csv c:\temp --csvf results.csv

          Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes
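As an added example that is not part of the project's README, the PowerShell loop below runs the parser with the options listed above over SYSTEM hives collected from several hosts (for instance a KAPE collection), writing one CSV per host. The parser location, the triage folder layout (one sub-folder per host containing ...\config\SYSTEM) and the output folder are assumptions.

```powershell
# Added example, not part of the AppCompatCacheParser project.
# Assumptions: the parser is at $Parser, collected hives sit under
# $TriageRoot\<hostname>\...\config\SYSTEM, and $OutDir is writable.
$Parser     = 'C:\Tools\AppCompatCacheParser.exe'
$TriageRoot = 'C:\triage'
$OutDir     = 'C:\triage\shimcache_csv'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Locate every collected SYSTEM hive (restrict to the real config path so
# unrelated files named SYSTEM are skipped).
$hives = Get-ChildItem -Path $TriageRoot -Recurse -File -Filter 'SYSTEM' |
         Where-Object { $_.FullName -match '\\config\\SYSTEM$' }

foreach ($hive in $hives) {
    # Host name = first path segment below $TriageRoot.
    $relative = $hive.FullName.Substring($TriageRoot.Length).TrimStart('\')
    $hostName = ($relative -split '\\')[0]
    $csvName  = "${hostName}_shimcache.csv"

    $argList = @(
        '-f',     $hive.FullName,   # offline hive instead of the live Registry
        '--csv',  $OutDir,          # required output directory
        '--csvf', $csvName,         # per-host file name instead of the default
        '-t'                        # newest last-modified timestamps first
    )
    # -c is omitted on purpose: the default parses every ControlSet.

    # SYSTEM.LOG1/.LOG2 must sit next to the hive for dirty-hive replay.
    # Only when no logs were collected do we tell the parser to ignore them.
    $logs = Get-ChildItem -Path $hive.DirectoryName -Filter 'SYSTEM.LOG*' -File `
            -ErrorAction SilentlyContinue
    if (-not $logs) { $argList += '--nl' }

    Write-Host "Parsing $($hive.FullName) -> $csvName"
    & $Parser @argList
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Parser exited with $LASTEXITCODE for $hostName"
    }
}
```

Each resulting CSV can then be reviewed per host with the timestamps already in descending order, which makes the most recent cache entries the first thing an analyst sees.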

Documentation

AppCompatCache (ShimCache) parser. Supports Windows XP, Windows 7 (x86 and x64), Windows 8.x, Windows 10, and Windows 11.

Introducing AppCompatCacheParser

AppCompatCacheParser v0.0.5.1 released

AppCompatCacheParser v0.0.5.2 released

AppCompatCacheParser v0.9.0.0 released and some AppCompatCache/shimcache parser testing

Windows 10 Creators update vs shimcache parsers: Fight!!

Updates to the left of me, updates to the right of me, version 1 releases are here (for the most part)

Everything gets an update, Sept 2018 edition

Locked file support added to AmcacheParser, AppCompatCacheParser, MFTECmd, ShellBags Explorer (and SBECmd), and Registry Explorer (and RECmd)

Windows Registry Knowledge Base

Download Eric Zimmerman's Tools

All of Eric Zimmerman's tools can be downloaded here. Use the Get-ZimmermanTools PowerShell script to automate the download and updating of the EZ Tools suite. Additionally, you can automate each of these tools using KAPE!

Special Thanks

Open Source Development funding and support provided by the following contributors: SANS Institute and SANS DFIR.