Where is ShimCache stored?

Inside the SYSTEM registry hive at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache. It is a single binary blob value, not a tree of keys.

How many entries does ShimCache hold?

Up to 1024 entries on Windows 7+. When the limit is reached, oldest entries are evicted in LRU fashion.

Does ShimCache record file hashes?

No. ShimCache records file path, modification timestamp, and an execution flag — but no SHA-1, no publisher, no version. For hash and metadata, use Amcache.

When does ShimCache update?

Whenever the kernel loader touches a binary — loads it, executes it, or in some cases just stats it. Updates are held in kernel memory and flushed to disk on clean shutdown.

Why is ShimCache stale on a live system?

Because updates are flushed only on shutdown. The on-disk ShimCache reflects state as of the last clean reboot. For fresh ShimCache from a live system, capture memory and extract via Volatility.

What is ShimCache (AppCompatCache)? (glossary)

ShimCache (also called AppCompatCache) is a kernel-maintained binary cache in the SYSTEM registry hive that records up to 1024 PE binaries the Windows loader has touched, with the file path, a modification timestamp, and an execution flag.

It is older than Amcache, smaller than Amcache, and answers a different but overlapping question. Confusing the two produces wrong findings.

ShimCache vs Amcache#

	ShimCache	Amcache
Storage	`SYSTEM` hive, binary value	`Amcache.hve`
Maintainer	Kernel loader	User-mode scheduled task
Max entries	1024	Effectively unbounded
Records hash?	No	Yes (SHA-1)
Records publisher / version?	No	Yes
Records `ProgramId`?	No	Yes
Fresh on live system?	No (need shutdown)	Yes
Available pre-Windows 8	Yes	No (Amcache is Win 8+)
Updated by	Loader touches	Appraiser scans

For full coverage, see Amcache vs ShimCache.

When ShimCache wins#

Kernel-touch evidence. ShimCache records loader touches more aggressively than Amcache records presence.
Memory-only acquisitions. Volatility's shimcachemem plugin extracts ShimCache cleanly from RAM.
Hardened hosts with appraiser disabled. ShimCache is maintained by the kernel; it persists even when the appraiser is off.
Pre-Windows 10 1709. The modern Amcache schema only landed in 1709; ShimCache has been there since Windows XP.

When Amcache wins#

Hashes for VirusTotal. ShimCache has no hash. Amcache has SHA-1.
Cross-host hunts. ShimCache has no ProgramId, no hash, just paths.
Driver / device evidence. ShimCache is PE-only. Amcache has separate driver and device schemas.
Long-window retention. ShimCache rolls over at 1024 entries; Amcache holds thousands.

For the broader execution-evidence comparison, see Amcache vs Prefetch.

Amcache.hve — the modern inventory artefact.
Prefetch — the execution-evidence artefact.
InventoryApplicationFile — the Amcache equivalent to ShimCache's main blob.

What is ShimCache (AppCompatCache)? (glossary)

ShimCache vs Amcache#

When ShimCache wins#

When Amcache wins#

Related terms#

Related posts