AppCompatCacheParser
Command Line Interface
AppCompatCache Parser version 1.4.4.0
Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/AppCompatCacheParser
        c               The ControlSet to parse. Default is to extract all control sets.
        f               Full path to SYSTEM hive to process. If this option is not specified, the live Registry will be used
        t               Sorts last modified timestamps in descending order

        csv             Directory to save CSV formatted results to. Required
        csvf            File name to save CSV formatted results to. When present, overrides default name

        debug           Debug mode
        dt              The custom date/time format to use when displaying timestamps. See https://goo.gl/CNVq0k for options. Default is: yyyy-MM-dd HH:mm:ss
        nl              When true, ignore transaction log files for dirty hives. Default is FALSE

Examples: AppCompatCacheParser.exe --csv c:\temp -t -c 2
          AppCompatCacheParser.exe --csv c:\temp --csvf results.csv

          Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes
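
The options above combined for offline triage of several hosts, as an added example that is not part of the project's own documentation: it runs the parser over each collected SYSTEM hive with -f, writes one CSV per host with --csv and --csvf, and merges the results with a host tag. The directory layout, the tool path, the output file names and the SourceHost column are assumptions made for illustration.

```powershell
# Added example: batch-run AppCompatCacheParser over collected SYSTEM hives.
# Assumed layout (hypothetical): <EvidenceRoot>\<hostname>\SYSTEM, with any
# transaction log files kept beside the hive so dirty hives can be replayed.
param(
    [string]$EvidenceRoot = 'D:\evidence',                        # assumption
    [string]$OutDir       = 'D:\shimcache_out',                   # assumption
    [string]$Parser       = 'C:\Tools\AppCompatCacheParser.exe'   # assumption
)

if (-not (Test-Path -LiteralPath $Parser -PathType Leaf)) {
    throw "Parser not found: $Parser"
}
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$combined = foreach ($hostDir in Get-ChildItem -LiteralPath $EvidenceRoot -Directory) {
    $hive = Join-Path $hostDir.FullName 'SYSTEM'
    if (-not (Test-Path -LiteralPath $hive -PathType Leaf)) {
        Write-Warning "No SYSTEM hive under $($hostDir.FullName), skipping"
        continue
    }

    # One CSV per host; --csvf overrides the default output file name.
    $csvName = "$($hostDir.Name)_AppCompatCache.csv"
    $csvPath = Join-Path $OutDir $csvName
    Remove-Item -LiteralPath $csvPath -ErrorAction SilentlyContinue

    # -f: offline hive, --csv: output directory (required), -t: newest first.
    & $Parser -f $hive --csv $OutDir --csvf $csvName -t | Out-Null

    # Judge success by the output file rather than by console text.
    if (-not (Test-Path -LiteralPath $csvPath -PathType Leaf)) {
        Write-Warning "No CSV produced for $($hostDir.Name)"
        continue
    }

    # Tag every row with its source host so the merged file stays attributable.
    Import-Csv -LiteralPath $csvPath |
        Select-Object @{ Name = 'SourceHost'; Expression = { $hostDir.Name } }, *
}

if ($combined) {
    $merged = Join-Path $OutDir 'all_hosts.csv'
    $combined | Export-Csv -LiteralPath $merged -NoTypeInformation
    "{0} rows written to {1}" -f @($combined).Count, $merged
} else {
    Write-Warning 'No ShimCache rows were collected'
}
```

Leaving out -c keeps the default of extracting all control sets, and leaving out --nl keeps transaction log handling for dirty hives enabled.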
Documentation
AppCompatCache (ShimCache) parser. Supports Windows XP, Windows 7 (x86 and x64), Windows 8.x, Windows 10, and Windows 11.
Introducing AppCompatCacheParser
AppCompatCacheParser v0.0.5.1 released
AppCompatCacheParser v0.0.5.2 released
AppCompatCacheParser v0.9.0.0 released and some AppCompatCache/shimcache parser testing
Windows 10 Creators update vs shimcache parsers: Fight!!
Everything gets an update, Sept 2018 edition
Windows Registry Knowledge Base
Download Eric Zimmerman's Tools
All of Eric Zimmerman's tools can be downloaded here. Use the Get-ZimmermanTools PowerShell script to automate the download and updating of the EZ Tools suite. Additionally, you can automate each of these tools using KAPE!
Special Thanks
Open Source Development funding and support provided by the following contributors: SANS Institute and SANS DFIR.