Windows 10 Creators update vs shimcache parsers: Fight!


So it seems Microsoft has tweaked the format of AppCompatCache, aka shimcache, yet again with the latest release (or soon to be released) of Windows 10 (Creators update).

Here is an example of what ControlSet001\Control\Session Manager\AppCompatCache looked like on Windows 10 prior to Creators update:



And this is what it looks like in Creators update:



As you can see, the signature has changed from 0x30 to 0x34 and the initial record (signature 10ts) has now been shifted 4 bytes from where it used to be.
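To show why a hard-coded first-record offset breaks on the new hive while reading the header size from the value itself does not, here is an added example (written for this post, not code from AppCompatCacheParser or any other parser mentioned above). The header-size dword at offset 0 comes from the post; the per-entry body layout (path length, UTF-16LE path, FILETIME, data size) is an assumption used only to build and read the constructed sample values.

```python
import struct
from datetime import datetime, timedelta, timezone

ENTRY_SIG = b"10ts"  # per-entry signature on Windows 10
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def build_entry(path, mtime):
    # Constructed entry: sig, 4 unknown bytes, body size, then body
    # (path length, UTF-16LE path, FILETIME, 4-byte data size). Assumed layout.
    delta = mtime - FILETIME_EPOCH
    filetime = (delta.days * 86400 + delta.seconds) * 10_000_000
    path_bytes = path.encode("utf-16-le")
    body = struct.pack("<H", len(path_bytes)) + path_bytes + struct.pack("<QI", filetime, 0)
    return ENTRY_SIG + struct.pack("<II", 0, len(body)) + body

def build_cache(header_size, entries):
    # Constructed cache value: header-size dword, zero padding up to header_size,
    # then the entries. 0x30 = pre-Creators, 0x34 = Creators update.
    header = struct.pack("<I", header_size).ljust(header_size, b"\0")
    return header + b"".join(build_entry(p, t) for p, t in entries)

def legacy_first_record_present(data):
    # What a parser that hard-codes the first record at 0x30 is checking for.
    return data[0x30:0x34] == ENTRY_SIG

def parse_win10_cache(data):
    # Read the header size from the value and start there, so both the 0x30
    # and 0x34 layouts parse. Returns (header_size, [(path, mtime), ...]).
    header_size = struct.unpack_from("<I", data, 0)[0]
    if data[header_size:header_size + 4] != ENTRY_SIG:
        raise ValueError(f"no '10ts' record at header size 0x{header_size:x}")
    offset, results = header_size, []
    while data[offset:offset + 4] == ENTRY_SIG:
        body_len = struct.unpack_from("<I", data, offset + 8)[0]
        body = data[offset + 12:offset + 12 + body_len]
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        filetime = struct.unpack_from("<Q", body, 2 + path_len)[0]
        results.append((path, FILETIME_EPOCH + timedelta(microseconds=filetime // 10)))
        offset += 12 + body_len
    return header_size, results
```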

This pretty much breaks all AppCompatCache parsers:

Registry Explorer plugin failure:



AppCompatCacheParser failure:



Mandiant ShimCacheParser failure:



An issue has been filed with the ShimCacheParser project about this change, so it shouldn’t be long before ShimCacheParser gets updated.

Updating AppCompatCacheParser


After noticing this difference, I extracted out a SYSTEM hive from Creators update, added a new unit test, and wrote some new code.

The result?



Repeating our test from above with AppCompatCacheParser, we now get:



AppCompatCacheParser has been updated to 0.9.7.0 and is now available in the usual place. An updated Chocolatey package is also under review.

Enjoy!

Article Link: http://binaryforay.blogspot.com/2017/03/windows-10-creators-update-vs-shimcache.html