Attention
Zercurity has been acquired by JumpCloud.
This documentation will no longer be maintained or updated. You can read more about the acquisition, or sign up to JumpCloud today.
appcompat_shims
Application Compatibility shims are a Windows compatibility mechanism that malware can abuse for persistence. This table presents the AppCompat shim information from the registry in a readable format. See http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf for more details.
Platform support
Some queries can only be run against certain platforms. The platforms supported by this query are listed below. Zercurity will automatically pause queries if errors are detected. Running a query against an unsupported platform results in the following error: no such table: appcompat_shims
- Windows
Table schema
Name | Type | Description |
---|---|---|
executable | TEXT | Name of the executable that is being shimmed. This is pulled from the registry. |
path | TEXT | This is the path to the SDB database. |
description | TEXT | Description of the SDB. |
install_time | INTEGER | Install time of the SDB. |
type | TEXT | Type of the SDB database. |
sdb_id | TEXT | Unique GUID of the SDB. |
Query examples
select * from appcompat_shims;
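
A triage query built on the columns above, as an added example that is not part of the original documentation: it converts install_time to a readable UTC timestamp, joins osquery's hash table to fingerprint each SDB file, and labels rows worth a closer look. It assumes install_time is Unix epoch seconds and that SDBs installed with sdbinst.exe normally sit beneath %WINDIR%\AppPatch; the 30-day window is an arbitrary choice.

```sql
-- Added example; not part of the original documentation.
-- Assumptions (not stated on this page): install_time is Unix epoch seconds,
-- and SDBs installed with sdbinst.exe normally sit beneath %WINDIR%\AppPatch.
SELECT
  s.executable,
  s.path,
  s.description,
  s.type,
  s.sdb_id,
  -- Human-readable install time for timeline work.
  datetime(s.install_time, 'unixepoch') AS installed_utc,
  -- SHA-256 of the SDB file, for comparison against a known-good baseline.
  h.sha256 AS sdb_sha256,
  CASE
    -- The registry can point at any path; an SDB outside AppPatch is unusual.
    WHEN s.path NOT LIKE '%\AppPatch\%'
      THEN 'SDB stored outside AppPatch'
    -- Registry entry survives but the file could not be hashed.
    WHEN h.sha256 IS NULL
      THEN 'registered SDB file missing or unreadable'
    -- Recently registered shim databases deserve a change-control check.
    WHEN s.install_time > CAST(strftime('%s', 'now') AS INTEGER) - 30 * 86400
      THEN 'installed in the last 30 days'
    ELSE 'compare against baseline'
  END AS review_reason
FROM appcompat_shims AS s
-- LEFT JOIN keeps shim rows even when the SDB file no longer exists.
LEFT JOIN hash AS h ON h.path = s.path
ORDER BY s.install_time DESC;
```

Rows labelled 'compare against baseline' are not cleared by this query; match their sdb_id and sdb_sha256 against the shim databases your organisation deploys on purpose.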