appcompat_shims

Application Compatibility shims are a known persistence mechanism for malware. This table presents the AppCompat Shim information from the registry in a readable format. See http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf for more details.

Platform support

Please be aware that some queries can only be run against certain platforms. Below is the list of platforms this table supports. Zercurity will automatically pause queries from running if errors are detected. Running a query against an unsupported platform will result in the following error: no such table: appcompat_shims

  • Windows

Table schema

Name           Type      Description
executable     TEXT      Name of the executable that is being shimmed. This is pulled from the registry.
path           TEXT      This is the path to the SDB database.
description    TEXT      Description of the SDB.
install_time   INTEGER   Install time of the SDB.
type           TEXT      Type of the SDB database.
sdb_id         TEXT      Unique GUID of the SDB.

Query examples

select * from appcompat_shims;
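The following query is an added example, not part of the original page or of the osquery project, showing how a defender might triage this table rather than dumping every row. It assumes that install_time is a Unix epoch timestamp (so SQLite's datetime(..., 'unixepoch') renders it), that the name of the installing vendor appears in the description column, and that the path prefix C:\Windows\AppPatch\ and the Custom subfolder are the locations to watch; those three assumptions are not stated on the page.

```sql
-- Added example (not from the page): surface shim entries worth a second look.
-- Assumption: install_time is a Unix epoch value, so datetime() can render it.
-- Assumption: the vendor name is carried in the description column.
-- Assumption: C:\Windows\AppPatch\ is the shim store and Custom\ holds
--             non-Microsoft SDBs; both are hypothetical filters for this example.
SELECT
  executable,
  path,
  description,
  type,
  sdb_id,
  datetime(install_time, 'unixepoch') AS installed_at
FROM appcompat_shims
WHERE
  -- SDBs outside the expected store, or in the Custom folder, are the
  -- ones an investigator usually reviews first
  (path NOT LIKE 'C:\Windows\AppPatch\%' OR path LIKE '%\AppPatch\Custom\%')
  -- descriptions that do not name Microsoft as the publisher
  OR description NOT LIKE '%Microsoft%'
  -- anything installed in the last seven days (604800 seconds)
  OR install_time > strftime('%s', 'now') - 604800
ORDER BY install_time DESC;
```

Each condition is an independent signal; a row matching several of them (a recently installed, non-Microsoft SDB under Custom\ targeting a common system executable) is the kind of finding to pivot on with the other columns, such as sdb_id, before treating it as confirmed persistence.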