appcompat_shims

Application Compatibility shims (SDB files) are a documented mechanism that attackers abuse to persist malware. This table presents the AppCompat Shim information from the registry in a readable format. See http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf for more details.

Table schema

Name          Type     Description
executable    TEXT     Name of the executable that is being shimmed. This is pulled from the registry.
path          TEXT     Path to the SDB database file.
description   TEXT     Description of the SDB.
install_time  INTEGER  Install time of the SDB (Unix epoch).
type          TEXT     Type of the SDB database.
sdb_id        TEXT     Unique GUID of the SDB.

Query examples

select * from appcompat_shims;
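The following query is an added example, not part of the original table documentation. It turns the raw rows into a hunting view: install_time is rendered as a timestamp, and rows are flagged when the SDB lives outside the default Windows AppPatch directory (the assumption here is that vendor-installed shim databases normally sit under C:\Windows\AppPatch\, so anything elsewhere deserves a look).

```sql
-- Added example: review shim databases installed in the last 30 days,
-- most recent first, and flag SDBs stored outside the default AppPatch
-- directory. The AppPatch path is an assumption about typical installs,
-- not something this table enforces.
SELECT
  executable,
  path,
  description,
  type,
  sdb_id,
  datetime(install_time, 'unixepoch') AS installed_at,
  CASE
    WHEN lower(path) LIKE 'c:\windows\apppatch\%' THEN 'default_location'
    ELSE 'nonstandard_location'
  END AS location_flag
FROM appcompat_shims
WHERE install_time > strftime('%s', 'now') - (30 * 24 * 60 * 60)
ORDER BY install_time DESC;
```

Scheduling this query and diffing results over time surfaces newly registered shims, which is the event a defender actually wants to be alerted on.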