appcompat_shims

Application Compatibility shims (Windows Application Compatibility Infrastructure) are a persistence and privilege-escalation vector: an attacker installs a custom shim database (SDB) that redirects, patches or injects into a target executable every time it launches (MITRE ATT&CK T1546.011, Event Triggered Execution: Application Shimming). This table presents the installed SDB information that Windows records under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags (the InstalledSDB and Custom subkeys) in a queryable format. See http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf for more details on how shims are built and abused.

Platform support

Please be aware that some queries can only be run against certain platforms. Below is the list of platforms this query supports. Zercurity will automatically pause a query if errors are detected. Running this query against an unsupported platform will result in the following error: no such table: appcompat_shims

  • Windows

Table schema

Name          Type     Description
executable    TEXT     Name of the executable that is being shimmed. This is pulled from the registry.
path          TEXT     Path to the SDB database on disk.
description   TEXT     Description of the SDB.
install_time  INTEGER  Install time of the SDB.
type          TEXT     Type of the SDB database.
sdb_id        TEXT     Unique GUID of the SDB.

Query examples

select * from appcompat_shims;
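The query above lists every installed shim. As an added hunting example (not part of the original page or of osquery's own documentation), the following query joins the table with osquery's file and hash tables to flag the cases a responder cares about: shims installed recently, SDB files living outside the directory sdbinst normally writes to, and registry entries whose SDB file has been removed from disk. It assumes install_time is a Unix epoch, that Windows is installed on C:, and that the file and hash tables are available, as they are on a standard osquery Windows build.

```sql
-- Added hunting query; assumptions: install_time is Unix epoch,
-- Windows lives on C:, and the osquery `file` and `hash` tables exist.
SELECT
  s.executable,
  s.path,
  s.description,
  s.type,
  s.sdb_id,
  datetime(s.install_time, 'unixepoch') AS installed_utc,
  f.size                                AS sdb_size,
  h.sha256                              AS sdb_sha256,
  CASE WHEN f.path IS NULL THEN 'missing' ELSE 'present' END AS sdb_on_disk
FROM appcompat_shims s
LEFT JOIN file f ON f.path = s.path
LEFT JOIN hash h ON h.path = s.path
WHERE
  -- installed within the last 30 days
  s.install_time > strftime('%s', 'now') - 30 * 86400
  -- or stored outside the default custom-shim directories
  -- (C:\Windows\AppPatch\Custom and C:\Windows\AppPatch\Custom64)
  OR s.path NOT LIKE 'C:\Windows\AppPatch\Custom%'
  -- or the registry still references an SDB that no longer exists on disk
  OR f.path IS NULL
ORDER BY s.install_time DESC;
```

Legitimate custom shims (for example those deployed by enterprise compatibility tooling) will also match the first condition, so baseline the sha256 values of known SDBs before alerting on them; a shim whose description is empty or whose target executable is a security product or a commonly abused LOLBin deserves a closer look regardless of age.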