Incident Response with EZTools - ShimCache Forensics

SDB Explorer is bundled with EZTools. This tool displays the Shim Database in a GUI-based format.

Shims are libraries that transparently intercept API calls and change the arguments passed, handle the operation themselves, or redirect the operation elsewhere; they are mainly used for compatibility with legacy applications.

Even during an incident, a shim may be serving a legitimate purpose, but shims can also be used maliciously: adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.


A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:

%WINDIR%\AppPatch\sysmain.sdb and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB

Custom databases are stored in:

%WINDIR%\AppPatch\Custom and %WINDIR%\AppPatch\AppPatch64\Custom

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
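The PowerShell inventory below is an added example for responders and is not part of the original post or of EZTools; it simply walks the registry keys and directories listed above so that every registered shim database, every per-executable custom mapping, and every custom .sdb file on disk (with its SHA-256 hash) can be reviewed in one pass. The value names read under each InstalledSDB subkey (DatabasePath, DatabaseDescription, DatabaseInstallTimeStamp) are assumptions from the example author's own experience with that key, and the script tolerates their absence.

```powershell
# Added example (not from the original post or from EZTools): inventory the
# shim database locations described above for incident-response triage.
# Run from an elevated PowerShell prompt on the host being examined.

function Convert-RegFileTime {
    # Assumption: DatabaseInstallTimeStamp is a REG_QWORD FILETIME.
    # Anything else is returned unchanged so the inventory still completes.
    param($Value)
    if ($null -eq $Value) { return $null }
    try { return [DateTime]::FromFileTime([int64]$Value) } catch { return $Value }
}

function Get-ShimDatabaseInventory {
    $installedKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
    $customKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom'
    $customDirs   = @("$env:WINDIR\AppPatch\Custom", "$env:WINDIR\AppPatch\AppPatch64\Custom")

    # 1. Every database registered through sdbinst.exe (one GUID subkey per .sdb)
    $installed = @()
    if (Test-Path $installedKey) {
        $installed = Get-ChildItem $installedKey | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Guid        = $_.PSChildName
                Path        = $p.DatabasePath           # assumed value name
                Description = $p.DatabaseDescription    # assumed value name
                InstalledAt = Convert-RegFileTime $p.DatabaseInstallTimeStamp
            }
        }
    }

    # 2. Per-executable custom mappings: subkey = target exe, value name = database
    $mappings = @()
    if (Test-Path $customKey) {
        $mappings = Get-ChildItem $customKey | ForEach-Object {
            $exe = $_.PSChildName
            (Get-ItemProperty $_.PSPath).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { [pscustomobject]@{ Executable = $exe; Database = $_.Name } }
        }
    }

    # 3. Custom .sdb files actually present on disk, hashed for later lookup
    $files = $customDirs |
        Where-Object { Test-Path $_ } |
        ForEach-Object { Get-ChildItem -Path $_ -Filter *.sdb -File -ErrorAction SilentlyContinue } |
        ForEach-Object {
            [pscustomobject]@{
                File     = $_.FullName
                Modified = $_.LastWriteTime
                SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }

    [pscustomobject]@{
        InstalledDatabases = @($installed)
        CustomMappings     = @($mappings)
        CustomFiles        = @($files)
    }
}

$inv = Get-ShimDatabaseInventory
'== Installed shim databases (InstalledSDB) =='; $inv.InstalledDatabases | Format-Table -AutoSize
'== Custom shim mappings (Custom) ==';            $inv.CustomMappings     | Format-Table -AutoSize
'== Custom .sdb files on disk ==';                $inv.CustomFiles        | Format-Table -AutoSize
```

On a clean workstation all three lists are normally empty, because the stock shims live in sysmain.sdb rather than in these custom locations; any entry that does appear is worth opening in SDB Explorer and checking against change records. The install timestamp from the registry and the file modification time give a quick anchor for building the incident timeline.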

Below is the SDB Explorer user interface:

Let's Talk About ShimCache - The Most Misunderstood Artifact