Incident Response with EZTools - ShimCache Forensics

SDB Explorer is bundled with EZTools. This tool displays the Shim Database in a GUI-based format.

Shims are a library that transparently intercepts API calls and changes the arguments passed, handles the operation itself or redirects the operation elsewhere, and are also mainly used for compatibility purposes for legacy applications.

During an incident, shims can serve a legitimate purpose. This can also be used in a malicious way. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.


A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:

%WINDIR%\AppPatch\sysmain.sdb and HKLM\SOFTWARE\Microsoft\Windows NT\Current Version\appcompatflags\installedsdb

Custom databases are stored in:

%WINDIR%\AppPatch\Custom & %WINDIR%\AppPatch\AppPatch64\Custom

HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\Current Version\appcompatflags\custom

 Below is the SDB Explorer User Interface

Let's Talk About ShimCache - The Most Misunderstood Artifact