|
gptkbp:instanceOf
|
Windows artifact
|
|
gptkbp:alsoKnownAs
|
Application Compatibility Cache
|
|
gptkbp:analyzes
|
digital forensics experts
|
|
gptkbp:canBeParsedBy
|
AppCompatCacheParser
Eric Zimmerman's AppCompatCacheParser
ShimCacheParser
|
|
gptkbp:category
|
Incident response
Digital forensics
Windows registry artifacts
|
|
gptkbp:compatibleWith
|
exact execution time
|
|
gptkbp:forensicValue
|
tracks program execution
|
|
https://www.w3.org/2000/01/rdf-schema#label
|
Shimcache
|
|
gptkbp:introducedIn
|
gptkb:Windows_XP
|
|
gptkbp:location
|
gptkb:Windows_Registry
|
|
gptkbp:mayInclude
|
file size
execution flag
file path
last modified time
|
|
gptkbp:numberOfLocations
|
metadata about executed programs
|
|
gptkbp:presentIn
|
gptkb:Windows_8
gptkb:Windows_10
gptkb:Windows_7
gptkb:Windows_Vista
gptkb:Windows_Server_2003
gptkb:Windows_Server_2008
gptkb:Windows_Server_2012
gptkb:Windows_Server_2016
|
|
gptkbp:registryPath
|
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCompatCache
|
|
gptkbp:removes
|
system reboot (in some versions)
|
|
gptkbp:usedBy
|
gptkb:Microsoft_Windows
|
|
gptkbp:bfsParent
|
gptkb:KAPE
|
|
gptkbp:bfsLayer
|
8
|