The Application Compatibility Cache service is a feature of Windows that helps to improve the performance and compatibility of applications on the operating system. It works by storing information about the applications that have been executed on the system, such as their file paths, last modified dates, sizes, and compatibility modes. This information is stored in the registry under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache. The service periodically updates the cache with new entries and removes old ones based on a predefined algorithm.
The Application Compatibility Cache service can provide useful information for incident responders who are investigating a system for malicious activity or evidence of compromise. The cache can reveal what applications have been run on the system, when they were run, and how they were run. This can help to identify suspicious or unknown applications, determine the timeline of events, and correlate the activity with other sources of evidence, such as event logs, file system artifacts, and network traffic.
Some of the benefits of using the Application Compatibility Cache service for incident response are:
- It can provide information about applications that have been deleted or renamed from the file system, since the cache stores the original file path and name of the application.
- It can provide information about applications that have been executed from removable media, such as USB drives or optical discs, since the cache stores the full file path and drive letter of the application.
- It can provide information about applications that have been executed from network shares or cloud storage services, such as OneDrive or Dropbox, since the cache stores the UNC path or URL of the application.
- It can provide information about applications that have been executed with different compatibility modes, such as Windows 7 or Windows XP, since the cache stores the compatibility mode flag for each application.
- It can provide information about applications that have been executed with different privileges, such as administrator or user, since the cache stores the security identifier (SID) of the user who ran the application.
However, there are also some limitations and challenges of using the Application Compatibility Cache service for incident response, such as:
- The cache does not store information about all applications that have been executed on the system, only those that have triggered a compatibility check by the service. This means that some applications may not appear in the cache at all, or may appear only after a certain number of executions.
- The cache does not store information about the parameters or arguments that have been passed to the applications, only their file paths and names. This means that some details about how the applications were run may be missing or incomplete.
- The cache does not store information about the dates and times that the applications were executed, only their last modified dates and sizes. This means that some temporal information may be inaccurate or unreliable.
- The cache is updated and pruned by the service according to a complex algorithm that depends on various factors, such as the number of entries, the size of each entry, and the frequency of execution. This means that some entries may be overwritten or deleted from the cache over time, reducing their availability and persistence.
- The cache is stored in a binary format in the registry that is not easily readable or accessible by standard tools. This means that specialized tools or scripts are required to parse and analyse the cache data.
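As an added example (not code from the original post or from any of the tools it mentions), the following parser walks the Windows 10 layout of the AppCompatCache value, in which each entry carries a "10ts" signature, the executable's path and its last-modified FILETIME but no execution timestamp, arguments or user. It assumes the raw bytes were exported from the registry value under the key named above or from an offline SYSTEM hive; the sample blob below is constructed in the script, with the CRC32 field left as zero and the trailing per-entry data empty.

```python
import struct
from datetime import datetime, timedelta, timezone

WIN10_MAGIC = b"10ts"
WIN10_HEADER_SIZES = (0x30, 0x34)   # Windows 10 / Creators Update and later
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC (integer arithmetic keeps it exact)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_win10_appcompatcache(blob):
    """Return (path, last_modified) tuples in stored order for a Windows 10 cache blob.
    Note what is NOT here: no execution time, no arguments, no user identity."""
    header_size = struct.unpack_from("<I", blob, 0)[0]
    if header_size not in WIN10_HEADER_SIZES:
        raise ValueError(f"unsupported AppCompatCache header size 0x{header_size:x}")
    entries, pos = [], header_size
    while pos + 12 <= len(blob):
        magic, _crc32, entry_len = struct.unpack_from("<4sII", blob, pos)
        if magic != WIN10_MAGIC:
            raise ValueError(f"bad entry signature at offset {pos}: {magic!r}")
        body = blob[pos + 12:pos + 12 + entry_len]
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        (ft,) = struct.unpack_from("<Q", body, 2 + path_len)   # last-modified, not last-run
        entries.append((path, filetime_to_datetime(ft)))
        pos += 12 + entry_len
    return entries

def build_entry(path, last_modified):
    """Build one entry in the Windows 10 layout; used only to construct the sample below."""
    p = path.encode("utf-16-le")
    d = last_modified - FILETIME_EPOCH
    ft = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    body = struct.pack("<H", len(p)) + p + struct.pack("<Q", ft) + struct.pack("<I", 0)
    return WIN10_MAGIC + struct.pack("<II", 0, len(body)) + body   # CRC32 field left as 0

# Constructed sample value: a 0x34-byte header followed by two entries.
SAMPLE_BLOB = (
    struct.pack("<I", 0x34) + b"\x00" * 0x30
    + build_entry(r"C:\Users\alice\AppData\Local\Temp\updater.exe",
                  datetime(2023, 5, 1, 12, 0, 0, tzinfo=timezone.utc))
    + build_entry(r"\\fileserver\share\tools\procmon.exe",
                  datetime(2022, 11, 20, 8, 30, 0, tzinfo=timezone.utc))
)

if __name__ == "__main__":
    for path, mtime in parse_win10_appcompatcache(SAMPLE_BLOB):
        print(f"{mtime.isoformat()}  {path}")
```

Entries are listed most recently inserted first, so position in the list is the only ordering evidence the cache gives; the timestamp column is the file's modification time and must be corroborated with other artifacts before being treated as an execution time.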
Incident responders should use the Application Compatibility Cache service as one of many sources of evidence when investigating a system for malicious activity or evidence of compromise. They should also verify and corroborate their findings with other sources of evidence and use appropriate tools and techniques to extract and interpret the cache data.
You can find out more about how you can use the AppCompatCache to support incident response on the fantastic FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics course - https://sans.org/for508.