defensivedepth, 11/23/2022, 3:01 PM:
shimcache table - is this expected?

Mike Myers, 11/23/2022, 4:38 PM:

defensivedepth, 11/23/2022, 7:56 PM:
appcompat_shims table looks for app compatibility shims. The shimcache table uses a byproduct of the appcompat shim functionality, which is a listing of recently executed apps.
I've tested the shimcache table on multiple W10 systems and I am seeing the same duplicate results.
Looking at the shimcache code, it looks like it is pulling from multiple places in the registry & not de-duping the resulting data: https://github.com/osquery/osquery/blob/master/osquery/tables/system/windows/shimcache.cpp#L35
In fact, CurrentControlSet is a pointer to the currently used ControlSet001. So I'm thinking this wildcard that is in use, %ControlSet%, is causing the duplicates.

seph, 11/25/2022, 11:53 AM:

defensivedepth, 11/28/2022, 1:10 PM:
%ControlSet% to ControlSet% would only match:
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\AppCompatCache
but it appears it is still matching that and this one:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCompatCache
What am I missing?

seph, 11/28/2022, 2:11 PM:
HKEY_LOCAL_MACHINE\\SYSTEM\\
I'd have to test with code, but I'd expect you to be able to match the \ there. Something like %\\. But I'm not totally sure how escaping it would work. (\\ or \\\\? I dunno)
_ matches a single character, while % matches any range of characters. This can be used to more narrowly create a filter.

defensivedepth, 11/28/2022, 2:43 PM:

seph, 11/28/2022, 2:51 PM:
"HKEY_LOCAL_MACHINE\\SYSTEM\\%ControlSet%\\Control\\Session Manager\\AppCompatCache"
to "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet%\\Control\\Session Manager\\AppCompatCache"
And still got CurrentControlSet?

defensivedepth, 11/28/2022, 3:40 PM:

seph, 11/28/2022, 3:41 PM:

defensivedepth, 11/28/2022, 3:41 PM:

seph, 11/28/2022, 3:45 PM:

defensivedepth, 11/28/2022, 3:49 PM:

Mike Myers, 11/28/2022, 4:44 PM:
CurrentControlSet is a symbolic link to either `ControlSet001` or `ControlSet002`, and Windows alternates which one of those it is. The other key is a backup for a "Last Known Good" feature.
CurrentControlSet.
bug and then the desired/expected behavior. One of us can at least confirm.

seph, 11/28/2022, 4:58 PM:

zwass, 11/28/2022, 5:04 PM:

Mike Myers, 11/28/2022, 8:46 PM:

Marcos Oviedo, 11/28/2022, 11:15 PM:
CurrentControlSet is a symbolic link to ControlSet001 or ControlSet002. I couldn't find an easy way to show that through PowerShell, so I ended up relying on the TotalRegistry tool to show that registry symbolic link (screenshot below). There is also this old link with more information on this.
I think the code should just check CurrentControlSet, as this subkey reflects the current state of the system.

defensivedepth, 11/29/2022, 1:26 PM:
now minus uptime
I think pulling just from CurrentControlSet is a good place to land - if that is agreeable, I can submit a PR for that. We should also notate that in the schema notes.

Marcos Oviedo, 11/29/2022, 11:02 PM:

defensivedepth, 11/30/2022, 12:53 PM:

Marcos Oviedo, 11/30/2022, 1:44 PM:

defensivedepth, 11/30/2022, 1:46 PM: