anyone know of an extension that exposes appcompat amcachehi

Question

anyone know of an extension that exposes appcompat amcachehive entries as a table

Mike Myers · Answer

The Windows appcompat database I don t know of an extension like that Does Microsoft have an API to enumerate the AppCompat shims or just the optional download for the Application Compatibility Toolkit

Mike Myers · Answer

~Maybe you could use the existing osquery tables and read the keys HKLM SOFTWARE Microsoft Windows NT CurrentVersion AppCompatFlags Custom and HKLM SOFTWARE Microsoft Windows NT CurrentVersion AppCompatFlags InstalledSDB ~

Mike Myers · Answer

Or use the `ntfs journal events` table to watch for files created in the default shim database directories of C Windows AppPatch Custom and C Windows AppPatch Custom Custom64

Mike Myers · Answer

Oh wait I see there s already an `appcompat shims` table in osquery <https osquery io schema 4 4 0 appcompat shims>

puffycid · Answer

Appcompat shimcache entries were just added to osquery <https github com osquery osquery commit 336e6b075f6f84033b534c4d67f4c80a47083363|https github com osquery osquery commit 336e6b075f6f84033b534c4d67f4c80a47083363>