Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

anyone know of an extension that exposes appcompat/amcachehive entries as a table?

The Windows appcompat database? I don't know of an extension like that. Does Microsoft have an API to enumerate the AppCompat shims, or just the optional download for the Application Compatibility Toolkit?

~Maybe you could use the existing osquery tables and read the keys “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom” and “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB”~

Or use the `ntfs_journal_events` table to watch for files created in the default shim database directories of “C:\Windows\AppPatch\Custom” and “C:\Windows\AppPatch\Custom\Custom64”

Oh wait I see there's already an `appcompat_shims` table in osquery <https://osquery.io/schema/4.4.0/#appcompat_shims>

Appcompat/shimcache entries were just added to osquery
<https://github.com/osquery/osquery/commit/336e6b075f6f84033b534c4d67f4c80a47083363|https://github.com/osquery/osquery/commit/336e6b075f6f84033b534c4d67f4c80a47083363>