How to extract the shimcache from memory and disk images

This requires that you have a mounted image, or otherwise have an extracted SYSTEM hive or a memory dump.

Using you can get a list of executables, and depending on the version of Windows you also get the last modified time and if it has been executed or not. The shimcache is updated as soon as an executable touches the disk, is renamed, updated, overwritten or modified.

Grab the script from here:

The tool runs on Windows, so you’ll need Python 2.7 for Windows installed. Afterwards, run pip install python-registry to satisfy dependencies.

python -i /path/to/windows/system32/config/SYSTEM --bom -o shimcacheparser-results.csv

This file will list the content of the shimcache at the time of shutdown, as that is when it is written to disk. You can do the same on a memory dump to see what was in the cache when the machine was running:

volatility -f /path/to/memory/dump.001 --profile=<profile> output=csv --output-file=shimcachemem-results.csv -c shimcachemem 2>/dev/null

Check your version of Volatility, in the one you get from apt-get install the shimcachemem plugin is just called shimcache