[Vol-users] No shimcache data found

Jamie Levy jamie.levy at gmail.com
Wed Jun 19 12:04:19 CDT 2013


The key/data is probably paged out, it happens sometimes.  You can
verify if there is anything there by examining the keys manually.

First you should find the CurrentControlSet (or you can look at all of
them if you don't know) and then use printkey (assuming controlset is
ControlSet001):

$ python vol.py -f [sample] --profile=Win7SP1x64 printkey -K "ControlSet001\Control\Session Manager\AppCompatCache"

Let me know if you find something.

All the best,

-gleeda



On Wed, Jun 19, 2013 at 12:30 PM, Brian Keefer <chort at effu.se> wrote:
> I look at mostly Win7/64 systems and have always found shimcache data in memory images before. In the last several weeks only about 50% of the images I looked at had it. I'm running a 2.3 alpha build from a month or two ago (have been all this time).
>
> While not strictly a Volatility issue, could someone explain under what circumstances the data wouldn't be available? I'm not a Windows internals expert (yet, I have part 1 and part 2 on my bookshelf, waiting...)
>
> Thanks!
>
> --
> chort
>
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users



-- 
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92
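
The procedure in the reply above, as an added example that is not part of the original message or of Volatility itself: the current control set is taken from the `Current` value of the `Select` key in the SYSTEM hive, and when that value cannot be read every candidate set is checked instead. The printkey output layout, the sample text, the image name `memory.img` and the fallback set names are assumptions.

```shell
#!/bin/sh
# Added example: not from the original post or the Volatility project.
# Assumes Volatility 2 printkey prints values as "TYPE  Name : (S) data".

# Constructed sample of `printkey -K "Select"` output (not from a real image).
SAMPLE_SELECT='Registry: \REGISTRY\MACHINE\SYSTEM
Key name: Select (S)
Values:
REG_DWORD     Current         : (S) 1
REG_DWORD     Default         : (S) 1
REG_DWORD     LastKnownGood   : (S) 2'

# Candidates tried when Select\Current cannot be read (assumed names).
FALLBACK_SETS="ControlSet001 ControlSet002"

# Read printkey output for the Select key on stdin and print the control
# set name(s) to examine, one per line.
control_sets() {
    n=$(awk '$1 == "REG_DWORD" && $2 == "Current" { print $NF; exit }')
    case "$n" in
        # Value missing or not a plain number: look at all candidates.
        ''|*[!0-9]*) printf '%s\n' $FALLBACK_SETS ;;
        # Current = 1 means ControlSet001, and so on.
        *) printf 'ControlSet%03d\n' "$n" ;;
    esac
}

# Print one printkey command per control set. $1 is the image path,
# $2 the profile; the Select key output is read from stdin.
shimcache_commands() {
    control_sets | while read -r cs; do
        printf 'python vol.py -f %s --profile=%s printkey -K "%s\\Control\\Session Manager\\AppCompatCache"\n' \
            "$1" "$2" "$cs"
    done
}

# Demonstration on the constructed sample; prints the command to run.
printf '%s\n' "$SAMPLE_SELECT" | shimcache_commands memory.img Win7SP1x64
```

Against a real image, pipe the output of `python vol.py -f [sample] --profile=Win7SP1x64 printkey -K "Select"` into `shimcache_commands` in place of the sample.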

