[Vol-users] No shimcache data found

Jamie Levy jamie.levy at gmail.com
Wed Jun 19 15:46:25 CDT 2013


It appears that is the case.  If you have the hive from disk you could
verify that the data is there, but wasn't accessible from the memory
sample.  If it is missing in the registry from disk then that would be
a different story.

All the best,

-gleeda


On Wed, Jun 19, 2013 at 3:22 PM, Brian Keefer <chort at effu.se> wrote:
> So in this case it comes back with:
> Values:
> REG_BINARY AppCompatCache : (S)
>
> and that's it. That would indicate that portion of the hive is swapped out?
>
> --
> chort
>
>
>
> On Jun 19, 2013, at 10:04 AM, Jamie Levy wrote:
>
>> The key/data is probably paged out, it happens sometimes.  You can
>> verify if there is anything there by examining the keys manually.
>>
>> First you should find the CurrentControlSet (or you can look at all of
>> them if you don't know) and then use printkey (assuming controlset is
>> ControlSet001):
>>
>> $ python vol.py -f [sample] --profile=Win7SP1x64 printkey -K
>> "ControlSet001\Control\Session Manager\AppCompatCache"
>>
>> Let me know if you find something.
>>
>> All the best,
>>
>> -gleeda
>>
>>
>>
>> On Wed, Jun 19, 2013 at 12:30 PM, Brian Keefer <chort at effu.se> wrote:
>>> I look at mostly Win7/64 systems and have always found shimcache data in memory images before. In the last several weeks only about 50% of the images I looked at had it. I'm running a 2.3 alpha build from a month or two ago (have been all this time).
>>>
>>> While not strictly a Volatility issue, could someone explain under what circumstances the data wouldn't be available? I'm not a Windows internals expert (yet, I have part 1 and part 2 on my bookshelf, waiting...)
>>>
>>> Thanks!
>>>
>>> --
>>> chort
>>>
>>>
>>>
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users at volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
>>
>>
>> --
>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92
>



-- 
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92
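Jamie's suggestion is to pull the SYSTEM hive from disk and check whether the AppCompatCache value actually holds data there. Any hive parser can hand back the raw bytes of `ControlSet001\Control\Session Manager\AppCompatCache`; what you then need is a decoder for the Windows 7 x64 layout that copes with the empty value the thread describes instead of crashing on it. The script below is an added example, not code from this thread or from Volatility. It assumes the published Windows 7 / 2008 R2 64-bit layout (0xBADC0FEE header, 128-byte header, 48-byte entries, paths stored as UTF-16LE at an absolute offset) and builds a constructed sample blob so it runs offline; the paths and timestamps in that sample are made up. The `build_sample_cache`, `parse_appcompatcache_win7_x64` and `filetime_to_datetime` names are this example's own.

```python
"""Decode a Windows 7 x64 AppCompatCache (shimcache) value read from an
on-disk SYSTEM hive. Example code; the sample blob is constructed here."""
import struct
from datetime import datetime, timedelta, timezone

WIN7_MAGIC = 0xBADC0FEE      # header signature on Windows 7 / 2008 R2
HEADER_SIZE = 128            # fixed header; the entry array starts after it
ENTRY_SIZE_X64 = 48          # per-entry record size on 64-bit Windows 7
# 64-bit entry layout (little-endian):
#   H path length in bytes (UTF-16LE, no terminator)   H path max length
#   4x padding   Q absolute offset of the path in the value data
#   Q last-modified FILETIME   L insert flags (0x2 is the usual "executed" bit)
#   L shim flags   Q blob size   Q blob offset
ENTRY_FMT = "<HH4xQQLLQQ"
assert struct.calcsize(ENTRY_FMT) == ENTRY_SIZE_X64

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, done in integers to avoid float loss."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_appcompatcache_win7_x64(data):
    """Return one dict per cache entry, in stored order (most recent first).

    An empty value (what a paged-out or never-written value looks like)
    yields [], so the caller can tell "no data" from a malformed value,
    which raises ValueError.
    """
    if not data:
        return []
    if len(data) < HEADER_SIZE:
        raise ValueError("value too short for a Win7 AppCompatCache header")
    magic, count = struct.unpack_from("<LL", data, 0)
    if magic != WIN7_MAGIC:
        raise ValueError("unexpected header magic 0x%08x" % magic)
    entries = []
    for i in range(count):
        off = HEADER_SIZE + i * ENTRY_SIZE_X64
        if off + ENTRY_SIZE_X64 > len(data):
            raise ValueError("entry %d runs past end of data (truncated value)" % i)
        (path_len, _max_len, path_off, ft, insert_flags,
         shim_flags, _blob_size, _blob_off) = struct.unpack_from(ENTRY_FMT, data, off)
        if path_off + path_len > len(data):
            raise ValueError("entry %d path offset out of range" % i)
        entries.append({
            "path": data[path_off:path_off + path_len].decode("utf-16le"),
            "last_modified": filetime_to_datetime(ft),
            "executed": bool(insert_flags & 0x2),
            "shim_flags": shim_flags,
        })
    return entries


def build_sample_cache(records):
    """Assemble a Win7 x64 blob from (path, filetime, executed) tuples.
    Constructed for this example only; strings follow the entry array."""
    header = struct.pack("<LL", WIN7_MAGIC, len(records)).ljust(HEADER_SIZE, b"\x00")
    string_base = HEADER_SIZE + len(records) * ENTRY_SIZE_X64
    entries, strings = b"", b""
    for path, ft, executed in records:
        enc = path.encode("utf-16le")
        entries += struct.pack(ENTRY_FMT, len(enc), len(enc) + 2,
                               string_base + len(strings), ft,
                               0x2 if executed else 0, 0, 0, 0)
        strings += enc + b"\x00\x00"
    return header + entries + strings


# Constructed sample: made-up paths and timestamps, not data from a real host.
SAMPLE = build_sample_cache([
    (r"\??\C:\Windows\System32\cmd.exe",
     datetime_to_filetime(datetime(2013, 6, 19, 12, 0, tzinfo=timezone.utc)), True),
    (r"\??\C:\Users\Public\tool.exe",
     datetime_to_filetime(datetime(2013, 5, 2, 8, 30, tzinfo=timezone.utc)), False),
])

if __name__ == "__main__":
    for e in parse_appcompatcache_win7_x64(SAMPLE):
        print(e["last_modified"].isoformat(), "exec" if e["executed"] else "    ", e["path"])
    print("empty value ->", parse_appcompatcache_win7_x64(b""))
```

Feed the function the bytes of the on-disk value: a non-empty list means the data exists in the hive and simply was not resident in the memory sample; an empty result from the disk copy too would be the "different story" Jamie refers to.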

