[Vol-users] No shimcache data found

Brian Keefer chort at effu.se
Wed Jun 19 14:22:06 CDT 2013


So in this case it comes back with:
Values:
REG_BINARY AppCompatCache : (S)

and that's it. That would indicate that portion of the hive is swapped out?

--
chort



On Jun 19, 2013, at 10:04 AM, Jamie Levy wrote:

> The key/data is probably paged out, it happens sometimes.  You can
> verify if there is anything there by examining the keys manually.
> 
> First you should find the CurrentControlSet (or you can look at all of
> them if you don't know) and then use printkey (assuming controlset is
> ControlSet001):
> 
> $ python vol.py -f [sample] --profile=Win7SP1x64 printkey -K
> "ControlSet001\Control\Session Manager\AppCompatCache"
> 
> Let me know if you find something.
> 
> All the best,
> 
> -gleeda
> 
> 
> 
> On Wed, Jun 19, 2013 at 12:30 PM, Brian Keefer <chort at effu.se> wrote:
>> I look at mostly Win7/64 systems and have always found shimcache data in memory images before. In the last several weeks only about 50% of the images I looked at had it. I'm running a 2.3 alpha build from a month or two ago (have been all this time).
>> 
>> While not strictly a Volatility issue, could someone explain under what circumstances the data wouldn't be available? I'm not a Windows internals expert (yet, I have part 1 and part 2 on my bookshelf, waiting...)
>> 
>> Thanks!
>> 
>> --
>> chort
>> 
>> 
>> 
> 
> 
> 