Security Slice

AppCompatCacheParser

AppCompatCacheParser

Description

Parses appcompatchcache entries from the SYSTEM hive.

PlatformWindows
AuthorEric Zimmerman
LicenseMIT License
URLAppCompatCacheParser

Usage

AppCompatCache Parser version 1.4.4.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/AppCompatCacheParser

        c               The ControlSet to parse. Default is to extract all control sets.
        f               Full path to SYSTEM hive to process. If this option is not specified, the live Registry will be used
        t               Sorts last modified timestamps in descending order

        csv             Directory to save CSV formatted results to. Required
        csvf            File name to save CSV formatted results to. When present, overrides default name

        debug           Debug mode
        dt              The custom date/time format to use when displaying timestamps. See https://goo.gl/CNVq0k for options. Default is: yyyy-MM-dd HH:mm:ss
        nl              When true, ignore transaction log files for dirty hives. Default is FALSE

Examples: AppCompatCacheParser.exe --csv c:\temp -t -c 2
          AppCompatCacheParser.exe --csv c:\temp --csvf results.csv

          Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes

Examples

appcompatcacheparser -f SYSTEM.hve –csv C:\windows\temp

This command will search the SYSTEM hive for AppCompatCache results and save them to CSV formatted file in the Temp directory.

Blog Posts