
Difference between pages "Analyzing Program Execution" and "Windows Application Compatibility"

From ForensicsWiki

Analyzing Program Execution:

{{expand}}

This article is intended to give a high-level overview of analyzing program execution on the various operating systems.

== Linux ==

== Mac OS X ==

== Windows ==

== See Also ==
* [[Memory analysis]]

=== Linux ===
* [[Linux Memory Analysis]]

=== Mac OS X ===
* [[Mac OS X Memory Analysis]]
* Plists
** [[Mac OS X#Launch Agents|Launch Agents]]
** [[Mac OS X#Launch Daemons|Launch Daemons]]

=== Windows ===
* Program crashes
** Windows Error Reporting (WER)
** Minidumps
* Services and drivers
* UserAssist Registry key
* [[Windows Application Compatibility]]
** RecentFileCache.bcf
** Amcache.hve
** AppCompatCache Registry key
* [[Windows Memory Analysis]]
* Windows PC Accelerators
* [[Prefetch]]
* [[ReadyBoot]]
* [[ReadyBoost]]
* [[ReadyDrive]]
* [[SuperFetch]]
* [[Windows Registry#Run/RunOnce|Run/RunOnce Registry keys]] (and equivalents)
* Windows Task Scheduler
** [[Windows Job File Format|Job files]]
** TaskCache Registry key

== External Links ==
=== Windows ===
* [http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html HowTo: Determine Program Execution], by [[Harlan Carvey]], July 06, 2013
* [http://journeyintoir.blogspot.com/2014/01/it-is-all-about-program-execution.html It Is All About Program Execution], by [[Corey Harrell]], January 14, 2014
* [http://sysforensics.org/2014/01/know-your-windows-processes.html Know your Windows Processes or Die Trying], by [[Patrick Olsen]], January 18, 2014

[[Category:Analysis]]

Windows Application Compatibility:

{{expand}}

== sysmain.sdb ==
sysmain.sdb is the system application compatibility database.

== RecentFileCache.bcf ==
In Windows 7 the RecentFileCache.bcf file is stored in:
<pre>
C:\Windows\AppCompat\Programs\
</pre>

== Amcache.hve ==
The Amcache.hve file is a [[Windows NT Registry File (REGF)]].

In Windows 8 the Amcache.hve file is stored in:
<pre>
C:\Windows\AppCompat\Programs\
</pre>

== AppCompatCache ==
In Windows 2000 and XP:
<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility
</pre>

In Windows 2003 and later:
<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
</pre>

== External Links ==
* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatilibity Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatilibity Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
* [http://www.alex-ionescu.com/?p=41 Secrets of the Application Compatilibity Database (SDB) – Part 3], by [[Alex Ionescu]], May 26, 2007
* [http://recxltd.blogspot.com/2012/04/windows-appcompat-research-notes-part-1.html Windows AppCompat Research Notes - Part 1], by Ollie, 28 April 2012
* [http://recxltd.blogspot.com/2012/05/windows-appcompat-research-notes-part-2.html Windows AppCompat Research Notes - Part 2], by Ollie, 4 May 2012
* [https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012
* [http://journeyintoir.blogspot.ch/2013/12/revealing-recentfilecachebcf-file.html Revealing the RecentFileCache.bcf File], by [[Corey Harrell]], December 2, 2013
* [http://journeyintoir.blogspot.ch/2013/12/revealing-program-compatibility.html Revealing Program Compatibility Assistant HKCU AppCompatFlags Registry Keys], by [[Corey Harrell]], December 17, 2013
* [http://journeyintoir.blogspot.ch/2014/04/triaging-with-recentfilecachebcf-file.html Triaging with the RecentFileCache.bcf File], by [[Corey Harrell]], April 21, 2014

Revision as of 05:06, 9 July 2014
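The artifacts the Windows Application Compatibility page lists (RecentFileCache.bcf, Amcache.hve and the AppCompatCache Registry value) are usually collected from a live host and parsed offline. The following PowerShell is an added triage example written for this page; it is not code from ForensicsWiki or from any of the tools linked above. It assumes an elevated session on the host being triaged, and the function name `Get-AppCompatArtifacts` and the `$OutDir` folder are choices made for the example. It reads and exports only; nothing on the host is modified.

```powershell
# Added example (not from the ForensicsWiki page): record the application
# compatibility artifacts named on the page and export the AppCompatCache
# value plus the SYSTEM hive for offline parsing. Run elevated.
function Get-AppCompatArtifacts {
    param(
        # Hypothetical collection folder; change to evidence storage of your choice.
        [string]$OutDir = "$env:TEMP\appcompat-triage"
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $report = [ordered]@{}

    # 1. Files under %SystemRoot%\AppCompat\Programs\ (RecentFileCache.bcf on
    #    Windows 7, Amcache.hve on Windows 8 and later, per the page). Only
    #    metadata is recorded here: Amcache.hve is a loaded hive on a running
    #    system and cannot be copied directly (use a shadow copy or an image).
    $programs = Join-Path $env:SystemRoot 'AppCompat\Programs'
    foreach ($name in 'RecentFileCache.bcf', 'Amcache.hve') {
        $path = Join-Path $programs $name
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
            $report[$name] = [ordered]@{
                Path        = $item.FullName
                Size        = $item.Length
                ModifiedUtc = $item.LastWriteTimeUtc
            }
        } else {
            $report[$name] = 'not present'
        }
    }

    # 2. AppCompatCache value: try the Windows 2003-and-later key first, then
    #    the Windows 2000/XP key. The value is REG_BINARY in both locations.
    $keys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility'
    )
    $report['AppCompatCache'] = 'not present'
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $bytes = (Get-ItemProperty -LiteralPath $key -Name 'AppCompatCache' `
                    -ErrorAction SilentlyContinue).AppCompatCache
        if ($bytes -and $bytes.Length -ge 4) {
            $dump = Join-Path $OutDir 'AppCompatCache.bin'
            [System.IO.File]::WriteAllBytes($dump, [byte[]]$bytes)
            $report['AppCompatCache'] = [ordered]@{
                Key    = $key
                Bytes  = $bytes.Length
                # Leading bytes identify the cache format version to the parser.
                Header = ($bytes[0..3] | ForEach-Object { $_.ToString('x2') }) -join ' '
                Dump   = $dump
            }
            break
        }
    }

    # 3. Export the SYSTEM hive so the same key can be parsed offline.
    $hive = Join-Path $OutDir 'SYSTEM.hiv'
    & reg.exe save 'HKLM\SYSTEM' $hive /y | Out-Null
    $report['SystemHive'] = $hive

    [pscustomobject]$report
}

Get-AppCompatArtifacts | ConvertTo-Json -Depth 3
```

The exported AppCompatCache.bin is the input expected by cache parsers such as the ShimCacheParser whitepaper linked under External Links. When working from the exported SYSTEM hive (or one taken from a disk image) instead of the live Registry, note that `CurrentControlSet` is a symbolic link that only exists on a running system; in the offline hive, read the `Current` value under the `Select` key and open the matching `ControlSet00N\Control\Session Manager\AppCompatCache` key.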
