Windows AppCompatibility Cache Utility (wacu)

Introduction

wacu is a command line tool that targets the Windows system registry hive AppCompatibility Cache subkey. It was designed to: (a) extract this type of data from the registry and archive the binary data to a file for later analysis and (b) parse the target data from various sources (live or exported system hive, image of the system volume or from a file containing solely the binary data).

As background, the Application Compatibility Cache is used by the Windows operating system to help identify application compatibility issues with the goal of trying to resolve them, so legacy applications can run on the newer version of the operating system. A search through the registry will show this data is spread across a number of hives, including the user, system and software hives. The Windows operating system looks at the combination of data collected, and/or set by the user, to determine which applications require shims to be used for compatibility purposes.

For the case of wacu, only data from the system hive is analyzed. Specifically, wacu looks to one of the following registry subkeys identified below, depending on the version of the operating system:

	.. for WinXP ..
	HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache

	.. for versions above WinXP ..
	HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache

From a forensics standpoint, the data in the above subkeys gives the investigator insight into which applications were executed on the system. One should note, however, that the presence of a filename in this data does not necessarily mean that the file was executed. With this caveat, the data can be useful in tracking the initial infection vector of malware. This is because, if a user mode application was run on the system, the chances are good it was recorded in this cache data. For those user mode executables recorded, one gets the modification file time for the target binary along with other miscellaneous data.

How to use wacu

wacu has a number of command line switches that can be displayed at the command prompt. Below is a screen shot of these options.

cmd prompt menu

When running wacu on a Windows machine, one can access that machine's system hive directly by using the -livesys switch. For this case, one needs to be run wacu with administrator privileges.

Other options are designed to work on either extracted system hives or NTFS system volume images that contain a system hive. When working with images, one needs to use the offset of the system volume containing the registry hives. The switches for this are -image <image name> and -offset <offset address>.

For the analyst wanting to perform a more detailed analysis on the raw data, wacu has an -extract option to pull the raw AppCompatibility Cache data from the system hive into a designated file. This allows further analysis using one’s own parser, if desired. Furthermore, if one has a binary file of AppCompatibility Cache raw data (perhaps from a memory dump), one can parse the data with the -binary <file containing raw data> switch.

Understanding the Output

There are two main forms of output, both of which use one line per entry parsed. The default output is formatted text, where the fields are nicely space with a pipe delimiter between fields. This is useful when trying to view the output with just a notepad type application. The second output is the standard comma separated value (CSV) output, and it is invoked via the -csv switch.

The other thing to understand about the output is it varies depending on the version of the operating system the hive came from. This is because certain artifacts available in one version of Windows may or may not be available in another version of Windows, as it relates to AppCompatibility Cache artifacts. Therefore, the output generated will be a function of what version of Windows did the system hive originated from. Furthermore, some of the pieces of the data parsed is not fully understood (as far as what is the meaning of the data) by the forensics community at large. For these cases, the raw data will be shown along with a 'best guess' of the interpretation of the data. This guess is based on empirical results, and as more samples are observed over time, the better the refinement of the interpretation. Finally, to ensure clarity, this data will be identified as "experimental" in the column header.

Below are two examples. The first is the output from a Windows XP image used in the older forensics 408 class taught by SANS Institute (xp_dbake.dd). The second example demonstrates the parsing of the system hive from a live Windows 7, 64 bit system. Note the differences in the output between the two operating systems. In the Windows XP case, the entries have an artifact for ordering as well as the file size of the target binary. In the Windows 7 case, these entries are not present, however, two other entries designated as flags are, along with a 'best guess' of the meaning of those flags.

WinXP image parse
Win7 livesys parse

Slack Space in the AppCompatibility Cache

Since the size allocated in the system hive for the AppCompatibility Cache is rather large compared to the rest of the registry, the potential for large slack space is more probable. Slack space defined here is the left over (unused space) that was allocated for that hive cell. To see this visually, one can use yaru v1.29 or above and navigate to the appropriate location. After scrolling towards the end of the data dump, one should see a hexdump for cell slack space. For this particular hive, there was space to hold 3 additional entries. Below is an example screenshot when looking at a Windows 8 system hive.

Due to the structure of the AppCompatibility Cache on Windows 8 and Server 2012, wacu can sparse these entries (on a best effort basis), using the -inc_slack switch.

Win8 slack parse

For more information

The user's guide can be viewed here

If you would like more information about wacu, contact us via email.

Downloads

32-bit Version64-bit Version
Windows:wacu32.v.0.37.win.zipwacu64.v.0.37.win.zipmd5/sha1
Linux:wacu32.v.0.37.lin.tar.gzwacu64.v.0.37.lin.tar.gzmd5/sha1
Mac OS X:wacu.v.0.37.osx.tar.gzwacu.v.0.37.osx.tar.gzmd5/sha1
*32bit apps can run in a 64bit linux distribution if "ia32-libs" (and dependencies) are present.