TZWorks LLC
System Analysis and Programming
www.tzworks.com


TZWorks®
Windows AppCompatibility Cache Utility - wacu

(Version 0.52)



Information about our End User's License Agreements (EULAs)
for software on TZWorks, LLC Website www.tzworks.com

User Agreement

TZWorks LLC software and related documentation ("Software") is governed by separate licenses issued from TZWorks LLC. The User Agreement, Disclaimer, and/or Software may change from time to time. By continuing to use the Software after those changes become effective, you agree to be bound by all such changes. Permission to use the Software is granted provided that (1) use of such Software is in accordance with the license issued to you and (2) the Software is not resold, transferred or distributed to any other person or entity. Refer to your specific EULA issued to for your specific the terms and conditions. There are 3 types of licenses available: (i) for educational purposes, (ii) for demonstration and testing purposes and (iii) business and/or commercial purposes. Contact TZWorks LLC (info@tzworks.com) for more information regarding licensing and/or to obtain a license. To redistribute the Software, prior approval in writing is required from TZWorks LLC. The terms in your specific EULA do not give the user any rights in intellectual property or technology, but only a limited right to use the Software in accordance with the license issued to you. TZWorks LLC retains all rights to ownership of this Software.

Export Regulation

The Software is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations. The Export Control Classification Number (ECCN) for the Software is 5D002, subparagraph C.1. The user shall not, directly or indirectly, export, re-export or release the Software to, or make the Software accessible from, any jurisdiction or country to which export, re-export or release is prohibited by law, rule or regulation. The user shall comply with all applicable U.S. federal laws, regulations and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), prior to exporting, re-exporting, releasing, or otherwise making the Software available outside the U.S.

Disclaimer

The user agrees that this Software made available by TZWorks LLC is experimental in nature and use of the Software is at user's sole risk. The Software could include technical inaccuracies or errors. Changes are periodically added to the information herein, and TZWorks LLC may make improvements and/or changes to Software and related documentation at any time. TZWorks LLC makes no representations about the accuracy or usability of the Software for any purpose.

ALL SOFTWARE ARE PROVIDED "AS IS" AND "WHERE IS" WITHOUT WARRANTY OF ANY KIND INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL TZWORKS LLC BE LIABLE FOR ANY KIND OF DAMAGE RESULTING FROM ANY CAUSE OR REASON, ARISING OUT OF IT IN CONNECTION WITH THE USE OR PERFORMANCE OF INFORMATION AVAILABLE FROM THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY DAMAGES FROM ANY INACCURACIES, ERRORS, OR VIRUSES, FROM OR DURING THE USE OF THE SOFTWARE.

Removal

The Software are the original works of TZWorks LLC. However, to be in compliance with the Digital Millennium Copyright Act of 1998 ("DMCA") we agree to investigate and disable any material for infringement of copyright. Contact TZWorks LLC at email address: info@tzworks.com, regarding any DMCA concerns.


About the wacu Tool (top)

wacu is a command line tool that targets the Windows system registry hive AppCompatibility Cache subkey. It was designed to: (a) extract this type of data from the registry and archive the binary data to a file for later analysis, and (b) parse the target data from various sources (live or exported system hive, image of the system volume or from a file containing solely the binary data).

As background, the Application Compatibility Cache is used by the Windows operating system to help identify application compatibility issues with the goal of trying to resolve them so that legacy applications can run on the newer version of the operating system. A search through the registry will show this data is spread across a number of hives, including the user, system and software hives. The Windows operating system looks at the combination of data collected, and/or set by the user, to determine which applications require shims to be used for compatibility purposes.

For the case of wacu, only data from the system hive is analyzed. Specifically, wacu looks to one of the following registry subkeys identified below, depending on the version of the operating system:

	.. for WinXP ..
	HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache

	.. for versions above WinXP ..
	HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache

From a forensics standpoint, the data in the above subkeys gives the investigator insight into which applications were executed on the system. One should note, however, that the presence of a filename in this data does not necessarily mean that the file was executed. With this caveat, the data can be useful in tracking the initial infection vector of malware. This is because, if a user mode application was run on the system, the chances are good it was recorded in this cache data. For those user mode executables recorded, one gets the modification file time for the target binary along with other miscellaneous data.

To use this tool, an authentication file is required to be in the same directory as the binary in order for the tool to run.


How to use wacu (top)

Since wacu is a command line tool, one will need to open the command prompt. If trying to target a live registry hive, one needs to be running with admin privileges.

Below is the menu with the various options. Details of each option can be found here.

    Usage:
 
      wacu -livesys                       = parse from live target
      wacu -hive <system hive>            = parse from specified hive
      wacu -image <file> [-offset <vol>]  = use image as source
      wacu -vmdk "file1 | file2 | .."     = use VMWare VMDK vol
      wacu -binary <app compat file>      = parse raw data [16 MB max]
      wacu -extract <syshive> -out <file> = *** extract data into file
      wacu -vss <num>                     = Volume Shadow parse

     Basic options
      -csv                      = output in comma separated value format
      -csvl2t                   = log2timeline output
      -bodyfile                 = sleuthkit output

     Additional options
      -base10                   = output number in base10 vice hex output
      -hostname <name>          = output will contain this hostname
      -dateformat mm/dd/yyyy    = "yyyy-mm-dd" is the default
      -timeformat hh:mm:ss      = "hh:mm:ss.xxx" is the default
      -pair_datetime            = combine date/time into 1 field for csv
      -no_whitespace            = remove whitespace between csv delimiter
      -csv_separator "|"        = use a pipe char for csv separator
      -pipe                     = pipe hives into wacu for processing
      -pipe_binary              = *** pipe binary app compat files into wacu
      -inc_slack                = process any slack space (win8 only)
      -sort_by_name             = sort by path/file
      -filter <*partial*|*.ext> = filters stdin data from -pipe option
 
     Experimental options
      -all_controlsets          = process all ControlSets vice default

Targeting a live system

When targeting a live system, one only need use the -livesys switch and run with administrative privileges. Below is an example:

	wacu -livesys > results.txt

The above command will generate a file with a listing of entries recorded in the shim cache.

Targeting an Exported Hive

By using the -hive switch and passing in the desired system hive, one can analyzed an exported hive. In this mode, no special permissions are needed as long as read access is available to read the exported hive. Below is an example of the syntax:

	wacu -hive <system hive name> > results.txt

Targeting a 'dd' Image of an NTFS Volume or Disk

When processing a system hive from a system volume or disk, containing a system volume, one needs to specify the offset of the volume as part of the command. In those cases, where a 'dd' image was just of the system volume and not of the entire drive, the offset is zero. Below is an example of targeting a 'dd' image of the disk:

	wacu -image <name of image> -offset <system volume offset from start of disk> > results.txt

Targeting a VMWare drive with an NTFS system volume.

When processing a system hive from a VMWare monolithic NTFS formatted volume, one needs to consider what snapshot should be analyzed. The syntax shown below allows for several VMDK disks to be specified that make up one snapshot. Below is an example of how to chain 3 VMDK files together:

	wacu -vmdk "<disk1> | <disk2> | <disk3>" > results.txt

Other Switches

The above examples are the main ones on how to parse an exported hive, mounted volume containing a hive or an image containing a hive. There are various other switches that can be used to specify different formatting options. Those are outlined in a follow-up section.


Handling Volume Shadow Copies (top)

For starters, to access Volume Shadow copies, one needs to be running with administrator privileges. Also, it is important to note that, Volume Shadow copies as is discussed here, only applies to Windows Vista, Win7, Win8, and beyond. It does not apply to Windows XP.

There are 2 options available to pointing to the system hive on a Volume Shadow. The first option follows the format of the other tools and uses the built in shortcut syntax to access a specified Volume Shadow copy, via the %vss% keyword. This internally gets expanded into \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy. Thus, to access index 1 of the volume shadow copy, one would combine the keyword and index, index, (eg. %vss%1) in front of the normal path of the file. For example, to access system hive from the HarddiskVolumeShadowCopy1 snapshot, the following syntax can be used:

    wacu -hive %vss%1\Windows\System32\Config\System > results.txt

The second option uses the option -vss <index of volume shadow>, which tells wacu to pull the system hive from the Volume Shadow index specified and to parse it. Below is an example:

    wacu -vss 1  > results.txt

To determine which indexes are available from the various Volume Shadows, one can use the Windows built-in utility vssadmin, as follows:

    vssadmin list shadows

    -- or to filter out extraneous detail --
    
    vssadmin list shadows | find /i "volume"

While the amount of data can be voluminous from that above command, the keywords one needs to look for are names that look like this:


    Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
    Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
    ...

From the example above, notice the number after the word HarddiskvolumeShadowCopy. This would be the number that is passed as an argument to the previous options.


Understanding the output (top)

There are two main forms of output, both of which use one line per entry parsed. The default output is formatted text, where the fields are nicely space with a pipe delimiter between fields. This is useful when trying to view the output with just a notepad type application. The second output is the standard comma separated value (CSV) output, and it is invoked via the -csv switch.

One caveat with the CSV option, is since the field separators are commas, there is the possibility that filenames may have a comma(s) as part of their name. If this happens, than the field separators will be misaligned for that entry. Therefore, to maintain alignment of the data, wacu will internally replace any commas in the name to spaces. This behavior is only done if commas are used as the field delimiter. If this is a concern, one is recommended to change the default comma delimiter (in the -csv option) to a pipe '|' delimiter, via the -csv_separator "|" option.

The other thing to understand about the output is it varies depending on the version of the operating system the hive came from. This is because certain artifacts available in one version of Windows may or may not be available in another version of Windows, as it relates to AppCompatibility Cache artifacts. Therefore, the output generated will be a function of what version of Windows did the system hive originated from. Furthermore, some of the pieces of the data parsed is not fully understood (as far as what is the meaning of the data) by the forensics community at large. For these cases, the raw data will be shown along with a 'best guess' of the interpretation of the data. This guess is based on empirical results, and as more samples are observed over time, the better the refinement of the interpretation. Finally, to ensure clarity, this data will be identified as "experimental" in the column header.


List of options (top)

Option Description
-hive Use this specified target hive to process artifacts from. Syntax is -hive <hive file>
-livesys Targets the active system hive of the running computer. Requires administrative privileges.
-binary Parse the application cache raw data from a file. This assumes one has extracted just the data portion of the application cache from the appropriate registry value and saved it to a file. One can use the -extract option to do this. Syntax is -binary <app compat file>
-extract Extract just the application cache data from the system hive and save the binary data to a file. Syntax is -extract <system hive> -out <file to save data>
-image Extract application compatibility cache artifacts from a volume specified by an image and volume offset. The image is assumed to be in 'dd' (bit-for-bit identical) format to the original volume. The offset specified, should be the volume containing the Windows directory. The syntax is -image <filename> -offset <volume offset>
-vmdk Extract artifacts from a VMWare monolithic NTFS formatted volume. The syntax is -vmdk <disk name>. For a collection of VMWare disks that include snapshots, one can use the following syntax: -vmdk "<disk1> | <disk2> | ..."
-vss Experimental. Extract artifacts from Volume Shadow. The syntax is -vss <index number of shadow copy>. Only applies to Windows Vista, Win7, Win8 and beyond. Does not apply to Windows XP.
-csv Outputs the data fields delimited by commas. Since filenames can have commas, to ensure the fields are uniquely separated, any commas in the filenames get converted to spaces.
-csvl2t Outputs the data fields in accordance with the log2timeline format.
-bodyfile Outputs the data fields in accordance with the 'body-file' version3 specified in the SleuthKit. The date/timestamp outputted to the body-file is in terms of UTC. So if using the body-file in conjunction with the mactime.pl utility, one needs to set the environment variable TZ=UTC.
-base10 Ensure all size/address outputs are displayed in base-10 format versus hexadecimal format. Default is hexadecimal format.
-hostname Option is used to populate the output records with a specified hostname. The syntax is -hostname <name to use>.
-inc_slack Experimental option. If there is any slack in the application cache value in the registry, it will try to parse that data as well. Currently only works with Windows 8.
-sort_by_name Sorts the entries outputted by name vice sequence found in the data.
-pipe Used to pipe system hives into the tool via STDIN (standard input). Each system hive passed in is parsed in sequence.
-enumdir Experimental. Used to process files within a folder and/or subfolders. Each file is parsed in sequence. The syntax is -enumdir <"folder"> -num_subdirs <#>.
-filter Filters data passed in via stdin via the -pipe option. The syntax is -filter <"*.ext | *partialname* | ...">. The wildcard character '*' is restricted to either before the name or after the name.
-pipe_binary Used to pipe raw artifact data stored in separate files into the tool via STDIN (standard input). Assumes artifact data is in binary format.
-no_whitespace Used in conjunction with -csv option to remove any whitespace between the field value and the CSV separator.
-csv_separator Used in conjunction with the -csv option to change the CSV separator from the default comma to something else. Syntax is -csv_separator "|" to change the CSV separator to the pipe character. To use the tab as a separator, one can use the -csv_separator "tab" OR -csv_separator "\t" options.
-dateformat Output the date using the specified format. Default behavior is -dateformat "yyyy-mm-dd". Using this option allows one to adjust the format to mm/dd/yy, dd/mm/yy, etc. The restriction with this option is the forward slash (/) or dash (-) symbol needs to separate month, day and year and the month is in digit (1-12) form versus abbreviated name form.
-timeformat Output the time using the specified format. Default behavior is -timeformat "hh:mm:ss.xxx" One can adjust the format to microseconds, via "hh:mm:ss.xxxxxx" or nanoseconds, via "hh:mm:ss.xxxxxxxxx", or no fractional seconds, via "hh:mm:ss". The restrictions with this option is that a colon (:) symbol needs to separate hours, minutes and seconds, a period (.) symbol needs to separate the seconds and fractional seconds, and the repeating symbol 'x' is used to represent number of fractional seconds. (Note: the fractional seconds applies only to those time formats that have the appropriate precision available. The Windows internal filetime has, for example, 100 nsec unit precision available. The DOS time format and the UNIX 'time_t' format, however, have no fractional seconds). Some of the times represented by this tool may use a time format without fractional seconds and therefore will not show a greater precision beyond seconds when using this option.
-pair_datetime Output the date/time as 1 field vice 2 for csv option
-all_controlsets process all ControlSet00x's vice default, which is the CurrentControlSet
-utf8_bom All output is in Unicode UTF-8 format. If desired, one can prefix an UTF-8 byte order mark to the CSV output using this option.

CSV field definitions (top)

Field Definition
reg date Last modify date one of the entries in the parent key was modified
reg-UTC Last modify time in UTC one of the entries in the parent key was modified
file mod Date the application/library was modified in this entry
time-UTC (after file mod) Time the application/library was modified in this entry
entry index of the entry
flags1 First set of flags indicating specifics how the application should run
flags2 Second set of flags relating to shim parameters
meaning Translation of some of the flags
Path/file path/filename of the application/library this entry targets

Known Issues (top)

  1. If running on a Windows operating system post XP and running under admin permissions, any network shares established prior as a regular (non-admin) user, will be isolated from other accounts (including the admin account). This problem occurs because User Account Control (UAC) treats members of the Administrators group as standard users. Therefore, network shares that are mapped by logon scripts are shared with the standard user access token instead of with the full administrator access token.

Authentication and License File (top)

This tool has authentication built into the binary. The primary authentication mechanism is the digital X509 code signing certificate embedded into the binary (Windows and macOS).

The other mechanism is the runtime authentication, which applies to all the versions of the tools (Windows, Linux and macOS). The runtime authentication ensures that the tool has a valid license. The license needs to be in the same directory of the tool for it to authenticate. Furthermore, any modification to the license, either to its name or contents, will invalidate the license.

Limited versus Demo versus Full in the tool's output banner

The tools from TZWorks will output header information about the tool's version and whether it is running in limited, demo or full mode. This is directly related to what version of a license the tool authenticates with. The limited and demo keywords indicates some functionality of the tool is not available, and the full keyword indicates all the functionality is available. The lacking functionality in the limited or demo versions may mean one or all of the following: (a) certain options may not be available, (b) certain data may not be outputted in the parsed results, and (c) the license has a finite lifetime before expiring.


Version history (top)


References (top)

  1. Leveraging the Application Compatibility Cache in Forensic Investigations, by Andrew Davis, Mandiant
  2. http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx
  3. http://www.alex-ionescu.com/?p=41