Application compatibility cache
The Application compatibility cache can be found in the following Windows Registry keys.
In Windows 2000 and XP:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility
In Windows 2003 and later:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Note that several sources claim that the Application Compatibility Cache is part of the Application Compatibility Database. However unfortunately these claims are not backed by sources or facts. Since the previous article does not mention the relationship between the cache and the database, this document the Application Compatibility Cache to part of the Windows Application Compatibility subsystem instead.
Note that the actual difference between the Application Compatibility Cache and Shim (Database) Cache is currently unknown. Be aware that in other sources the terms can be used interchangeable. Since MSDN explicitly defines BaseFlushAppcompatCache and ShimFlushCache, there is likely a subtle difference to what data is cached. Also see: Understanding Shims.
Windows 2000
Windows 2000 stores Application Compatibility related data in subkeys in:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility
At this time it is unclear if these subkeys serve the same purpose as the AppCompatCache value in later versions of Windows.
The subkeys are named as the executable files e.g. Uninstall.exe and have been
seen to contain the following values:
| Name | Data type | Description |
|---|---|---|
| %NAME% | Unknown (seen: x, 462) | |
| DllPatch-%NAME% | Unknown |
Also seen values named like 00008 WindowsNT4.0.
Windows 2000 unknown value
The Windows 2000 unknown value is variable of size and consists of:
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 4 | 0x0000000c | Unknown 1 (header size?) |
| 4 | 4 | Unknown 2 (empty values) | |
| 8 | 4 | Unknown 3 | |
| 12 | 4 | Unknown 4 |
Contains additional data if “Unknown 4 > 0”
Empty?
00000000 0c 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 |................|
With data:
00000000 0c 00 00 00 00 00 00 00 06 00 00 00 04 00 00 00 |................|
00000010 10 00 00 00 00 00 00 00 00 00 15 00 ff ff ff ff |................|
00000020 ff ff ff ff 0f 00 00 00 |........(...A.u.|
Sting byte size followed by string:
00000020 28 00 00 00 41 00 75 00 |........(...A.u.|
00000030 74 00 6f 00 43 00 41 00 44 00 20 00 41 00 70 00 |t.o.C.A.D. .A.p.|
00000040 70 00 6c 00 69 00 63 00 61 00 74 00 69 00 6f 00 |p.l.i.c.a.t.i.o.|
00000050 6e 00 00 00 |n.......|
00000050 00 00 00 00 |n.......|
Windows 2000 DllPatch value
The Windows 2000 DllPatch value is variable of size and contains an UTF-16 little-endian formatted string with end-of-string character e.g. ‘shcmn.dll 7’.
It is currently unclear what the trailing number represents.
Windows XP
Windows XP stores the application compatibility cache in the value: AppCompatCache.
The value data consists of:
header
array of LRU cache entry index values
array of cache entries (suggested that the maximum is 92)
Note that 64-bit versions of Windows XP will use the Windows 2003 64-bit format.
Windows XP application compat cache header
The Windows XP application compat cache header is 400 bytes of size and consists of:
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 4 | 0xef, 0xbe, 0xad, 0xde | Signature |
| 4 | 4 | Number of cached entries | |
| 8 | 4 | Number of LRU array entries | |
| 12 | 4 | Unknown (empty values) | |
| 16 | ... | LRU array Contains 32-bit value of the index within the array of cache entries Currently it is unclear if the top or the bottom of the array is the LRU |
|
| ... | ... | Unknown (padding?) Contains 0-byte values |
Windows XP 32-bit application compat cache entry
The Windows XP 32-bit application compat cache entry is 552 bytes of size and consists of:
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 2 x ( MAX_PATH + 4 ) = 528 | Path UTF-16 little-endian string with end-of-character Note that the unused bytes can contain remnant data |
|
| 528 | 8 | Last modification time Contains a FILETIME |
|
| 536 | 8 | File size | |
| 544 | 8 | Last update time Contains a FILETIME |
Note that the last modification time applies to that of the file e.g. for NTFS this is the last modified time of the file as stored in the $STANDARD_INFORMATION attribute.
Windows 2003
Windows 2003 stores the application compatibility cache in the value: AppCompatCache
The value data consists of:
header
array of cache entries (suggested that the maximum is 512)
string data
Windows 2003 application compat cache header
The Windows 2003 application compat cache header is 8 bytes of size and consists of:
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 4 | 0xfe, 0x0f, 0xdc, 0xba | Signature |
| 4 | 4 | Number of cached entries |
Windows 2003 32-bit application compat cache entry
The Windows 2003 32-bit application compat cache entry is 24 bytes of size and consists of:
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 2 | Path size | |
| 2 | 2 | Maximum path size | |
| 4 | 4 | Path offset The offset value is relative to the start of the header |
|
| 8 | 8 | Last modification time Contains a FILETIME |
|
| 16 | 8 | File size |
Note that the last modification time applies to that of the file e.g. for NTFS this is the last modified time of the file as stored in the $STANDARD_INFORMATION attribute.
Windows 2003 64-bit application compat cache entry
The Windows 2003 64-bit application compat cache entry is 32 bytes of size and consists of:
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 2 | Path size | |
| 2 | 2 | Maximum path size | |
| 4 | 4 | Unknown (padding) | |
| 8 | 8 | Path offset The offset value is relative to the start of the header |
|
| 16 | 8 | Last modification time Contains a FILETIME |
|
| 24 | 8 | File size |
Note that the last modification time applies to that of the file e.g. for NTFS this is the last modified time of the file as stored in the $STANDARD_INFORMATION attribute.
Windows Vista and 2008
Windows Vista and 2008 store the application compatibility cache in the value: AppCompatCache
The value data consists of:
header
array of cache entries (suggested that the maximum is 1024)
string data
[NOTE] If the cache is empty it will only consists of a header.
Windows Vista application compat cache header
The Windows Vista application compat cache header is 8 bytes of size and consists of:
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 4 | 0xfe, 0x0f, 0xdc, 0xba | Signature |
| 4 | 4 | Number of cached entries |
Windows Vista 32-bit application compat cache entry
The Windows Vista 32-bit application compat cache entry is 24 bytes of size and consists of:
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 2 | Path size | |
| 2 | 2 | Maximum path size | |
| 4 | 4 | Path offset The offset value is relative to the start of the header |
|
| 8 | 8 | Last modification time Contains a FILETIME |
|
| 16 | 4 | Insertion flags | |
| 20 | 4 | Shim flags |
Note that the last modification time applies to that of the file e.g. for NTFS this is the last modified time of the file as stored in the $STANDARD_INFORMATION attribute.
Windows Vista 64-bit application compat cache entry
The Windows Vista 64-bit application compat cache entry is 32 bytes of size and consists of:
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 2 | Path size | |
| 2 | 2 | Maximum path size | |
| 4 | 4 | Unknown (padding) | |
| 8 | 8 | Path offset The offset value is relative to the start of the header |
|
| 16 | 8 | Last modification time Contains a FILETIME |
|
| 24 | 4 | Insertion flags | |
| 28 | 4 | Shim flags |
Note that the last modification time applies to that of the file e.g. for NTFS this is the last modified time of the file as stored in the $STANDARD_INFORMATION attribute.
Windows 7 and 2008 R2
Windows 7 and 2008 R2 store the application compatibility cache in the value: AppCompatCache
The value data consists of:
header
array of cache entries (suggested that the maximum is 1024)
data
string data
Windows 7 application compat cache header
The Windows 7 application compat cache header is 128 bytes of size and consists of:
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 4 | 0xee, 0x0f, 0xdc, 0xba | Signature |
| 4 | 4 | Number of cached entries | |
| 8 | 4 | 120 | Unknown (size?) |
| 12 | 116 | Unknown (cache statistics?) |
Windows 7 32-bit application compat cache entry
The Windows 7 32-bit application compat cache entry is 32 bytes of size and consists of:
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 2 | Path size The byte of the path without the end-of-string character |
|
| 2 | 2 | Maximum path size The byte of the path with the end-of-string character |
|
| 4 | 4 | Path offset The offset value is relative to the start of the header |
|
| 8 | 8 | Last modification time Contains a FILETIME |
|
| 16 | 4 | Insertion flags | |
| 20 | 4 | Shim flags | |
| 24 | 4 | Data size | |
| 28 | 4 | Data offset The offset value is relative to the start of the header |
Note that the last modification time applies to that of the file e.g. for NTFS this is the last modified time of the file as stored in the $STANDARD_INFORMATION attribute.
Windows 7 64-bit application compat cache entry
The Windows 7 64-bit application compat cache entry is 48 bytes of size and consists of:
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 2 | Path size The byte of the path without the end-of-string character |
|
| 2 | 2 | Maximum path size The byte of the path with the end-of-string character |
|
| 4 | 4 | Unknown (padding) | |
| 8 | 8 | Path offset The offset value is relative to the start of the header |
|
| 16 | 8 | Last modification time Contains a FILETIME |
|
| 24 | 4 | Insertion flags | |
| 28 | 4 | Shim flags | |
| 32 | 8 | Data size | |
| 40 | 8 | Data offset The offset value is relative to the start of the header |
Note that the last modification time applies to that of the file e.g. for NTFS this is the last modified time of the file as stored in the $STANDARD_INFORMATION attribute.
Windows 8
Windows 8 store the application compatibility cache in the value: AppCompatCache
The value data consists of:
header
array of cache entries
Windows 8 application compat cache header
The Windows 8 application compat cache header is 128 bytes of size and consists of:
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 4 | 128 | Header size (or cache entry array offset) |
| 4 | 4 | Unknown | |
| 8 | 120 | Unknown |
Windows 8.0 application compat cache entry
The Windows 8.0 application compat cache entry is variable bytes of size and consists of:
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 4 | "00ts" | Signature |
| 4 | 4 | Unknown | |
| 8 | 4 | Cache entry data size The size of the cache entry without the first 12 bytes |
|
| 12 | 2 | Path size | |
| 14 | ... | Path UTF-16 little-endian string without end-of-character |
|
| ... | 4 | Unknown (Insertion flags?) | |
| ... | 4 | Unknown (Shim flags?) | |
| ... | 8 | Last modification time Contains a FILETIME |
|
| ... | 4 | Data size | |
| ... | ... | Data |
Note that the last modification time applies to that of the file e.g. for NTFS this is the last modified time of the file as stored in the $STANDARD_INFORMATION attribute.
Windows 8.1 application compat cache entry
The Windows 8.1 application compat cache entry is variable bytes of size and consists of:
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 4 | "10ts" | Signature |
| 4 | 4 | Unknown | |
| 8 | 4 | Cache entry data size The size of the cache entry without the first 12 bytes |
|
| 12 | 2 | Path size | |
| 14 | ... | Path UTF-16 little-endian string without end-of-character |
|
| ... | 4 | Unknown (Insertion flags?) | |
| ... | 4 | Unknown (Shim flags?) | |
| ... | 2 | Unknown | |
| ... | 8 | Last modification time Contains a FILETIME |
|
| ... | 4 | Data size | |
| ... | ... | Data |
Note that the last modification time applies to that of the file e.g. for NTFS this is the last modified time of the file as stored in the $STANDARD_INFORMATION attribute.
Windows 10
Windows 10 store the application compatibility cache in the value: AppCompatCache
The value data consists of:
header
array of cache entries
Windows 10 application compat cache header
The Windows 10 application compat cache header is 48 bytes of size and consists of:
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 4 | 48 | Header size (or cache entry array offset) |
| 4 | 4 | Unknown | |
| 8 | 4 | Unknown (empty values) | |
| 12 | 4 | Unknown | |
| 16 | 4 | Unknown | |
| 20 | 16 | Unknown (empty values) | |
| 36 | 4 | Number of cached entries | |
| 40 | 8 | Unknown (empty values) |
The Windows 10 Creator update application compat cache header is 52 bytes of size and consists of:
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 4 | 52 | Header size (or cache entry array offset) |
| 4 | 4 | Unknown | |
| 8 | 4 | Unknown (empty values) | |
| 12 | 4 | Unknown | |
| 16 | 4 | Unknown | |
| 20 | 8 | Unknown (empty values) | |
| 28 | 4 | Unknown | |
| 32 | 8 | Unknown (empty values) | |
| 40 | 4 | Number of cached entries | |
| 44 | 8 | Unknown (empty values) |
Windows 10 application compat cache entry
The Windows 10 application compat cache entry is variable bytes of size and consists of:
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 4 | "10ts" | Signature |
| 4 | 4 | Unknown | |
| 8 | 4 | Cache entry data size The size of the cache entry without the first 12 bytes |
|
| 12 | 2 | Path size | |
| 14 | ... | Path UTF-16 little-endian string without end-of-character |
|
| ... | 8 | Last modification time Contains a FILETIME |
|
| ... | 4 | Data size | |
| ... | ... | Data |
Note that the last modification time applies to that of the file e.g. for NTFS this is the last modified time of the file as stored in the $STANDARD_INFORMATION attribute.
Insertion flags
TODO describe
| Value | Identifier | Description |
|---|---|---|
| 0x00000001 | ||
| 0x00000002 | Indicated as executed by CSRSS.EXE flag Client/Server Runtime Subsystem (CSRSS) |
|
| 0x00000004 | ||
| 0x00000008 | ||
| 0x00000010 | Unknown (Seen in Windows 8.0, 8.1) | |
| 0x00000020 | Unknown (Seen in Windows 8.0, 8.1) | |
| 0x00000040 | Unknown (Seen in Windows 8.0, 8.1) | |
| 0x00000080 | Unknown (Seen in Windows 8.0, 8.1) | |
| 0x00010000 | Unknown (Seen in Windows 8.1) | |
| 0x00020000 | Unknown (Seen in Windows 8.1) | |
| 0x00030000 | Unknown (Seen in Windows 8.1) | |
| 0x00040000 | Unknown (Seen in Windows 8.1) | |
| 0x00100000 | Unknown (Seen in Windows 8.1) | |
| 0x00200000 | Unknown (Seen in Windows 8.1) | |
| 0x00400000 | Unknown (Seen in Windows 8.1) | |
| 0x00800000 | Unknown (Seen in Windows 8.1) |
Shim flags
TODO describe
| Value | Identifier | Description |
|---|---|---|
| 0x00000001 | Unknown (Has data?) | |
| 0x00000020 | ||
| 0x00000100 | Unknown (Seen in Windows 7) | |
| 0x00001000 | Unknown (Seen in Windows 7, 8.0) | |
| 0x00010000 | Unknown (Seen in Windows 8.0, 8.1) | |
| 0x00020000 | Unknown (Seen in Windows 8.0) | |
| 0x00100000 | Unknown (Seen in Windows 8.1) | |
| 0x00200000 | Unknown (Seen in Windows 8.1) | |
| 0x01000000 | Unknown (Seen in Windows 8.0, 8.1) | |
| 0x02000000 | Unknown (Seen in Windows 8.0) | |
| 0x10000000 | Unknown (Seen in Windows 8.1) |
Data
TODO describe
Notes
https://technet.microsoft.com/en-us/library/cc787360(v=ws.10).aspx
Are these related?
0x00000001 MS-DOS-based program
0x00000002 OS/2-based program
0x00000004 Windows-based 16-bit program
0x00000008 Windows-based 32-bit program
0x0000000C Windows-based 16-bit and 32-bit program
0x0000000F Any version of a program
0x00000010 Return user name instead of computer name for GetComputerName.
0x00000020 Return Terminal Server build number instead of Windows 2000 build number for GetVersion.
0x00000040 Synchronize user .ini file to system version.*
0x00000080 Do not substitute user \Windows directory.**
0x00000100 Disable registry mapping for program or registry key.
0x00000200 Per-object user/system global mapping
0x00000400 Return system \Windows directory instead of user \Windows directory for GetWindowsDir.
0x00000800 Limit the reported physical memory for GlobalMemoryStatus.
0x00001000 Log object creation to file.
0x20000000 Do not put program to sleep on unsuccessful keyboard polling (Windows-based 16-bit programs only).
Related DLLs:
apphelp.dll; related to “AppHelp” functionality and Application Compatibility database
kernel32.dll; base cache management functionality
Is the Application compatibility cache in Windows also referred to as AppHelpCache?
AppHelp: https://msdn.microsoft.com/en-us/library/bb432181(v=vs.85).aspx
Different shim types? MSIE and RPC shim types?
Related Registry keys:
HKLM\Sofware\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
Flushing the cache Windows Vista and later:
Rundll32.exe apphelp.dll,ShimFlushCache
Flushing the cache Windows XP and Windows Server 2003
Rundll32.exe kernel32.dll,BaseFlushAppcompatCache