--------------------------------------------------------------------------------
Submitters
--------------------------------------------------------------------------------
- Author(s): Fred House (Mandiant, a FireEye Company)
+ Author(s): Fred House (Mandiant, a FireEye Company) - Twitter: @ 0xF2EDCA5A
Andrew Davis (Mandiant, a FireEye Company)
- Claudiu Teodorescu (Mandiant, a FireEye Company)
+ Claudiu Teodorescu (Mandiant, a FireEye Company) - Twitter: @ cteo13
Date: 2015-09-29
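Review bot: the Twitter handles on the two `+` lines are written with a space after the at sign (`Twitter: @ 0xF2EDCA5A`, `Twitter: @ cteo13`), so the handle is split in two and will not read or link as a handle; drop the space (`Twitter: @0xF2EDCA5A`, `Twitter: @cteo13`) or give the full profile URL instead. While touching this list, the Andrew Davis entry is the only one left without a contact field, so the Submitters block is now inconsistent; either add one or note that it is intentionally omitted.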
@@ -43,6 +43,15 @@ How to use
| | | shim cache entry. Intended to facilitate |
| | | additional forensic analysis of the memory |
| | | image. |
+ | | | |
+ | -i | --ignore_win_apps | On Windows 10, the shim cache contains entries |
+ | | | for Windows apps, which are in a format that is |
+ | | | not parsed by this plugin. This option excludes |
+ | | | these entries from the output. |
+ | | | |
+ | | --system_name | An optional system name to add as a column to |
+ | | | the output. |
+ | | | |
---------------------------------------------------------------------------
```
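Review bot: the `-i | --ignore_win_apps` row says that on Windows 10 the shim cache contains entries for Windows apps in a format this plugin does not parse, but it never says what happens to those entries when the option is not given, which is exactly what an analyst needs in order to judge whether the default output is complete; state in the row whether such entries are still listed with their fields left unparsed, dropped silently, or reported with a warning when `-i` is absent, and ideally whether a count of excluded entries is shown when it is present. Minor: `--system_name` is the only option in the table without a short flag (its first column is blank); if that is deliberate, fine, otherwise add one so the rows are consistent.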
@@ -63,5 +72,5 @@ request a system reboot.
This plugin parses the shim cache directly from the module or process containing
the cache, thereby providing analysts access to the most up-to-date cache. The
- plugin supports Windows XP SP2 through Windows 2012 R2 on both 32 and 64
+ plugin supports Windows XP SP2 through Windows 10 on both 32 and 64
bit architectures.
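Review bot: the new `+` line widens the support claim to "Windows XP SP2 through Windows 10" without the caveat this same change records in the `--ignore_win_apps` row, namely that Windows 10 shim cache entries for Windows apps are in a format the plugin does not parse; qualify the sentence so the README's support statement and the option table agree, for example by continuing it with "on Windows 10, entries for Windows apps are not parsed (see --ignore_win_apps)". Also, the removed line named Windows 2012 R2 explicitly while the new one relies on "through Windows 10" to cover it; consider keeping the server releases named so readers do not have to infer that Windows 2012 R2 is still supported.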