Hi,
Have you guys ever analyzed a Windows system on which you saw a binary reference in the AppCompatCache key, but not in other usual execution locations ? Is that possible at all, in which cases ?
Thank you very much -)
…not in other usual execution locations ?
Which version of Windows, and what "other usual execution locations"?
Well my question is generic, I have not seen such a situation yet, I was just wondering about it.
By "usual execution locations" I could list all the content of your blog post "There are Four Lights Program Execution " I guess 😉
I can't say that I've seen it, but also, I haven't really looked for it.
I had one case a while back where I found a Prefetch file for "0.exe" and a reference to the file in the appcompatcache.pl output. However, I have had cases there I had no Prefetch files, but those were Win2008R2 systems.
Without more specific information, it is something of a general/ambiguous question…something I'll start looking out for, though.
By "usual execution locations" I could list all the content of your blog post "There are Four Lights Program Execution " I guess 😉
Ah, okay, I was wondering (sort of hoping) that you had a list of those locations that you used.