3.4.2 Shim Artifacts

At this point, you have an understanding of how a shim can be used to load a DLL into the address space of a target process. Before we look at how attackers use the shim, it is essential to understand what artifacts are created when you install the shim database (either by right-clicking on the database and selecting Install or using the sdbinst.exe utility). When you install the database, the installer creates a GUID for the database and copies the .sdb file into %SystemRoot%\AppPatch\Custom\<GUID>.sdb (for 32-bit shims) or %SystemRoot%\AppPatch\Custom\Custom64\<GUID>.sdb (for 64-bit shims). It also creates two registry entries in the following registry keys:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB

The following screenshot shows the registry entry created in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom. This registry entry contains the name of the program for which the shim is applied, and the associated shim database file (<GUID>.sdb):

The second registry key, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB, contains the database information and the installation path of the shim database file:

These artifacts are created so that, when the shimmed application is executed, the loader can determine whether the application needs to be shimmed by consulting these registry entries; it then invokes the shim engine, which uses the configuration from the .sdb file located in the AppPatch directory to shim the application. One more artifact created by installing the shim database is an entry added to the list of installed programs in the Control Panel.
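As an added example (not code from the book), the following PowerShell triage script walks the two registry keys and the AppPatch\Custom directories described above and flags mismatches between them: registered databases whose .sdb file is missing, and .sdb files on disk that no registry entry references. The value names DatabasePath, DatabaseDescription and DatabaseInstallTimeStamp under InstalledSDB\<GUID> are assumed from what sdbinst.exe writes and are not named in the text.

```powershell
# Added example, not code from the book: triage the shim artifacts described above.
# Assumed (not stated in the text): value names DatabasePath, DatabaseDescription and
# DatabaseInstallTimeStamp under InstalledSDB\<GUID>, as written by sdbinst.exe.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

function Get-InstalledShimDatabases {
    # One object per registered database, checking that the .sdb it points to still exists
    Get-ChildItem -Path "$base\InstalledSDB" -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $path  = [Environment]::ExpandEnvironmentVariables([string]$props.DatabasePath)
        $ts    = $props.DatabaseInstallTimeStamp        # QWORD FILETIME, if present
        $installed = if ($ts) { [DateTime]::FromFileTime([int64]$ts) }
        [pscustomobject]@{
            Guid        = $_.PSChildName
            Description = $props.DatabaseDescription
            Path        = $path
            FileExists  = Test-Path -LiteralPath $path
            Installed   = $installed
        }
    }
}

function Get-ShimmedPrograms {
    # Map each program name under Custom to the <GUID>.sdb value(s) registered for it
    Get-ChildItem -Path "$base\Custom" -ErrorAction SilentlyContinue | ForEach-Object {
        $program = $_.PSChildName
        foreach ($value in $_.GetValueNames()) {
            if ($value -like '*.sdb') { [pscustomobject]@{ Program = $program; Database = $value } }
        }
    }
}

function Find-OrphanShimFiles {
    # .sdb files in the AppPatch\Custom directories that no InstalledSDB entry references
    $registered = @(Get-InstalledShimDatabases | ForEach-Object { $_.Path })
    $dirs = "$env:SystemRoot\AppPatch\Custom", "$env:SystemRoot\AppPatch\Custom\Custom64"
    Get-ChildItem -Path $dirs -Filter *.sdb -File -ErrorAction SilentlyContinue |
        Where-Object { $registered -notcontains $_.FullName }
}

Get-InstalledShimDatabases | Format-Table -AutoSize
Get-ShimmedPrograms       | Format-Table -AutoSize
Find-OrphanShimFiles      | Select-Object FullName, LastWriteTime
```

Run from an elevated prompt; a program listed under Custom whose GUID has no InstalledSDB entry, or an orphan file in AppPatch\Custom, is worth a closer look.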
