3.4.4 Analyzing The Shim Database

To shim an application, an attacker installs the shim database (.sdb), which resides somewhere on the victim's filesystem. Assuming that you have identified the .sdb file used in the malicious activity, you can investigate the .sdb file by using a tool such as sdb-explorer (https://github.com/evil-e/sdb-explorer) or python-sdb (https://github.com/williballenthin/python-sdb). 

In the following example, the python-sdb tool was used to investigate the shim database (.sdb) file that we created earlier. Running python-sdb on the shim database displays its elements as shown here:

$ python sdb_dump_database.py notepad.sdb
<DATABASE>
<TIME type='integer'>0x1d3928964805b25</TIME>
<COMPILER_VERSION type='stringref'>2.1.0.3</COMPILER_VERSION>
<NAME type='stringref'>notepad</NAME>
<OS_PLATFORM type='integer'>0x1</OS_PLATFORM>
<DATABASE_ID type='guid'>ed41a297-9606-4f22-93f5-b37a9817a735</DATABASE_ID>
<LIBRARY>
</LIBRARY>
<EXE>
<NAME type='stringref'>notepad.exe</NAME>
<APP_NAME type='stringref'>notepad</APP_NAME>
<VENDOR type='stringref'>&lt;Unknown&gt;</VENDOR>
<EXE_ID type='hex'>a65e89a9-1862-4886-b882-cb9b888b943c</EXE_ID>
<MATCHING_FILE>
<NAME type='stringref'>*</NAME>
</MATCHING_FILE>
<SHIM_REF>
<NAME type='stringref'>InjectDll</NAME>
<COMMAND_LINE type='stringref'>c:\test\abcd.dll</COMMAND_LINE>
</SHIM_REF>
</EXE>
</DATABASE>

In one attack, the Dridex malware used the RedirectEXE shim to bypass UAC. It installed the shim database and deleted it immediately after elevating privileges. For more details, refer to the blog post at http://blog.jpcert.or.jp/2015/02/a-new-uac-bypass-method-that-dridex-uses.html.
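The dump above is only useful once you know which elements point to abuse: the shim name (InjectDll here, RedirectEXE in the Dridex case), the COMMAND_LINE it is given, a MATCHING_FILE of "*" that removes any file constraint, and an unknown vendor. The following triage script is an added example, not part of the book or of python-sdb; it reads python-sdb's XML dump text, and its embedded sample is constructed to mirror the notepad.sdb dump, with the COMMAND_LINE assumed to be c:\test\abcd.dll.

```python
import xml.etree.ElementTree as ET

# Shims named on this page that load or redirect attacker-controlled code.
HIGH_RISK_SHIMS = {"InjectDll", "RedirectEXE"}

# Constructed sample mirroring the python-sdb dump above (trimmed to the
# elements the triage reads; the path is an assumed c:\test\abcd.dll).
SAMPLE_DUMP = """<DATABASE>
<NAME type='stringref'>notepad</NAME>
<DATABASE_ID type='guid'>ed41a297-9606-4f22-93f5-b37a9817a735</DATABASE_ID>
<EXE>
<NAME type='stringref'>notepad.exe</NAME>
<VENDOR type='stringref'>&lt;Unknown&gt;</VENDOR>
<MATCHING_FILE><NAME type='stringref'>*</NAME></MATCHING_FILE>
<SHIM_REF>
<NAME type='stringref'>InjectDll</NAME>
<COMMAND_LINE type='stringref'>c:\\test\\abcd.dll</COMMAND_LINE>
</SHIM_REF>
</EXE>
</DATABASE>"""

def _text(node, tag, default=""):
    child = node.find(tag)
    return child.text if child is not None and child.text else default

def triage_sdb_dump(xml_text):
    # Returns one finding per SHIM_REF that looks like abuse, with the reasons.
    root = ET.fromstring(xml_text)
    db_id = _text(root, "DATABASE_ID")  # the GUID the database is registered under
    findings = []
    for exe in root.iter("EXE"):
        target = _text(exe, "NAME")
        vendor = _text(exe, "VENDOR").strip("<>")
        # MATCHING_FILE/NAME of "*" means no size/version/checksum attributes
        # were recorded, so the shim applies to any binary with that name.
        wildcard = any(_text(m, "NAME") == "*" for m in exe.findall("MATCHING_FILE"))
        for ref in exe.findall("SHIM_REF"):
            shim = _text(ref, "NAME")
            reasons = []
            if shim in HIGH_RISK_SHIMS:
                reasons.append("high-risk shim " + shim)
            if wildcard:
                reasons.append("wildcard file match")
            if vendor.lower() == "unknown":
                reasons.append("unknown vendor")
            if reasons:
                findings.append({"database_id": db_id, "target": target, "shim": shim,
                                 "command_line": _text(ref, "COMMAND_LINE"),
                                 "reasons": reasons})
    return findings
```

Feed it the stdout of sdb_dump_database.py and every finding gives you the shimmed executable, the shim, and the DLL path or redirect target to pivot on during the rest of the investigation.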