{"id":10336,"date":"2026-02-26T01:16:00","date_gmt":"2026-02-26T01:16:00","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=10336"},"modified":"2026-02-26T01:16:00","modified_gmt":"2026-02-26T01:16:00","slug":"shimbad-the-sailor-part-3","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2026\/02\/26\/shimbad-the-sailor-part-3\/","title":{"rendered":"ShimBad the Sailor, Part 3"},"content":{"rendered":"\n<p>Windows 11 brings us a lot of new Shim-related goodies and it makes sense to cover at least some of them.<\/p>\n\n\n\n<p>In the <a href=\"https:\/\/www.hexacorn.com\/blog\/2020\/03\/20\/shimbad-the-sailor-part-2\/\" data-type=\"post\" data-id=\"7036\">second part of this series<\/a> I listed a number of process names that are treated in a special way by the existing shim database entries.<\/p>\n\n\n\n<p>It turns out that the list of these process names has been extended by at least two:<\/p>\n\n\n\n<ul>\n<li>SdbMergeTestEntry_Added_Exe_Item.exe<\/li>\n\n\n\n<li>SdbMergeTestEntry_Added_Exe_Item_InboxApp.exe<\/li>\n<\/ul>\n\n\n\n<p>In other words, when you run a program that is named like the two aforementioned entries, you will get these messages:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2026\/02\/sdb1.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2026\/02\/sdb1.png\" alt=\"\" class=\"wp-image-10337\" width=\"512\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2026\/02\/sdb1.png 586w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2026\/02\/sdb1-300x147.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2026\/02\/sdb1-500x245.png 500w\" sizes=\"(max-width: 586px) 100vw, 586px\" \/><\/a><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2026\/02\/sdb2.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2026\/02\/sdb2.png\" alt=\"\" class=\"wp-image-10338\" width=\"512\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2026\/02\/sdb2.png 586w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2026\/02\/sdb2-300x147.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2026\/02\/sdb2-500x245.png 500w\" sizes=\"(max-width: 586px) 100vw, 586px\" \/><\/a><\/figure>\n\n\n\n<p>Additionally, Windows 11 binaries handling shims include references to a list of folders that may be of some interest:<\/p>\n\n\n\n<ul>\n<li>%windir%\\apppatch\\AcPluginDlls\\Plugin<\/li>\n\n\n\n<li>%windir%\\apppatch\\AcPluginDlls\\PluginWow<\/li>\n\n\n\n<li>%windir%\\apppatch\\AcPluginDlls\\PluginWowAMD64<\/li>\n\n\n\n<li>%windir%\\apppatch\\AcPluginDlls\\PluginWowARM<\/li>\n\n\n\n<li>%windir%\\apppatch\\AcPluginDlls\\PluginWowARM64<\/li>\n\n\n\n<li>%windir%\\apppatch\\AcPluginDlls\\PluginWowX86<\/li>\n<\/ul>\n\n\n\n<p>The Windows 11 installations I saw so far include these test Ac plugins:<\/p>\n\n\n\n<ul>\n<li>c:\\WINDOWS\\apppatch\\AcPluginDlls\\Plugin\\AcPlugin_Test.dll<\/li>\n\n\n\n<li>c:\\WINDOWS\\apppatch\\AcPluginDlls\\Plugin\\AcPlugin_Test2.dll<\/li>\n\n\n\n<li>c:\\WINDOWS\\apppatch\\AcPluginDlls\\PluginWowX86\\AcPlugin_Test.dll<\/li>\n\n\n\n<li>c:\\WINDOWS\\apppatch\\AcPluginDlls\\PluginWowX86\\AcPlugin_Test2.dll<\/li>\n<\/ul>\n\n\n\n<p>The code referencing these directories resides in a few system libraries:<\/p>\n\n\n\n<ul>\n<li>apphelp.dll<\/li>\n\n\n\n<li>pcasvc.dll<\/li>\n\n\n\n<li>appraiser.dll<\/li>\n<\/ul>\n\n\n\n<p>but I have not explored yet how they work. As of now, I assume this is a lesser-known Shim Database enhancement mechanism that could be potentially leveraged for persistence and stealth code injection&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Windows 11 brings us a lot of new Shim-related goodies and it makes sense to cover at least some of them. In the second part of this series I listed a number of process names that are treated in a &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2026\/02\/26\/shimbad-the-sailor-part-3\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10336"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=10336"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10336\/revisions"}],"predecessor-version":[{"id":10339,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10336\/revisions\/10339"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=10336"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=10336"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=10336"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}