Forensic analysis of the Windows Application Compatibility Cache currently suffers from a significant limitation: the data in the cache is only serialized to the registry when the system is shut down or restarted. Why is this so significant?

https://www.fireeye.com/blog/threat-research/2015/10/shim_shady_live_inv.html