DEV Community

Mark0


ShimBad the Sailor, Part 3

This technical update covers new application-shim behaviour found in Windows 11, in particular newly identified hardcoded process names such as SdbMergeTestEntry_Added_Exe_Item.exe that the shim engine handles specially. It builds on the earlier parts of the series, which examined how the Windows shim database (SDB) treats certain executable names differently, and gives some insight into internal testing hooks that remain in the shipping OS.

The article also notes a new plugin directory, %windir%\apppatch\AcPluginDlls, and the test DLLs associated with it. Both are referenced from system libraries such as apphelp.dll and pcasvc.dll, which suggests a lesser-known shim-database extension mechanism. Because that path is consulted by trusted system components, it is a plausible target for persistence or stealthy code injection, so its contents and permissions are worth baselining on hardened hosts.
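The following PowerShell script is an added example, not code from the article or from the author, showing the check a defender would run on a Windows 11 host after reading the above: inventory %windir%\apppatch\AcPluginDlls, flag anything in it that is not Microsoft-signed, confirm that apphelp.dll and pcasvc.dll actually embed the directory name, and dump the directory's ACL. It assumes the two DLLs live in System32, that the directory may be absent on some builds, and that the reference appears as an ASCII or UTF-16 string inside the binaries; none of those details are stated on the page.

```powershell
# Added example (not from the original article): audit the shim plugin
# directory named in the post and verify the system DLLs reference it.
# Assumptions not stated on the page: the directory may be missing on a
# given build, legitimate contents are Microsoft-signed, the two DLLs are
# in System32, and the reference is a plain ASCII or UTF-16 string.

$pluginDir = Join-Path $env:windir 'apppatch\AcPluginDlls'
$refDlls   = @('apphelp.dll', 'pcasvc.dll') |
    ForEach-Object { Join-Path $env:windir "System32\$_" }

# 1. Inventory the plugin directory; anything unsigned or not Microsoft-signed
#    is worth a closer look, since the path is loaded by system components.
if (Test-Path $pluginDir) {
    Get-ChildItem -Path $pluginDir -Recurse -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Path       = $_.FullName
            Status     = $sig.Status
            Signer     = $subject
            Suspicious = ($sig.Status -ne 'Valid') -or ($subject -notmatch 'Microsoft')
        }
    } | Format-Table -AutoSize
} else {
    Write-Output "$pluginDir is not present on this build"
}

# 2. Confirm the DLLs embed the directory name. Paths in Windows binaries are
#    usually UTF-16, and a UTF-16 string may start at an odd byte offset, so
#    decode the file at both alignments as well as as ASCII.
$needle = 'AcPluginDlls'
foreach ($dll in $refDlls) {
    if (-not (Test-Path $dll)) { Write-Output "$dll not found"; continue }
    $bytes  = [System.IO.File]::ReadAllBytes($dll)
    $views  = @(
        [System.Text.Encoding]::ASCII.GetString($bytes),
        [System.Text.Encoding]::Unicode.GetString($bytes),
        [System.Text.Encoding]::Unicode.GetString($bytes, 1, $bytes.Length - 1)
    )
    $found = $false
    foreach ($v in $views) { if ($v.Contains($needle)) { $found = $true; break } }
    Write-Output ("{0}: reference to '{1}' {2}" -f $dll, $needle,
        $(if ($found) { 'found' } else { 'not found' }))
}

# 3. Dump the directory ACL. Abuse of this path for persistence needs write
#    access, so compare these entries against a known-good host of the same
#    build rather than assuming a fixed "correct" set.
if (Test-Path $pluginDir) {
    (Get-Acl -Path $pluginDir).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}
```

Run it from an elevated prompt so Get-Acl and the signature checks succeed on all entries; a "not found" result in step 2 on a build where the directory exists would mean the reference is stored differently than assumed here, not that the mechanism is absent.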


