June 2018
510 pages
English
At this point, you have an understanding of how a shim can be used to load a DLL into the address space of a target process. Before we look at how attackers use shims, it is essential to understand what artifacts are created when you install a shim database (either by right-clicking on the .sdb file and selecting Install, or by using the sdbinst.exe utility). Installation requires administrative privileges, because it writes to both the system directory and HKLM. When you install the database, the installer generates a GUID for it and copies the .sdb file to %SystemRoot%\AppPatch\Custom\<GUID>.sdb (for 32-bit shims) or %SystemRoot%\AppPatch\Custom\Custom64\<GUID>.sdb (for 64-bit shims). It also creates two registry entries under the following registry keys:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\ ...
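The following PowerShell script is an added example (not code from the book) that collects the artifacts described above so you can spot a shim database that was installed on a system under investigation. It lists the .sdb files in both AppPatch\Custom directories, the per-executable entries under the AppCompatFlags\Custom key, and the per-GUID entries under AppCompatFlags\InstalledSDB. The InstalledSDB key and its value names (DatabasePath, DatabaseDescription, DatabaseType, DatabaseInstallTimeStamp) are what sdbinst.exe writes on the systems I have examined; this excerpt does not show them, so treat them as an assumption of the example. Run it from an elevated 64-bit PowerShell so the HKLM reads and the Custom64 listing are complete.

```powershell
# Added example: enumerate the artifacts a shim database install leaves behind.
# Not code from the book. Run as Administrator in 64-bit PowerShell.

$sdbDirs = @(
    "$env:SystemRoot\AppPatch\Custom",          # 32-bit shim databases
    "$env:SystemRoot\AppPatch\Custom\Custom64"  # 64-bit shim databases
)

Write-Host "== Installed .sdb files =="
foreach ($dir in $sdbDirs) {
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Filter *.sdb -File -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc |
            Format-Table -AutoSize
    }
}

$customKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom'
$installedKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'

Write-Host "== Shimmed executables (AppCompatFlags\Custom) =="
if (Test-Path -LiteralPath $customKey) {
    Get-ChildItem -LiteralPath $customKey | ForEach-Object {
        $exe = $_.PSChildName            # subkey is named after the target executable
        # Each value under the per-executable subkey is named <GUID>.sdb
        $_.GetValueNames() | ForEach-Object {
            [pscustomobject]@{ Executable = $exe; Database = $_ }
        }
    } | Format-Table -AutoSize
}

Write-Host "== Registered databases (AppCompatFlags\InstalledSDB) =="
if (Test-Path -LiteralPath $installedKey) {
    Get-ChildItem -LiteralPath $installedKey | ForEach-Object {
        $p  = Get-ItemProperty -LiteralPath $_.PSPath
        $ts = $null
        if ($p.DatabaseInstallTimeStamp) {
            # Assumption: stored as a 64-bit FILETIME, as seen on observed installs
            $ts = [DateTime]::FromFileTimeUtc([int64]$p.DatabaseInstallTimeStamp)
        }
        # A registry entry whose .sdb no longer exists on disk is worth a closer look:
        # either a sloppy uninstall or an attacker who removed the file but not the key.
        $exists = $false
        if ($p.DatabasePath) { $exists = Test-Path -LiteralPath $p.DatabasePath }
        [pscustomobject]@{
            GUID         = $_.PSChildName
            Description  = $p.DatabaseDescription
            Path         = $p.DatabasePath
            Type         = $p.DatabaseType
            InstalledUtc = $ts
            PathExists   = $exists
        }
    } | Format-Table -AutoSize
}
```

On a clean system both registry keys are usually absent and the Custom directories are empty, so any output at all is a lead. Compare the executable names under the Custom key against the DatabasePath entries in InstalledSDB: a database that targets a commonly launched binary but has a generic description, a recent install timestamp, or a file path outside the two AppPatch directories is the pattern to investigate.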