What are Shims in Windows and what are they really used for?

Last update: 30/06/2025
Author Isaac
  • Shims in Windows are intermediate layers that modify API calls, allowing old applications to work correctly on new operating systems.
  • Microsoft uses Shims in the Application Compatibility Toolkit (ACT) to simulate legacy environments and resolve compatibility issues without modifying the original software.
  • In programming, Shims are also applied for unit testing using tools like Microsoft Fakes, intercepting method calls to ensure consistent results.
  • Although useful for compatibility, Shims can be exploited for malicious purposes, allowing DLL injections or hidden privilege escalations if not managed properly.

If you've ever tried to run an older application on a recent version of Windows, you've probably encountered compatibility issues. Many users don't know this, but behind those magic solutions that Windows offers to get older programs working, there are so-called Shims. Although it may sound like technical jargon, these small elements play a huge role within Microsoft's compatibility ecosystem.

In this article we will explain what Shims in Windows are, how they're used, the different scenarios in which they come into play (both legitimately and maliciously), and their importance in development, testing, and IT security environments. If you're interested in the in-depth workings of Windows or work with legacy applications, this article is for you.

What is a Shim in computer science?

In programming, a Shim is a layer of code that intercepts calls to an API to modify its behavior without altering the original code of the application or the API. This technique is commonly used to ensure compatibility between software versions or to alter functionality in a temporary and controlled manner.

Shims can intercept, modify or redirect a call. For example, if an application expects a function that no longer exists in a new version of the operating system, a Shim can capture that call and redirect it to another compatible function. Arguments can also be modified, or even a response can be simulated.

This concept has been widely used in various areas, from browsers implementing new features for older versions through polyfills, to networking environments and operating systems like Windows that need to keep applications from previous years running without errors.

Using Shims on Windows: Backward Compatibility

Microsoft officially implemented Shims within the Application Compatibility Toolkit (ACT), a set of tools designed to fix compatibility issues in modern versions of Windows. This functionality is crucial for applications that were designed for older versions of the system and have not been updated.

One of the most powerful options within the ACT is the possibility of applying "version lies". This type of Shim tricks an application into thinking it is running on Windows XP, for example, when it is actually running on Windows 10 or 11. This is achieved by intercepting system calls related to the OS version and manipulating the values that are returned.

Practical example of using Shims with ACT

Some programs perform very strict checks on the operating system version number before installing. For example, an application designed specifically for Windows XP might check if the system returns version 5.1 and, if it doesn't, block the installation. In these cases, a Shim can intercept the call to System.Environment.OSVersion and return the values 5.1, making the program think it is running on XP.

To apply this type of fix, the ACT's Compatibility Administrator component is used: a Shim such as WinXPSP3VersionLie is selected and set to apply to all modules of the application.

How to install Shims

Once the Shim is configured in the ACT, it is saved as a .sdb (Shim Database) file. This file can be installed on the system so that Windows uses it every time the corresponding application is run. The operating system detects the presence of the Shim and modifies its behavior at runtime.

This allows applications that would otherwise be incompatible to run without errors, without requiring modifications to the original executable or external emulators.

Shims in development environments: unit testing in Visual Studio

Another area where Shims play a relevant role is unit testing. In development environments like Visual Studio, shims (compatibility fixes) are used to isolate parts of the code during testing. This is part of the Microsoft Fakes framework, which includes both stubs and shims.

Shims allow you to intercept calls to methods in assemblies that are not part of your own solution, such as system or third-party libraries. Their purpose is to divert execution to custom test code, thus ensuring that tests are predictable and not dependent on external factors such as the file system, network, or system time.

Practical example with System.IO

Suppose you have a method that calls System.IO.File.ReadAllLines. In a unit test, you don't want it to actually read from disk, but rather return a fixed set of data. With a Shim, you can intercept that call and have it return, for example, {"Hello", "World", "Shims"}.

This is achieved using the corresponding Fakes file, which is automatically generated from the test project. Within the Shim, the original call is replaced with a custom function.
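The ReadAllLines case above as a complete MSTest test. This is an added example, not code from the original article; it assumes Microsoft Fakes is available and a Fakes assembly has been generated for the assembly that defines System.IO.File, and `LineCounter` is a hypothetical class under test.

```csharp
using System.IO;
using Microsoft.QualityTools.Testing.Fakes;          // ShimsContext
using Microsoft.VisualStudio.TestTools.UnitTesting;

// Hypothetical code under test: counts the non-empty lines of a file.
public static class LineCounter
{
    public static int CountNonEmpty(string path)
    {
        int n = 0;
        foreach (var line in File.ReadAllLines(path))
            if (!string.IsNullOrWhiteSpace(line)) n++;
        return n;
    }
}

[TestClass]
public class LineCounterTests
{
    [TestMethod]
    public void CountNonEmpty_UsesShimmedData()
    {
        // Shims apply to the whole AppDomain; disposing the context removes
        // them again, so keep the scope as narrow as the test itself.
        using (ShimsContext.Create())
        {
            // Replace File.ReadAllLines(string) while the context is alive.
            System.IO.Fakes.ShimFile.ReadAllLinesString =
                path => new[] { "Hello", "World", "Shims" };

            // The path is never read from disk; the shim answers instead.
            Assert.AreEqual(3, LineCounter.CountNonEmpty(@"C:\does\not\exist.txt"));
        }
    }
}
```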

Types of supported methods

Shims in Microsoft Fakes can be applied to:

  • Static methods: They are intercepted and a delegate is associated with them that defines the new behavior.
  • Instance methods (all instances): Use the AllInstances class to intercept the method on any object of that class.
  • Instance methods for a single instance: A Shim object is created bound to a specific instance.
  • Constructors: Object creation can be intercepted and modified instances of the object in question returned.

Limitations of Shims in testing

Not everything can be intercepted with Shims. For example, they cannot be used on certain .NET base classes such as mscorlib in some environments. Also, it is not recommended to run tests in parallel when using Shims, as they affect the entire AppDomain and have no thread affinity, which can lead to inconsistent results.

Shims as an offensive cybersecurity tool

Shims have also attracted the attention of malicious actors. As a legitimate way to intercept and modify system processes, they can be used to inject malicious code into safe processes or even to escalate privileges.

A technique known as a Shimming Attack consists of creating a custom compatibility database that patches an executable or DLL at startup, allowing unauthorized code to run without a system reboot. This can be achieved using the same .sdb file mechanism used by Microsoft, but for malicious purposes.

The Shims Database Parser tool allows security researchers to analyze these .sdb files and detect attempts at hot patching, DLL injection, or changes in execution privileges.

How these attacks are detected

Some key indicators to look for are:

  • Shim databases installed outside the expected directories
  • Unusual modification dates
  • Suspicious matching/rewriting patterns within the bytes of the target applications

These manipulations are stored in the Windows Registry and can persist even after a system restart. Therefore, it is essential to monitor any suspicious changes to the .sdb files referenced in the registry, such as \Windows\AppPatch\sysmain.sdb or its equivalents.
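A triage sketch for the first two indicators, added here as an example and not part of the original article. It assumes an inventory of registered shim databases has already been collected (for instance from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB plus file timestamps); the record fields, the expected root \Windows\AppPatch and the reading of "unusual modification date" as "file changed after it was registered" are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;

// One registered shim database; the field names are assumptions of this example.
record SdbEntry(string Name, string Path, DateTime RegisteredUtc, DateTime FileModifiedUtc);

static class SdbTriage
{
    // Collapse "." and ".." segments and unify separators, so that
    // C:\Windows\AppPatch\..\Temp\x.sdb is not mistaken for an AppPatch path.
    static string Normalize(string path)
    {
        var parts = new List<string>();
        foreach (var seg in path.Replace('/', '\\').Split('\\', StringSplitOptions.RemoveEmptyEntries))
        {
            if (seg == ".") continue;
            if (seg == "..") { if (parts.Count > 1) parts.RemoveAt(parts.Count - 1); continue; }
            parts.Add(seg);
        }
        return string.Join("\\", parts);
    }

    // Returns the indicators an entry trips; an empty list means nothing was flagged.
    public static List<string> Review(SdbEntry e, string expectedRoot, TimeSpan tolerance)
    {
        var hits = new List<string>();
        string root = Normalize(expectedRoot) + "\\";
        if (!Normalize(e.Path).StartsWith(root, StringComparison.OrdinalIgnoreCase))
            hits.Add("outside expected directory");
        if (e.FileModifiedUtc - e.RegisteredUtc > tolerance)
            hits.Add("file modified after registration");
        return hits;
    }

    static void Main()
    {
        var t0 = new DateTime(2025, 1, 10, 9, 0, 0, DateTimeKind.Utc);
        // Constructed sample inventory, not data from a real system.
        var inventory = new[]
        {
            new SdbEntry("vendor-fix", @"C:\Windows\AppPatch\Custom\a.sdb", t0, t0),
            new SdbEntry("odd-path", @"C:\Windows\AppPatch\..\Temp\b.sdb", t0, t0),
            new SdbEntry("touched", @"C:\Windows\apppatch\Custom\c.sdb", t0, t0.AddDays(30)),
        };
        foreach (var e in inventory)
            Console.WriteLine(e.Name + ": " + string.Join("; ", Review(e, @"C:\Windows\AppPatch", TimeSpan.FromMinutes(5))));
    }
}
```

An entry that trips either check is a candidate for inspection with an .sdb parser, not a verdict; legitimately installed fixes can also be updated after registration.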

What is the difference between a Shim, a Wrapper and a Stub?

In software development there are several similar concepts that can easily be confused:

  • Shim: Intercepts and modifies API calls, rewriting or redirecting their behavior without altering the original code.
  • Wrapper: encapsulates another function or object, adding functionality without modifying the original object.
  • Stub: simplified replacement of a real function, typically used during testing to simulate behavior.

While Wrappers and Stubs are created explicitly in the code, Shims work at a lower level, modifying runtime behavior, even on compiled libraries or the operating system itself.

These elements are essential to understanding how Windows maintains compatibility, how tests are developed, and how they can be exploited by malicious actors. A proper understanding of their differences and functions is key to taking advantage of their benefits and protecting against their risks.
