TL;DR. Read in priority order: Prefetch (strongest, when enabled) → BAM/DAM (per-user last execution on Win10 1709+, criminally underused) → AmCache (SHA-1 of the first 30 MB, for file identification) → ShimCache (file existence, not execution) → UserAssist (Explorer-initiated launches only, ROT13-encoded). Triangulate; no single artifact closes a case.
There is no single Windows artifact that perfectly answers "did this program run, when, and by whom?". Investigators triangulate across several. Here is the practical short list, with what each one tells you and what it does not.
The short list
| Artifact | Location | Records | Reliability for execution |
|---|---|---|---|
| Prefetch | C:\Windows\Prefetch\*.pf | Path, run count, last 8 run times (Win8+; one on Win7), files and directories loaded | Very high: a .pf file is created or updated only because a process at that path started (Win10/11 files are LZXPRESS-compressed, so use a parser that decompresses) |
| AmCache | C:\Windows\AppCompat\Programs\Amcache.hve | Path, SHA-1 of the first 30 MB, size, version and publisher, first-seen timestamp | High for identifying the file; medium-high for execution, since the compatibility appraiser can also record binaries that were scanned but never run |
| ShimCache | SYSTEM hive …\AppCompatCache | Path, file mtime ($STANDARD_INFORMATION), insertion order | Medium: proves the file existed at that path; Windows 10 keeps no execution flag, so it only sometimes implies a run |
| UserAssist | NTUSER.DAT …\UserAssist | Per-user GUI launches via Explorer: run count, focus time, last run | High, but user-launched only; value names are ROT13-encoded |
| BAM / DAM | SYSTEM hive …\bam\State | Per-user (keyed by SID) last execution time of each binary, by device path | Very high: Windows 10 1709+, trivial to parse, often missed; keeps only the latest run per binary |
Reading them in priority order
1. Prefetch first. A .pf file is the closest thing Windows has to a "this ran" receipt. It stores the path, run count and up to the last eight run times (Windows 8 and later; Windows 7 keeps one), and modern Windows keeps Prefetch enabled by default on workstations but not on Server SKUs. Windows 10/11 compress the files (LZXPRESS Huffman, "MAM" header), so a raw hex dump looks like noise; Eric Zimmerman's PECmd is the standard parser and handles the decompression.
2. BAM / DAM second. Background Activity Moderator and Desktop Activity Moderator are the Windows 10 (1709+) components that throttle background apps. They keep one "last execution" FILETIME per user SID and per binary in the SYSTEM hive under …\bam\State and …\dam\State (builds 1709 to 1803 omit the State subkey): the value name is the binary's device path and the data is REG_BINARY with the timestamp in its first 8 bytes. Low-noise, easy to read with any registry tool, and because it is keyed by SID it answers "which user ran it?" directly. DAM is rarely populated on desktops.
3. AmCache third. AmCache fills the gap where Prefetch is absent (servers have it off by default) and stores a SHA-1 for unambiguous file identification, with one catch: the hash covers only the first 30 MB (31,457,280 bytes) of the file, so hash the same prefix when matching. Read its timestamps as "first seen" rather than guaranteed execution. See ShimCache vs AmCache for the breakdown.
4. ShimCache fourth. Treat it as a "file existed at this path with this mtime" anchor, not an execution claim; on Windows 10 there is no execution flag at all. The proof-of-execution post covers exactly why.
5. UserAssist last. Strong evidence of interactive program launch (Explorer-initiated: Start menu, desktop, shortcuts), with a run count and last-run time, but blind to anything launched from a shell, scheduled task, or service. Useful for "did the user click this?", not "was this binary ever run?".
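To make the BAM and UserAssist formats concrete, here is an added Python example (not code from this page or from any of the tools named here) that decodes both value types as they come out of an offline hive export and merges them into one per-user timeline, which is the triangulation step in practice. The registry locations in the comments are the documented ones; the SID, binaries and timestamps are constructed sample data, and reading the hive itself (for example with python-registry) is left out because the decoding is the point.

```python
"""Decode BAM and UserAssist registry values and merge them into one per-user
execution timeline. Added example; the SAMPLE_* constants are constructed test
data, not values from a real system."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Where these values live in offline hives:
#   BAM:        SYSTEM\ControlSet00N\Services\bam\State\UserSettings\<SID>
#               (builds 1709-1803 omit the "State" subkey)
#   UserAssist: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<GUID>\Count
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return _EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_utc; used here only to build sample data."""
    d = dt - _EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_bam_value(raw: bytes) -> datetime:
    """BAM values are REG_BINARY; the first 8 bytes are the last-execution
    FILETIME. Only that one timestamp exists: each new run overwrites it."""
    if len(raw) < 8:
        raise ValueError("BAM value shorter than a FILETIME")
    return filetime_to_utc(struct.unpack_from("<Q", raw, 0)[0])


def parse_userassist_value(name: str, raw: bytes) -> dict:
    """Windows 7+ UserAssist Count value (72 bytes): run count at offset 4,
    focus count at 8, focus time in ms at 12, last-run FILETIME at 60.
    (XP/Vista used a 16-byte layout; not handled here.) The value name is the
    ROT13 of the path, known-folder GUID included."""
    if len(raw) < 68:
        raise ValueError("UserAssist value too short for the Win7+ layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", raw, 4)
    ft = struct.unpack_from("<Q", raw, 60)[0]
    return {"path": codecs.decode(name, "rot13"), "run_count": run_count,
            "focus_count": focus_count, "focus_time_ms": focus_ms,
            "last_run": filetime_to_utc(ft) if ft else None}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def build_timeline(sid: str, bam_values: dict, userassist_values: dict) -> list:
    """Merge one user's BAM and UserAssist entries into a time-sorted list."""
    events = []
    for path, raw in bam_values.items():
        events.append({"source": "BAM", "user": sid, "binary": _basename(path),
                       "path": path, "time": parse_bam_value(raw)})
    for name, raw in userassist_values.items():
        ua = parse_userassist_value(name, raw)
        if ua["last_run"] is None:
            continue  # count-only stub, never launched via Explorer
        events.append({"source": "UserAssist", "user": sid, "binary": _basename(ua["path"]),
                       "path": ua["path"], "time": ua["last_run"], "run_count": ua["run_count"]})
    return sorted(events, key=lambda e: e["time"])


def corroborated(events: list) -> set:
    """Binaries that appear in more than one artifact for the same user."""
    seen = {}
    for e in events:
        seen.setdefault(e["binary"], set()).add(e["source"])
    return {b for b, srcs in seen.items() if len(srcs) > 1}


# Constructed sample data (not from a real case). notepad.exe was clicked in
# Explorer, whoami.exe was run from a shell, so only BAM sees the latter.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"


def _ft(*ymdhms) -> int:
    return utc_to_filetime(datetime(*ymdhms, tzinfo=timezone.utc))


def _ua_value(run_count: int, last_run_ft: int) -> bytes:
    return (struct.pack("<IIII", 0, run_count, 1, 2500) + bytes(44)
            + struct.pack("<Q", last_run_ft) + bytes(4))


SAMPLE_BAM = {
    r"\Device\HarddiskVolume3\Windows\System32\notepad.exe": struct.pack("<Q", _ft(2024, 3, 1, 14, 5, 0)) + bytes(16),
    r"\Device\HarddiskVolume3\Windows\System32\whoami.exe": struct.pack("<Q", _ft(2024, 3, 1, 14, 7, 30)) + bytes(16),
}
SAMPLE_USERASSIST = {
    codecs.encode(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe", "rot13"): _ua_value(3, _ft(2024, 3, 1, 14, 4, 58)),
}

if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_SID, SAMPLE_BAM, SAMPLE_USERASSIST)
    for e in timeline:
        print(f"{e['time']:%Y-%m-%d %H:%M:%S}Z  {e['source']:<10} {e['binary']}")
    print("corroborated by two artifacts:", corroborated(timeline))
```

In the sample, notepad.exe shows up in both artifacts a couple of seconds apart (UserAssist stamps the click, BAM the process), while whoami.exe exists only in BAM: exactly the blind spot the list above describes, and the reason BAM is the second thing to read rather than the last.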
Common pitfalls
- Prefetch is off by default on Windows Server and can be turned off by policy (the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters); older guidance about SSDs disabling it no longer applies to current Windows 10/11 builds. Absence of a .pf file is not evidence that nothing ran. Windows 8+ also caps the folder at 1024 files, so older entries get evicted.
- AmCache is rewritten by the Compatibility Appraiser scheduled task and entries do not last forever. Pull Amcache.hve together with its .LOG1/.LOG2 transaction logs early in your triage.
- ShimCache timestamps are the file's last-modified time, not execution time, and the cache lives in memory until shutdown or reboot, so a SYSTEM hive pulled from a running box is missing the current session. Many investigators have learned both the hard way.
- UserAssist names are ROT13-encoded (the known-folder GUID in front of the path included). Trivial to decode, but it trips up casual readers and keyword searches: grep for the encoded form or decode first.
- BAM is criminally underused. It's one of the cleanest "did this binary run for this user?" signals on modern Windows, with the one limitation that it stores only the latest run per binary, so it cannot tell you how many times or when before that.
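Because the AmCache FileId hashes only the first 30 MB of a file, a whole-file SHA-1 of a large binary will not match it, and a "no match" can be a false negative. The following is an added Python example, not from this page or from AmcacheParser, that computes the FileId form from a file on disk and checks it against a value copied out of the hive; the oversized sample file is generated in a temporary directory with random bytes and deleted afterwards.

```python
"""Match a file on disk against an AmCache FileId. Added example, not from the
page. An AmCache FileId is "0000" followed by the SHA-1 hex of the first
31,457,280 bytes (30 MiB) of the file, so the whole-file hash of anything
larger than that will never match."""
import hashlib
import os
import tempfile

AMCACHE_HASH_LIMIT = 31_457_280  # bytes the appraiser actually hashes


def amcache_file_id(stream, limit: int = AMCACHE_HASH_LIMIT) -> str:
    """Return the FileId form ("0000" + sha1 hex) for a readable binary stream,
    hashing at most `limit` bytes. Streams so huge files are not slurped."""
    h = hashlib.sha1()
    remaining = limit
    while remaining > 0:
        chunk = stream.read(min(65536, remaining))
        if not chunk:
            break
        h.update(chunk)
        remaining -= len(chunk)
    return "0000" + h.hexdigest()


def amcache_file_id_of_path(path: str, limit: int = AMCACHE_HASH_LIMIT) -> str:
    with open(path, "rb") as f:
        return amcache_file_id(f, limit)


def matches_file_id(file_id: str, path: str, limit: int = AMCACHE_HASH_LIMIT) -> bool:
    """Compare case-insensitively; accept either the 44-char FileId or a bare
    40-char SHA-1 copied from a report."""
    fid = file_id.strip().lower()
    sha1 = fid[4:] if len(fid) == 44 and fid.startswith("0000") else fid
    return amcache_file_id_of_path(path, limit)[4:] == sha1


def demo(limit: int = AMCACHE_HASH_LIMIT) -> dict:
    """Create a file slightly larger than `limit` (random bytes, constructed
    here) and show which of the two hashes the FileId actually corresponds to."""
    data = os.urandom(limit + 4096)
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        path = f.name
    try:
        fid = amcache_file_id_of_path(path, limit)
        return {
            "file_id": fid,
            "sha1_first_limit_bytes": hashlib.sha1(data[:limit]).hexdigest(),
            "sha1_whole_file": hashlib.sha1(data).hexdigest(),
            "matches": matches_file_id(fid, path, limit),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    r = demo()
    print("FileId from hive-style hash :", r["file_id"])
    print("sha1 of first 30 MiB        :", r["sha1_first_limit_bytes"], "(matches)")
    print("sha1 of whole file          :", r["sha1_whole_file"], "(does not)")
```

When you pivot from an AmCache hit to a sample you collected, hash the prefix the same way before declaring a mismatch; the same cap applies when you feed AmCache hashes to a threat-intel lookup, where the full-file SHA-1 of a large installer is a different value entirely.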
Tooling
For full-fidelity offline parsing, the Eric Zimmerman tool suite is the de-facto standard: PECmd (Prefetch), AmcacheParser, AppCompatCacheParser (ShimCache), and RECmd or Registry Explorer for BAM and UserAssist. The Velociraptor artifact library handles live triage. And for ShimCache specifically, you can use the Shimcache Parser directly in your browser without installing anything.
Further reading
- AppCompatCacheParser (Zimmerman) — reference ShimCache parser.
- Velociraptor ShimCache artifact — live-system collection logic.
- ShimCache & AmCache forensic analysis (Mehrnoush) — extended case-driven write-up.