TL;DR. Build a fused timeline of ShimCache + AmCache + Prefetch + BAM/DAM + Security/Sysmon. Use ShimCache to define the cast (paths) then enrich each row with timestamps from other sources. Tag every timestamp with its source semantics — never collapse "file mtime" and "process start" into one column.
A program-execution timeline is the single most useful artifact a Windows IR investigator produces. Done well, it tells a chronological story across multiple data sources. Done badly, it overstates evidence and gets challenged. This post walks through how to build one with the ShimCache as the spine.
Why ShimCache is a good spine
ShimCache is rarely the most accurate source for any single field, but it has unique advantages as a timeline anchor:
- It carries the file path explicitly (some artifacts only have hashes or partial paths).
- It captures executables Windows merely examined — so it includes binaries that ran briefly and were deleted, which Prefetch and BAM may miss.
- It survives many anti-forensic attempts that wipe other artifacts (with important caveats).
Use ShimCache to define the cast of characters in your timeline, then enrich each row with corroborating artifacts to assign reliable times.
The data sources to fuse
A complete program-execution timeline pulls from at least these five:
| Source | What it adds to the row |
|---|---|
| ShimCache | Path + file mtime |
| AmCache | SHA-1, file size, publisher, install timestamp, first-run timestamp |
| Prefetch | Process-start times (up to last 8), loaded files |
| BAM/DAM | Per-user "last execution" timestamp on Win10/11 |
| Security/Sysmon | Process creation events with command line, parent, user |
For background on each, see the program-execution artifacts reference.
A reproducible workflow
- Collect the artifacts. SYSTEM hive (with transaction logs), Amcache.hve, C:\Windows\Prefetch\*.pf, exported Security event log, Sysmon log if available.
- Parse each to a normalized table. Use the Eric Zimmerman suite (AppCompatCacheParser, AmcacheParser, PECmd) or the Shimcache Parser in your browser for the ShimCache portion.
- Fuse on (path, optional SHA-1). The join key is the file path, with SHA-1 as a secondary signal when AmCache provides it. Be careful: the same file can appear with slightly different path spellings across sources (letter case, normalized vs raw), so normalize the path before joining.
- Tag each timestamp with its source semantics. Don't merge "AmCache install_date" and "Prefetch run_time" into one column — they answer different questions. Keep them adjacent but distinct.
- Render to a tool that handles per-row source attribution. Eric Zimmerman's Timeline Explorer (TLE) and Plaso / log2timeline both do this well. CSV in a spreadsheet works for smaller cases.
What "good" looks like
A defensible row in a final timeline looks like:
2026-04-12 09:14:33 UTC C:\Users\alice\AppData\Local\Temp\setup.exe
ShimCache mtime: 2026-04-12 09:14:30 UTC
AmCache : SHA-1 a3b8c9…, signer "Acme Updates", install 2026-04-12 09:14:33
Prefetch : last run 2026-04-12 09:15:01 UTC (1 execution)
Security 4688 : 2026-04-12 09:15:01 UTC, PID 4521, parent PID 1234 (svchost.exe)
Each timestamp is sourced and the row stands up to challenge. The opposite — "ShimCache shows setup.exe ran at 09:14:33" — confuses file mtime with execution time and is the kind of claim that gets a report rejected. See proof of execution.
When sources disagree
Conflicts are useful data:
- ShimCache mtime ≠ Prefetch first-run. That's normal — they measure different things. Note both, don't pick one.
- AmCache says executed, ShimCache is empty for that file. Possible reasons: anti-forensic wipe (detection patterns), the entry was evicted from the 1,024-entry cap, the binary ran after the last clean shutdown.
- Prefetch absent. Server SKUs and SSD-heavy hosts often have Prefetch disabled — fall back to AmCache + BAM.
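To make the workflow above and the conflict cases concrete, here is an added Python example (not the post's code and not the output format of any parser) that fuses constructed per-artifact rows on a normalized path key, keeps every timestamp in its own source-tagged column, and emits the analyst notes from the list above; DEVICE_MAP, the column names and the sample rows are assumptions.

```python
# Added example, not the post's code. Fuses parser rows on a normalized path key,
# keeps timestamps in source-tagged columns. Sample rows and column names are assumed.
from collections import defaultdict
DEVICE_MAP = {"\\device\\harddiskvolume3": "c:"}  # assumed map; BAM stores device paths

def norm_path(p):
    # Join key: backslashes, lowercase, NT and device prefixes resolved.
    p = p.replace("/", "\\").lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    for dev, drive in DEVICE_MAP.items():
        if p.startswith(dev + "\\"):
            p = drive + p[len(dev):]
    return p

def fuse(sources):
    # {artifact: [rows with 'path' + fields]} -> {key: row with '<artifact>.<field>' columns}
    rows = defaultdict(lambda: {"raw_paths": set(), "sources": set()})
    for src, entries in sources.items():
        for e in entries:
            row = rows[norm_path(e["path"])]
            row["raw_paths"].add(e["path"])  # keep raw spellings for the report
            row["sources"].add(src)
            for field, value in e.items():
                if field != "path":
                    row[f"{src}.{field}"] = value
    return dict(rows)

def conflicts(row):
    # Analyst notes mirroring the post's "when sources disagree" list.
    notes = []
    if "amcache" in row["sources"] and "shimcache" not in row["sources"]:
        notes.append("amcache-only: eviction, wipe, or no clean shutdown?")
    if "prefetch" not in row["sources"]:
        notes.append("no prefetch: fall back to amcache + bam")
    s, p = row.get("shimcache.mtime"), row.get("prefetch.last_run")
    if s and p and s != p:
        notes.append("shimcache mtime != prefetch run: different meanings, keep both")
    return notes

P = "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"
SAMPLE = {  # constructed rows, not case data
    "shimcache": [{"path": P, "mtime": "2026-04-12 09:14:30"}],
    "amcache": [{"path": P.lower(), "sha1": "a3b8c9", "install": "2026-04-12 09:14:33"},
                {"path": "C:\\Windows\\Temp\\drop.exe", "sha1": "d4e5f6",
                 "install": "2026-04-12 09:20:00"}],
    "prefetch": [{"path": P, "last_run": "2026-04-12 09:15:01", "run_count": 1}],
    "bam": [{"path": "\\Device\\HarddiskVolume3" + P[2:], "last_exec": "2026-04-12 09:15:01"}],
    "security": [{"path": P, "event_4688": "2026-04-12 09:15:01", "pid": 4521}],
}
TIMELINE = fuse(SAMPLE)
```

Each fused row keeps the raw spellings it was joined from, so the report can cite the exact path each artifact recorded.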
Stopping at the right place
A timeline doesn't have to be complete to be valuable. A focused window — "what ran on host X between 14:00 and 18:00 on 2026-04-11?" — built rigorously beats a sprawling one with weak attribution. The malware hunting workflow helps you pick that window.
Further reading
- Plaso / log2timeline — open-source timeline engine that consumes ShimCache, AmCache, Prefetch, and dozens of other Windows artifacts.
- Eric Zimmerman tools — reference parsers + Timeline Explorer.
- Velociraptor Windows.Registry.AppCompatCache artifact, for collection at scale.