Does the ShimCache prove a program was executed?


TL;DR. No. A ShimCache entry proves Windows examined the file — usually but not always for execution. Windows 10/11 removed the in-cache execution flag entirely. Confirm execution with Prefetch, AmCache, or process-creation events (Security 4688 / Sysmon 1).

"The ShimCache shows it ran" is one of the most common shortcuts in incident response — and it is wrong often enough to bite investigators in court. Here is a careful answer to the question "does a ShimCache entry prove a program was executed?", and what to do instead.

What the ShimCache actually records

The ShimCache (technically the Application Compatibility Cache, or AppCompatCache) stores entries for executables that Windows has examined, typically to decide whether to apply a compatibility shim. Examination is not the same thing as execution. Windows can examine a file when:

  • the user double-clicks it (often, but not always, leading to execution),
  • Explorer enumerates a directory and inspects a binary,
  • a tool scans the file system (AV, indexers, security agents),
  • the file is opened via right-click "Properties" or similar shell flows.

Most of those reasons coincide with execution, but the link is statistical, not logical. A binary an attacker dropped and deleted without running can still appear in the ShimCache because something on the system touched it.

The Windows 10 / 11 change that matters

On older Windows versions, ShimCache entries carried an Executed flag set when the binary ran. That flag was widely used as a coarse "did it run?" signal.

In Windows 10 and 11 that flag was removed. The modern ShimCache has no in-cache marker that tells you execution happened. So even if you trusted the legacy flag, you have to stop trusting it the moment you cross into modern Windows.

If you'd like to see exactly which fields a modern ShimCache entry exposes, the binary format reference walks through every offset.

How to confirm execution

Treat a ShimCache hit as a hypothesis, then corroborate with artifacts that actually record execution:

  • Prefetch (C:\Windows\Prefetch\*.pf) — written when a process starts and persists across reboots. A matching Prefetch file is strong execution evidence.
  • AmCache (Amcache.hve) — separate registry hive that logs executed and installed programs, with SHA-1 hashes for unambiguous identification. (Why both? See ShimCache vs AmCache.)
  • Security and Sysmon event logs — process creation events (4688, Sysmon 1) are the highest-fidelity execution evidence available.
  • UserAssist, BAM/DAM, RecentApps — additional registry-backed execution signals.

The program-execution artifacts reference summarizes which one captures what and how reliable each is in practice.
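
As an added illustration of the corroboration step above (example code written for this page, not part of the original article or any parser it mentions), the script below takes paths as a ShimCache parser would emit them and grades each against the other artifacts the section names: a Prefetch listing, an AmCache path-to-SHA-1 map, and process-creation events reduced to "EventID,Image" lines. All sample data is constructed; the hashes and Prefetch suffixes are placeholders.

```python
from pathlib import PureWindowsPath

# Constructed sample data (placeholders, not from a real system).
SHIMCACHE_PATHS = [
    r"C:\Windows\System32\notepad.exe",
    r"C:\Users\alice\Downloads\tool.exe",
    r"C:\Temp\dropper.exe",          # in ShimCache, nothing else: examined only
]
PREFETCH_FILES = ["NOTEPAD.EXE-D8414F97.pf", "TOOL.EXE-1A2B3C4D.pf",
                  "SVCHOST.EXE-00000001.pf"]
AMCACHE_SHA1 = {r"c:\windows\system32\notepad.exe":
                "da39a3ee5e6b4b0d3255bfef95601890afd80709"}
# Security 4688 and Sysmon 1 records, reduced to "EventID,Image" lines.
PROCESS_EVENTS = r"""4688,C:\Windows\System32\notepad.exe
1,C:\Users\alice\Downloads\tool.exe
4688,C:\Windows\System32\cmd.exe"""
EXEC_EVENT_IDS = {"4688", "1"}


def prefetch_matches(exe_path, prefetch_files):
    """Prefetch files are named EXENAME-HASH.pf with the name upper-cased."""
    name = PureWindowsPath(exe_path).name.upper()
    return [p for p in prefetch_files
            if p.upper().startswith(name + "-") and p.lower().endswith(".pf")]


def process_events_for(exe_path, events):
    """Return IDs of process-creation events whose Image equals exe_path."""
    hits = []
    for line in events.strip().splitlines():
        event_id, image = line.split(",", 1)
        if event_id in EXEC_EVENT_IDS and image.lower() == exe_path.lower():
            hits.append(event_id)
    return hits


def assess(exe_path, prefetch_files=PREFETCH_FILES, amcache=AMCACHE_SHA1,
           events=PROCESS_EVENTS):
    """Grade one ShimCache hit: existence only, or execution corroborated."""
    evidence = {}
    pf = prefetch_matches(exe_path, prefetch_files)
    if pf:
        evidence["prefetch"] = pf
    if exe_path.lower() in amcache:
        evidence["amcache_sha1"] = amcache[exe_path.lower()]
    ev = process_events_for(exe_path, events)
    if ev:
        evidence["process_events"] = ev
    verdict = "execution corroborated" if evidence else "examined only (ShimCache alone)"
    return {"path": exe_path, "verdict": verdict, "evidence": evidence}


if __name__ == "__main__":
    for path in SHIMCACHE_PATHS:
        print(assess(path))
```

The verdict string is deliberately the language the Bottom line asks for: "examined only" when the ShimCache is the sole source, "execution corroborated" only when at least one execution artifact agrees.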

Bottom line

A ShimCache entry tells you Windows looked at a particular file at some point. It is a high-signal pivot for proving existence, not execution. To assert that a program ran, pair the ShimCache with Prefetch, AmCache, or process-creation logs — and write the conclusion in language that matches the evidence you actually have.

To parse a SYSTEM hive's ShimCache right now, drop it into the Shimcache Parser. Everything runs in your browser; the file never leaves the page.
