TL;DR. ShimCache proves a file existed on disk; AmCache proves it was executed and identifies it by SHA-1. ShimCache only flushes at clean shutdown — AmCache writes continuously. Pull both; they're co-witnesses, not substitutes.
ShimCache and AmCache are the two registry-backed artifacts most commonly cited in Windows program-execution investigations. They sound interchangeable. They are not. This is a quick reference for deciding which one to reach for, based on the question you're trying to answer.
At a glance
| | ShimCache | AmCache |
|---|---|---|
| Registry location | HKLM\SYSTEM\…\AppCompatCache | C:\Windows\AppCompat\Programs\Amcache.hve |
| Capacity | Up to 1,024 entries | Thousands of entries, no fixed cap |
| Per-entry data | Path, mtime, (legacy) execute flag | Path, SHA-1, size, publisher, install date, much more |
| Written when | Only at shutdown | Continuously (and at scheduled intervals) |
| Survives reboot crash | No — recent entries lost | Yes — already on disk |
| Best for | Proving a file existed on disk | Proving a file ran + identifying it by hash |
When ShimCache wins
The ShimCache will hold an entry for an executable that Windows merely examined for compatibility reasons. That makes it a sensitive artifact: a binary that an attacker dropped and immediately deleted may still leave a ShimCache trace. If your question is "did this file ever exist on this host?" — ShimCache is your friend.
It's also the only one of the two that captures the $STANDARD_INFORMATION mtime of the file. That timestamp is not the execution time (a common misreading we cover in another post), but it does anchor the file's identity in time.
When AmCache wins
AmCache is what you want when the question is "was this file actually executed, and which file exactly?". Each AmCache entry carries a SHA-1 hash, the file size, the publisher, the install date — enough to identify a binary unambiguously, even if the on-disk file has since been replaced or wiped.
AmCache also persists. Because Windows writes it continuously rather than only at shutdown, recent activity on a system that crashed or was hard-rebooted is more likely to be in AmCache than in ShimCache.
How to use them together
In practice, treat them as co-witnesses:
- An entry in both ShimCache and AmCache, with matching paths and a recent AmCache timestamp, is strong evidence of execution.
- An entry in ShimCache only says the file was at least on disk at some point. Look for corroborating evidence (Prefetch, AmCache, event logs) before claiming execution.
- An entry in AmCache only with no Prefetch and no ShimCache typically means the host hasn't been cleanly shut down since the activity — the ShimCache never got flushed to disk.
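The three co-witness rules above, written out as a small triage function (an added example, not code from the original post). It assumes the entries have already been parsed into plain tuples, for instance from AppCompatCacheParser or AmcacheParser CSV output; the sample records below are constructed.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample records, not real parser output; the field layout is an
# assumption: (path, mtime) for ShimCache, (path, SHA-1, entry timestamp) for
# AmCache, and a set of executable paths seen in Prefetch.
SHIMCACHE = [  # ShimCache mtime is the file's $SI mtime, not an execution time
    (r"C:\Windows\System32\svchost.exe", "2024-03-01T10:00:00Z"),
    (r"C:\Users\Public\dropper.exe",     "2024-04-02T08:15:00Z"),
    (r"C:\Tools\procdump64.exe",         "2024-04-10T09:00:00Z"),
]
AMCACHE = [
    (r"C:\Windows\System32\svchost.exe", "a" * 40, "2024-04-11T12:00:00Z"),
    (r"C:\Tools\procdump64.exe",         "b" * 40, "2024-01-05T13:30:00Z"),
    (r"C:\Users\Public\beacon.exe",      "c" * 40, "2024-04-11T14:05:00Z"),
]
PREFETCH = {r"C:\Users\Public\dropper.exe"}

def norm_path(path):
    # Case-fold and unify separators so both artifacts key on the same string
    return PureWindowsPath(path).as_posix().lower()

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

NOW = parse_ts("2024-04-12T00:00:00Z")  # constructed collection time

def triage(shim, am, prefetch, now, recent=timedelta(days=7)):
    """Apply the co-witness rules; returns {path: (verdict, sha1 or None)}."""
    shim_idx = {norm_path(p): m for p, m in shim}
    am_idx = {norm_path(p): (sha1, t) for p, sha1, t in am}
    pf = {norm_path(p) for p in prefetch}
    verdicts = {}
    for key in sorted(shim_idx.keys() | am_idx.keys()):
        if key in shim_idx and key in am_idx:
            sha1, t = am_idx[key]
            # Both artifacts agree on the path; recency of the AmCache entry decides
            verdict = "EXEC_STRONG" if now - parse_ts(t) <= recent else "EXEC_STALE"
        elif key in shim_idx:
            # ShimCache alone only proves presence on disk; Prefetch may corroborate
            sha1 = None
            verdict = "EXISTED_PREFETCH_CORROBORATES" if key in pf else "EXISTED_ONLY"
        else:
            # AmCache alone: Prefetch corroborates, or ShimCache was never flushed
            sha1, _ = am_idx[key]
            verdict = "AMCACHE_PREFETCH_CORROBORATES" if key in pf else "AMCACHE_UNFLUSHED"
        verdicts[key] = (verdict, sha1)
    return verdicts
```

Call `triage(SHIMCACHE, AMCACHE, PREFETCH, NOW)` to get one verdict per path; the `recent` window is an arbitrary seven days and should be set from the case timeline.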
For the technical details of the ShimCache binary layout, see Parsing the ShimCache: the Windows 10 and 11 binary format. To parse a hive right now without installing anything, use the Shimcache Parser — everything runs in your browser.
Further reading
- Eric Zimmerman's AppCompatCacheParser — reference C# implementation.
- Velociraptor's Windows.Registry.AppCompatCache artifact — live-system collection logic.
- ShimCache & AmCache forensic analysis (Mehrnoush) — extended walk-through with case examples.