Prefetch vs Amcache vs ShimCache
Windows records evidence of program execution in at least three places. They overlap. They disagree. Each one captures something the others miss. The mistake is treating any one of them as authoritative.
- Prefetch:
C:\Windows\Prefetch\*.pf. Per-execution timing cache. - AmCache:
C:\Windows\AppCompat\Programs\Amcache.hve. Registry hive of program inventory. - Shimcache (AppCompatCache):
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache. Registry-backed compatibility cache.
Prefetch — the timing story
Prefetch tells you when a binary ran and how often. Each .pf carries up to eight FILETIME last-run slots (on v26+), a monotonic run counter, the volume information for the launch volume, and the file-metric list of paths the binary touched in its first ten seconds. The filename embeds a hash of the launch path, so two copies of the same binary in different directories produce two distinct .pf entries.
What Prefetch does not give you: a complete history. The directory is capped (typically around 1024 entries; older entries get expired during maintenance, more aggressively on Win10 1709+ and on SSD-backed Win11 22H2+). It also does not run on Windows Server by default.
Reach for Prefetch first when the question is "did this run, when, and from where." The parser on this site or PECmd over the folder surfaces it in one pass.
AmCache — the inventory story
AmCache is a registry hive (Amcache.hve) populated by Application Experience and related compatibility infrastructure. It records metadata for every binary the system has seen — meaning catalogued by AppCompat, not just executed. SHA-1 hash, file size, publisher, version, signing status, install date, and a handful of other fields.
Where Prefetch says "this ran eight times last Tuesday," AmCache says "this binary exists at this path with this SHA-1 and this publisher." Combine the two and you have "this exact binary, identified by hash, was executed N times." That combination is what lets you defend an execution claim when the binary on disk has been swapped.
For offline AmCache analysis, see the AmCache parser. On pre-Win8 hosts the analogous artifact is RecentFileCache, which is much thinner but covers the same gap.
Shimcache — the compatibility story
Shimcache (AppCompatCache) lives in the SYSTEM hive and exists to feed the application compatibility shimming engine, not DFIR. It records file path, last-modified timestamp from NTFS, and an execution flag (the meaning of which has shifted across Windows versions, sometimes meaningfully). Hard cap around 1024 entries on modern Windows.
It is older and shallower than the other two. The execution flag is unreliable on modern versions — its presence is not proof of execution, and its absence is not proof of non-execution. Treat the timestamp as the NTFS modification time on the binary at the moment Shimcache observed it, not as an execution time.
Shimcache wins in one specific scenario: when Prefetch has been wiped and AmCache is unavailable or also touched, Shimcache often still holds a record because it lives in the SYSTEM hive, which attackers leave alone more often. It is also useful as a third corroboration source — if Prefetch, AmCache, and Shimcache all place the binary at the same path with timestamps that align, the evidence is hard to argue against.
Which one first
For most "did this run" questions:
- Prefetch. Recency and run frequency.
- AmCache. Hash, signing, and broader inventory.
- Shimcache. Path corroboration and fallback when the first two have been touched.
For the broader picture, none of these three is the end of the line. The USN journal tells you when the binary first hit the disk and when it was touched. SRUM tells you process resource usage with per-application network bytes, on workstations where SRUM is enabled. LNK files and jump lists place the user in the picture. The Security/Sysmon EVTX gives you command lines, parent processes, and the user context that none of the three execution artifacts above provide on their own.
Each artifact in this fleet handles one of these. Together they cover the gaps that any single one leaves.
Further reading
- Yogesh Khatri, the original AmCache write-ups — still the cleanest description of what the hive actually contains.
- Mandiant, "Caching Out: The Value of Shimcache" — required reading on what the execution flag does and does not mean.
- Eric Zimmerman, the AppCompatCacheParser / AmcacheParser / PECmd trio for offline analysis.