Prefetch vs Amcache vs ShimCache
Windows records evidence of program execution in at least three separate places, each with its own format, retention, and quirks:
- Prefetch (C:\Windows\Prefetch\*.pf): per-execution timing cache
- Amcache (C:\Windows\AppCompat\Programs\Amcache.hve): registry hive of program inventory
- ShimCache / AppCompatCache (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache): registry-backed compatibility cache
They overlap. They disagree. They each capture something the others miss.
Prefetch — the timing story
Prefetch tells you when a program ran and how often. On Windows 8 and later each .pf file holds the last eight run timestamps and a run counter; Windows 7 and earlier keep only the single most recent run time. The file is named NAME-HASH.pf, where the hash is computed from the executable's full path (and, for a few hosting processes such as svchost and rundll32, its command line), so the same program launched from two directories leaves two files. Each .pf also lists the files and directories the executable touched during the first ten seconds after launch, which is a useful load fingerprint for malware analysis: a dropper that pulls in an unexpected DLL, script engine, or staging directory shows up here.
What prefetch does not give you: a complete list of every program that ever ran. Windows 8 and later cap the directory at 1024 .pf files (128 on Windows 7 and earlier) and evict older entries once it fills, so a busy workstation rotates them out. Prefetch is also disabled by default on Windows Server, and on clients it can be turned off through the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters (0 disables it; 3, boot plus application prefetching, is the client default) or by disabling the SysMain service, so check that setting before treating a missing .pf file as evidence of non-execution. Two more practical points: the .pf file's own filesystem creation time approximates the first run (plus roughly ten seconds), and Windows 10 and later store .pf files compressed (a four-byte MAM header followed by LZXPRESS Huffman data), so raw copies have to be decompressed before a parser can read them.
Reach for prefetch when you need run frequency, recency, or the load fingerprint of an executable. Use the parser on this site to surface all of that in one pass.
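The layout described above (format version in the first four bytes, SCCA signature, executable name, path hash, run-time slots and run counter at version-dependent offsets, and the NUL-separated loaded-file strings) is small enough to parse by hand. The following is an added example written for this page, not the parser on this site; it handles the XP, 7, 8.1 and 10 layouts, refuses compressed Windows 10 files rather than silently misreading them, and builds its own constructed, uncompressed version-30 image (the executable name, hash, timestamps and loaded DLL paths are invented) so it runs offline. The 0xD0 run-counter offset for version 30 is the 224-byte file-information variant; the 216-byte variant keeps it at 0xC8, and that assumption is marked in the code.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01) to an aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


# Absolute offsets of the last-run-time array, its slot count, and the run counter,
# keyed by the format version stored in the first four bytes of the file.
LAYOUT = {
    17: (0x78, 1, 0x90),  # Windows XP / Server 2003
    23: (0x80, 1, 0x98),  # Vista / 7
    26: (0x80, 8, 0xD0),  # 8.1
    30: (0x80, 8, 0xD0),  # 10 / 11; assumption: 224-byte file-information variant
                          # (the 216-byte variant keeps its run counter at 0xC8)
}


def is_compressed(data: bytes) -> bool:
    """Windows 10+ writes .pf files LZXPRESS-Huffman compressed behind a MAM\\x04 header."""
    return data[:4] == b"MAM\x04"


def parse_prefetch(data: bytes) -> dict:
    if is_compressed(data):
        raise ValueError("compressed prefetch file: decompress (LZXPRESS Huffman) before parsing")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch format version {version}")
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 76)[0]  # hash of the exe path, not its content
    times_off, slots, count_off = LAYOUT[version]
    last_runs = []
    for i in range(slots):
        ft = struct.unpack_from("<Q", data, times_off + 8 * i)[0]
        if ft:  # unused slots are zero; slot 0 is the most recent run
            last_runs.append(from_filetime(ft))
    run_count = struct.unpack_from("<I", data, count_off)[0]
    # Filename strings section (offset/size at file-information +16/+20 in every version):
    # UTF-16LE, NUL-terminated, concatenated.
    str_off, str_size = struct.unpack_from("<II", data, 100)
    names = data[str_off:str_off + str_size].decode("utf-16-le").split("\x00")
    return {
        "exe": exe_name,
        "path_hash": f"{path_hash:08X}",
        "version": version,
        "run_count": run_count,
        "last_runs": last_runs,
        "loaded_files": [n for n in names if n],
    }


def build_sample_v30() -> bytes:
    """Constructed, uncompressed Windows 10 (version 30) .pf image for the demo; not a real capture."""
    runs = [datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc) - timedelta(days=i) for i in range(3)]
    loaded = [
        r"\VOLUME{01d9f0a1b2c3d4e5-a1b2c3d4}\WINDOWS\SYSTEM32\NTDLL.DLL",
        r"\VOLUME{01d9f0a1b2c3d4e5-a1b2c3d4}\WINDOWS\SYSTEM32\KERNEL32.DLL",
    ]
    strings = "".join(s + "\x00" for s in loaded).encode("utf-16-le")
    info = bytearray(224)  # file-information section, begins at absolute offset 84
    struct.pack_into("<II", info, 16, 84 + 224, len(strings))  # filename strings offset/size
    for i, dt in enumerate(runs):
        struct.pack_into("<Q", info, 44 + 8 * i, to_filetime(dt))  # absolute 0x80 + 8*i
    struct.pack_into("<I", info, 124, len(runs))  # run counter at absolute 0xD0
    header = struct.pack("<I4sII60sII", 30, b"SCCA", 0x11, 84 + 224 + len(strings),
                         "CALC.EXE".encode("utf-16-le"), 0x7A6D8B1C, 0)
    return header + bytes(info) + strings


if __name__ == "__main__":
    for key, value in parse_prefetch(build_sample_v30()).items():
        print(f"{key}: {value}")
```

On a Windows 10 or 11 host the raw files in C:\Windows\Prefetch will trip the compression check; decompress them first (any LZXPRESS Huffman implementation works) and feed the result to parse_prefetch. The path hash in the output is what the filename carries, so it is the join key back to the executable's location, not to its content.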
Amcache — the inventory story
Amcache is a registry hive (Amcache.hve) that the Windows Application Compatibility infrastructure populates, both when a binary is run and when the Microsoft Compatibility Appraiser scheduled task inventories the system. It therefore records metadata for binaries the system has seen, not only the ones it has run, and an Amcache entry by itself is not proof of execution. This makes Amcache the broader inventory: a SHA-1 of each file (stored with a 0000 prefix and computed over at most the first 30 MiB, so it will not equal the full-file hash of a larger binary), file size, publisher and version strings from the PE version resource, the PE link timestamp, install dates for registered programs, and, for individual files, the entry's key last-write time, which approximates when the file was first catalogued rather than when it was installed.
Where prefetch tells you a program ran eight times last Tuesday, Amcache tells you the program exists, what its SHA-1 is, and roughly when it appeared on the system. The two combine well once you join them on the path: the hash in the NAME-HASH.pf filename is derived from the executable's path, not its content, so resolve that path (the .pf file's own volume and loaded-file list usually reveals it) and look it up in Amcache. Prefetch's run count plus Amcache's hash is then enough to say "this exact binary was executed N times", with two caveats: Amcache holds the hash as of its last scan, so a file replaced in place after that scan still carries the old hash, and for files over 30 MiB you must recompute the truncated hash before comparing.
For Amcache parsing, see the Amcache Parser.
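The 30 MiB truncation is the detail that bites when an analyst hashes a suspect file on disk and finds it does not match Amcache. The following is an added example for this page, not the Amcache Parser's own code: it reproduces Amcache's hashing rule (SHA-1 over at most the first 31,457,280 bytes, reported with a 0000 prefix, the FileId value on current hives) and compares a candidate file against a recorded FileId while flagging when the stored hash covers only a prefix. The sample inputs are constructed byte strings, not real binaries.

```python
import hashlib

# Amcache hashes only the leading 31,457,280 bytes (30 MiB) of a file and stores the
# result with a "0000" prefix (FileId value under InventoryApplicationFile).
AMCACHE_HASH_LIMIT = 31_457_280
CHUNK = 1 << 20


def amcache_file_id(data: bytes, limit: int = AMCACHE_HASH_LIMIT) -> str:
    """Return the SHA-1 in Amcache's own form for an in-memory file image."""
    return "0000" + hashlib.sha1(memoryview(data)[:limit]).hexdigest()


def amcache_file_id_for_path(path: str, limit: int = AMCACHE_HASH_LIMIT) -> str:
    """Same computation streamed from disk, so a multi-GB installer is not read whole."""
    h = hashlib.sha1()
    remaining = limit
    with open(path, "rb") as fh:
        while remaining > 0:
            chunk = fh.read(min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return "0000" + h.hexdigest()


def full_sha1(data: bytes) -> str:
    """The hash a threat-intel feed or VirusTotal lookup expects: the whole file."""
    return hashlib.sha1(data).hexdigest()


def compare_with_amcache(data: bytes, recorded_file_id: str) -> dict:
    """Check a candidate file against a FileId pulled from Amcache.hve.

    'truncated' warns that the file is longer than the hashed prefix, so a match
    here does not establish that the whole file is identical to what Amcache saw.
    """
    expected = amcache_file_id(data)
    return {
        "matches": expected.lower() == recorded_file_id.lower(),
        "truncated": len(data) > AMCACHE_HASH_LIMIT,
        "amcache_sha1": expected[4:],
        "full_sha1": full_sha1(data),
    }


if __name__ == "__main__":
    # Constructed inputs: a small fake PE image and one just past the 30 MiB boundary.
    small = b"MZ" + bytes(range(256)) * 64
    big = b"MZ" + b"\x90" * AMCACHE_HASH_LIMIT
    for name, blob in (("small", small), ("big", big)):
        print(name, compare_with_amcache(blob, amcache_file_id(blob)))
```

The practical rule this encodes: always compare an on-disk file to Amcache with amcache_file_id (or the streamed variant), and only use full_sha1 for external lookups. When "truncated" is true, a matching Amcache hash still leaves the tail of the file unverified.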
ShimCache — the compatibility story
ShimCache (also called AppCompatCache) is older and shallower than the other two. It records the file path and the file's last-modified ($STANDARD_INFORMATION) timestamp, which is not an execution time, with a cap of 1024 entries on Windows 7 and later. Windows 7 and 8 entries carry an insert flag that marks the file as actually executed; Windows 10 dropped it, so on current systems an entry proves only that the compatibility infrastructure saw the file (listing it in Explorer can be enough), not that it ran. The cache is kept in memory and flushed to the registry at shutdown or reboot, so the on-disk value on a live machine lags behind what the kernel currently holds. It exists primarily to feed the application-compatibility shimming engine, not to serve forensics.
ShimCache wins in one specific scenario: when prefetch has been disabled or wiped and Amcache is unavailable, ShimCache may still hold a record of the path. It is also useful as a corroboration source, but compare like with like: prefetch gives run times, Amcache gives a key last-write time, and ShimCache gives the file's modification time, so the three will not share a timestamp. What they can agree on is the path and, through Amcache, the binary's identity; when all three line up on those, the evidence is strong.
Which one first?
For most "did this program run" investigations, the order is:
- Prefetch for execution evidence: run count, last-run times, and the load fingerprint
- Amcache for the hash, version strings, and the broader inventory of binaries present
- ShimCache as a corroborating fallback when the first two are incomplete or suspect, bearing in mind that on Windows 10 it shows presence, not execution
Each parser in this fleet handles one of these artifacts. Together they cover the gap that any single one of them leaves.