"Malware can hide, but it must run" are legendary words for any forensic investigator to live by. As we peek days, weeks, months, sometimes even years back in time, what artifacts are available to help us determine if malware did run? If only there was a native artifact that contained execution information...but wait, there is! In this talk, we will examine Windows execution artifacts including the ShimCache, RecentFileCache, and the newer Amcache hive found in Windows 8 and 10. We will examine the structures of these artifacts, as well as the different points of information recorded by each. Lastly, we will also discuss ways for the forensic investigator to include these artifacts in their investigation, including various parsing tools and analysis techniques.