One Day Sec

Where are registry-based file execution records like ShimCache and UserAssist stored, and how can I parse them?

ShimCache is stored in `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache` and records up to 1024 entries on Windows 7+. It can be parsed with tools such as AppCompatCacheParser.exe or the Python ShimCacheParser. UserAssist is located in `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist` and records execution counts and timestamps, with the value names ROT-13 encoded. Use tools such as UserAssistView.exe or Didier Stevens' C# parser. MUICache and RunMRU are other registry locations that store recent execution data. For clearing individual records, see Penetration Techniques - Clearing Single Records in RecentFileCache.bcf and Amcache.hve.
Tags: ShimCache, AppCompatCache, UserAssist, ROT-13, registry forensics, parsing tools, MUICache, RunMRU
