How to extract the shimcache from memory and disk images

This requires a mounted disk image (or an extracted SYSTEM hive) for the on-disk copy of the cache, or a memory dump for the live copy.

Using ShimCacheParser.py you get a list of the executables recorded in the shimcache (the AppCompatCache registry value), and depending on the version of Windows you also get each file's last modified time and a flag saying whether it was actually executed. The execution flag exists on Windows XP through Windows 7 / 2008 R2; Windows 8 and later dropped it, so on those systems presence in the cache alone does not prove execution. Entries are added or refreshed when a file is run, but also by other activity that touches it, for instance Explorer listing the directory it sits in, and the timestamp stored with each entry is the file's $STANDARD_INFORMATION last modified time from NTFS, not the time it was executed. The entries are kept in most-recently-used order, which on Windows 8 and later is the only timing information you get.

Grab the script from here: https://raw.githubusercontent.com/mandiant/ShimCacheParser/master/ShimCacheParser.py

The script is Python 2 (it was written for 2.7), and it runs on Windows, Linux or macOS as long as you can get Python 2.7 and the python-registry module installed: run pip install python-registry to satisfy the dependency. Only the -l option, which reads the registry of the machine the script is running on, needs Windows.

python ShimCacheParser.py -i /path/to/windows/system32/config/SYSTEM --bom -o shimcacheparser-results.csv
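What the script is decoding out of the hive, as an added example written for this page rather than code from ShimCacheParser or Mandiant: a minimal parser for the Windows 7 / 2008 R2 64-bit layout of the AppCompatCache value (other Windows versions use different headers and entry records, which this example does not handle). On a real system the value bytes come from the SYSTEM hive's ControlSet00X\Control\Session Manager\AppCompatCache key, read with python-registry; here the input is a sample built by build_sample_blob, and the paths, timestamps and flags in SAMPLE are made up for the example.

```python
import struct
from datetime import datetime, timedelta

# Layout of the Windows 7 / 2008 R2 AppCompatCache value on 64-bit hosts, as
# documented by Mandiant's ShimCacheParser: a 0x80-byte header whose first two
# DWORDs are the magic and the entry count, then fixed-size entry records,
# then the UTF-16LE path strings the records point at.
CACHE_MAGIC_NT6_1 = 0xBADC0FEE
HEADER_SIZE_NT6_1 = 0x80
# path len, path max len, pad, path offset, FILETIME lo/hi,
# file flags, flags, blob size, blob offset
ENTRY_FMT_WIN7_64 = "<2H4xQ2I2I2Q"
ENTRY_SIZE_WIN7_64 = struct.calcsize(ENTRY_FMT_WIN7_64)  # 48 bytes
CSRSS_FLAG = 0x2  # set in the file flags when the entry was inserted on execution

FILETIME_EPOCH = datetime(1601, 1, 1)


def filetime_to_datetime(lo, hi):
    """Convert a split 64-bit FILETIME (100 ns ticks since 1601) to a datetime."""
    ticks = (hi << 32) | lo
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when):
    """Inverse of filetime_to_datetime; integer arithmetic so values round-trip."""
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_win7_64(blob):
    """Return the entries of a Win7 x64 AppCompatCache value, most recent first."""
    magic, count = struct.unpack_from("<II", blob, 0)
    if magic != CACHE_MAGIC_NT6_1:
        raise ValueError("not a Windows 7 / 2008 R2 AppCompatCache value (magic 0x%08x)" % magic)
    entries = []
    offset = HEADER_SIZE_NT6_1
    for _ in range(count):
        (path_len, _path_max, path_off, ft_lo, ft_hi,
         file_flags, _flags, _blob_size, _blob_off) = struct.unpack_from(ENTRY_FMT_WIN7_64, blob, offset)
        path = blob[path_off:path_off + path_len].decode("utf-16-le")
        entries.append({
            "path": path,
            # the file's $STANDARD_INFORMATION modified time, not an execution time
            "last_modified": filetime_to_datetime(ft_lo, ft_hi),
            "executed": bool(file_flags & CSRSS_FLAG),
        })
        offset += ENTRY_SIZE_WIN7_64
    return entries


def build_sample_blob(items):
    """Build a value in the same layout from (path, last_modified, executed) tuples.

    Only used to construct test input for this example; a real value comes from
    the SYSTEM hive's ControlSet00X\\Control\\Session Manager\\AppCompatCache key.
    """
    header = struct.pack("<II", CACHE_MAGIC_NT6_1, len(items)).ljust(HEADER_SIZE_NT6_1, b"\x00")
    strings_start = HEADER_SIZE_NT6_1 + ENTRY_SIZE_WIN7_64 * len(items)
    table, strings = b"", b""
    for path, when, executed in items:
        encoded = path.encode("utf-16-le")
        ticks = datetime_to_filetime(when)
        table += struct.pack(ENTRY_FMT_WIN7_64,
                             len(encoded), len(encoded) + 2,
                             strings_start + len(strings),
                             ticks & 0xFFFFFFFF, ticks >> 32,
                             CSRSS_FLAG if executed else 0, 0, 0, 0)
        strings += encoded + b"\x00\x00"  # NUL-terminated like the real value
    return header + table + strings


# Constructed sample, not data from a real system: MRU order, Win7-style \??\ paths.
SAMPLE = [
    (r"\??\C:\Users\alice\Downloads\invoice.exe", datetime(2018, 3, 2, 9, 15, 0), True),
    (r"\??\C:\Windows\System32\svchost.exe", datetime(2009, 7, 14, 1, 39, 46), True),
    (r"\??\C:\Tools\unused.exe", datetime(2017, 11, 5, 18, 0, 0), False),
]


if __name__ == "__main__":
    for entry in parse_win7_64(build_sample_blob(SAMPLE)):
        print("%s  %s  executed=%s" % (entry["last_modified"], entry["path"], entry["executed"]))
```

Note what the output can and cannot tell you: last_modified is the file's NTFS modified time, and executed is only meaningful on the Windows versions that keep the CSRSS insert flag; on Windows 8 and later the field does not exist and only the MRU order survives, which is why ShimCacheParser leaves the execution column empty there.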

This file lists the content of the shimcache as of the last time it was written to the registry, which happens at shutdown. The hive of a machine that was hard-powered off, or that was imaged while running, is therefore missing whatever was added to the cache since the last clean shutdown. A memory dump gives you the live cache instead:

volatility -f /path/to/memory/dump.001 --profile=<profile> --output=csv --output-file=shimcachemem-results.csv shimcachemem -c 2>/dev/null

The -c option of shimcachemem strips the kernel namespace and UNC prefixes from the paths so they line up with the ShimCacheParser output; the 2>/dev/null only hides Volatility's warnings, so leave it off until you have confirmed the profile is right.

Check your version of Volatility: the one you get from apt-get install (2.5 and older) has no shimcachemem, only a plugin called shimcache. The two are not the same thing. shimcache parses the AppCompatCache value from the copy of the SYSTEM hive that is cached in memory, i.e. the same data you get from the hive on disk, whereas shimcachemem (Volatility 2.6 and later) walks the kernel's in-memory cache structures and so also shows the entries that have not been flushed to the registry yet.