# AmcacheParser CLI cheatsheet: every flag, with worked examples
This is the practical, copy-pasteable reference for
AmcacheParser.exe. For background on what the tool does, see the
AmcacheParser complete guide.
For details on the CSV it produces, see
AmcacheParser output columns explained.
## Flag reference

### Required

| Flag | Description |
|---|---|
| `-f <path>` | Path to the Amcache.hve file to parse. One hive per run: AmcacheParser has no directory-recursion switch, so batch work is done by looping over the hives you collected (see Example 2) or by letting KAPE's module drive the parser. |
### Output

| Flag | Description |
|---|---|
| `--csv <dir>` | Required. Directory where the per-category CSVs are written. |
| `--csvf <name>` | Optional. Base filename for the CSVs; when present it overrides the default, timestamp-prefixed name. Multi-host triage: set it to `<HOSTNAME>_amcache.csv` so the CSVs sort cleanly by host. |
### Filters & inclusion

| Flag | Description |
|---|---|
| `-i` | Include file entries for program entries: also write the file entries that are linked to a ProgramEntries row (the AssociatedFileEntries CSV). Off by default; without it only the unassociated file entries, which are usually the interesting set, are written. |
| `-w <file>` | Whitelist: a text file of SHA-1 hashes (one per line) to *exclude* from the results. Use it to drop a known-good baseline. |
| `-b <file>` | Blacklist: a text file of SHA-1 hashes to *include*; only matching entries are written. Blacklisting overrides whitelisting. |
| `--mp` | More precision: print timestamps with full sub-second precision instead of the default one-second granularity. Costs nothing and is almost always what you want when lining rows up against other timelines. |
| `--dt <format>` | Custom .NET date/time format for every timestamp column. Default is `yyyy-MM-dd HH:mm:ss`. |
| `--nl` | Ignore the transaction logs of a dirty hive even when they are present (rarely correct; see warning below). |
### Logging & debug

| Flag | Description |
|---|---|
| `--debug` | Show debug information on the console during processing. Use it when a parse looks wrong. |
| `--trace` | Show trace information, the most verbose level. Redirect it to a file; the output is large. |
## Common combinations

The "good defaults" invocation most analysts standardise on:

```powershell
AmcacheParser.exe -f <hive> --csv <outdir> --csvf <HOSTNAME>_amcache.csv --mp
```

Add `-i` when you also need the file entries that are linked to a program (the AssociatedFileEntries CSV), for example when tracing a hijacked DLL that sits under a legitimate product's install path. Without it only the unassociated file entries are written, which is usually the set you pivot on.

Transaction logs warning. Amcache.hve writes through .LOG1/.LOG2 like any registry hive. Always collect the logs alongside the hive, and never pass `--nl` unless you have a specific reason to ignore them: a dirty hive parsed without its logs silently lacks the most recent activity.
## Worked examples

### Example 1 — single host, single hive

```powershell
AmcacheParser.exe `
  -f 'C:\Triage\HOST01\Windows\AppCompat\Programs\Amcache.hve' `
  --csv 'C:\Triage\HOST01\out' `
  --csvf 'HOST01_amcache.csv' `
  --mp
```

Produces:

```text
C:\Triage\HOST01\out\
├── HOST01_amcache_UnassociatedFileEntries.csv
├── HOST01_amcache_ProgramEntries.csv
├── HOST01_amcache_ShortcutEntries.csv
├── HOST01_amcache_DriverBinaries.csv
├── HOST01_amcache_DevicePnps.csv
└── HOST01_amcache_DeviceContainers.csv
```

Pass `-i` as well and `HOST01_amcache_AssociatedFileEntries.csv` joins the list. The category suffix is what to key on; the prefix follows whatever you gave `--csvf`.
### Example 2 — batch many hives with PowerShell

When you have collected hives from 50 hosts into a single tree:

```powershell
$root    = 'C:\Cases\2026-INC-042\collected'
$outRoot = 'C:\Cases\2026-INC-042\parsed'
$parser  = 'C:\Tools\ZTools\net6\AmcacheParser\AmcacheParser.exe'

Get-ChildItem -Path $root -Filter Amcache.hve -Recurse | ForEach-Object {
    # Assume the parent path encodes the hostname, e.g. ...\HOST01\Windows\AppCompat\Programs\Amcache.hve
    $hostName = ($_.FullName -split '\\')[-5]
    $hostOut  = Join-Path $outRoot $hostName
    New-Item -ItemType Directory -Path $hostOut -Force | Out-Null

    # 2>&1 merges anything the parser writes to stderr into the same per-host log.
    & $parser `
        -f $_.FullName `
        --csv $hostOut `
        --csvf "${hostName}_amcache.csv" `
        --mp 2>&1 |
        Out-File (Join-Path $hostOut "${hostName}_amcache.log") -Encoding utf8

    # A non-zero exit code flags a hive that failed to parse outright.
    if ($LASTEXITCODE -ne 0) { Write-Warning "${hostName}: AmcacheParser exited with $LASTEXITCODE" }
}
```

The per-host log capture is the part most pipelines forget: you want to know which parses warned about missing logs or schema mismatches without re-running everything. The exit-code check is the cheap complement, so a hive that failed to parse at all does not hide among 49 clean ones.
### Example 3 — a tree of hives, without a recurse switch

AmcacheParser takes exactly one hive per run via `-f`; it has no directory-recursion option. If your collection already lives in a tree, either drive the parser with the PowerShell loop in Example 2, or hand the tree to KAPE and let its AmcacheParser module walk it (see KAPE integration below). `--csvf` applies per run, so keep the hostname in it either way.
### Example 4 — non-Windows analyst host

On Linux or macOS with the .NET runtime installed:

```sh
dotnet /opt/ztools/net6/AmcacheParser/AmcacheParser.dll \
  -f /cases/inc-042/HOST01/Amcache.hve \
  --csv /cases/inc-042/HOST01/out \
  --csvf HOST01_amcache.csv \
  --mp
```

Same flags, same output. If your team is fully non-Windows and you just need triage, the browser-based parser on this site removes the .NET dependency entirely: drop a hive and read the categories without installing anything.
## KAPE integration

KAPE handles both collection and parsing. The canonical pattern:

```powershell
# Collect the hive + transaction logs (KAPE reads the locked live hive via raw disk access)
.\kape.exe `
  --tsource C: `
  --target Amcache `
  --tdest .\out\HOST01\collected

# Parse the collected hive with AmcacheParser
.\kape.exe `
  --msource .\out\HOST01\collected `
  --module AmcacheParser `
  --mdest .\out\HOST01\parsed
```

KAPE's AmcacheParser module wraps the CLI flags above and writes the CSVs into `--mdest` with sensible filenames. The two-step `--tsource` → `--msource` pattern keeps collection and parsing auditable: the collection step's output is unaltered evidence, and the parse step is reproducible from it.

For one-shot triage you can collapse this to a single call by passing the target options (`--tsource`, `--target`, `--tdest`) and the module options (`--module`, `--mdest`) together; KAPE then uses `--tdest` as the module source. Most engagement playbooks still prefer the two-step variant.
## Velociraptor integration

The artefact Windows.Forensics.Amcache collects the hive, downloads AmcacheParser if not already cached, runs it, and uploads the CSV to the server. Typical hunt config:

```yaml
artifacts:
  - Windows.Forensics.Amcache
parameters:
  - name: AmcacheGlob
    value: 'C:\Windows\AppCompat\Programs\Amcache.hve*'
```

The glob with `*` is intentional: it pulls the hive and both transaction logs in one go. The artefact handles the rest server-side.

For fleet-wide hunting, schedule the artefact on a regular cadence (weekly is typical) and route the resulting UnassociatedFileEntries rows into your SIEM. A pivot such as `FileKeyLastWriteTimestamp > now - 7d AND Publisher = '' AND IsPeFile = true` is cheap and answers one narrow question well: "a PE with no publisher appeared on this host this week." It is noisy (installers, updaters and developer tooling all match), so treat hits as triage leads rather than alerts, and add `IsOsComponent = false` to drop Windows servicing churn.
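The pivot above as a PowerShell function over an UnassociatedFileEntries CSV, run against a constructed four-row sample. This is an added example, not Velociraptor's or AmcacheParser's code: `Find-NewUnattributedPe` is a hypothetical name, the CSV is constructed here with a subset of the real header, and the `Publisher` column in particular should be confirmed against your parser version's output before the filter goes into production.

```powershell
# Added example: the "new PE with no publisher" pivot from the text, as a reusable
# function over AmcacheParser's UnassociatedFileEntries CSV. Function name and the
# sample rows below are constructed for this example.
function Find-NewUnattributedPe {
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        [datetime] $Since = (Get-Date).AddDays(-7)   # "now - 7d" from the pivot
    )
    Import-Csv -LiteralPath $CsvPath | Where-Object {
        # --mp output carries seven fractional digits; the [datetime] cast uses the
        # invariant culture, so second- and sub-second timestamps parse the same way.
        [datetime]$_.FileKeyLastWriteTimestamp -ge $Since -and
        [string]::IsNullOrWhiteSpace($_.Publisher) -and
        $_.IsPeFile -eq 'True'
    } | Select-Object FullPath, SHA1, FileKeyLastWriteTimestamp
}

# Constructed sample (subset of the real columns): an OS binary with a publisher,
# a recent unattributed EXE, an old unattributed EXE, and a recent non-PE file.
$sample = @'
FullPath,SHA1,Publisher,IsPeFile,IsOsComponent,FileKeyLastWriteTimestamp
c:\windows\system32\notepad.exe,0000000000000000000000000000000000000001,Microsoft Corporation,True,True,2026-03-01 09:00:00.0000000
c:\users\alice\appdata\local\temp\update.exe,0000000000000000000000000000000000000002,,True,False,2026-03-03 22:14:07.1234567
c:\program files\vendor\old.exe,0000000000000000000000000000000000000003,,True,False,2025-12-01 10:00:00.0000000
c:\users\alice\downloads\notes.txt,0000000000000000000000000000000000000004,,False,False,2026-03-03 08:00:00.0000000
'@
$csv = Join-Path ([IO.Path]::GetTempPath()) 'sample_UnassociatedFileEntries.csv'
Set-Content -LiteralPath $csv -Value $sample -Encoding utf8

# Pin the reference time so the sample is deterministic: only update.exe should match.
Find-NewUnattributedPe -CsvPath $csv -Since ([datetime]'2026-02-25') | Format-Table -AutoSize
```

Point the function at a real `<HOSTNAME>_amcache_UnassociatedFileEntries.csv` and leave `-Since` at its default to get the "last seven days" view; feed the rows to your SIEM rather than paging on them, for the noise reasons given above.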
## Operational tips

A handful of patterns that come up on real engagements:

- Always collect transaction logs. AmcacheParser will warn but continue if they are missing; you lose the most recent writes silently.
- Use `--csvf <HOSTNAME>_amcache.csv`. When you stack 50 hosts' CSVs into one folder for cross-host pivots, hostnames in filenames save you.
- Run `--mp` by default. It only adds sub-second precision to the timestamps, but that precision is what lets you order Amcache writes against $MFT, USN and event-log timelines that already carry it.
- Never run AmcacheParser against the live hive on a suspect host. Copy the hive plus `.LOG1` and `.LOG2` first (the live hive is held open by Windows, so use KAPE or another raw-copy tool). Even though the parser opens read-only, evidentially you want a hashed copy.
- Hash the input hive before parsing and store the hash next to the CSV output. That tiny extra step keeps chain of custody clean if the case ever goes to court.
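The last three tips as one script: copy the hive and its logs out of a triage tree, hash the originals and the copies, parse the copy, and hash the CSVs that come out. This is an added example, not code from the page, from AmcacheParser, or from KAPE. It assumes a triage tree already collected with KAPE or a similar raw-copy tool (a live hive is held open and cannot simply be copied), hypothetical paths under `C:\Triage` and `C:\Cases`, and AmcacheParser at `C:\Tools\ZTools\net6`.

```powershell
# Added example (not part of the original page or of AmcacheParser): evidence-handling
# wrapper around a single AmcacheParser run. Paths are hypothetical; the triage tree is
# assumed to have been collected by KAPE or similar, not copied off a live host by hand.
param(
    [Parameter(Mandatory)] [string] $TriageRoot,   # e.g. C:\Triage\HOST01
    [Parameter(Mandatory)] [string] $CaseDir,      # e.g. C:\Cases\2026-INC-042\HOST01
    [string] $Parser = 'C:\Tools\ZTools\net6\AmcacheParser\AmcacheParser.exe'
)

$hostName = Split-Path $TriageRoot -Leaf
$srcDir   = Join-Path $TriageRoot 'Windows\AppCompat\Programs'
$evidence = Join-Path $CaseDir 'evidence'
$parsed   = Join-Path $CaseDir 'parsed'
New-Item -ItemType Directory -Path $evidence, $parsed -Force | Out-Null

# The hive is useless for recent activity without its logs, so treat the trio as one
# unit: fail if the hive is missing, warn loudly if a log is.
$hive = Join-Path $srcDir 'Amcache.hve'
if (-not (Test-Path -LiteralPath $hive)) { throw "No Amcache.hve under $srcDir" }
$files = @($hive)
foreach ($ext in '.LOG1', '.LOG2') {
    $log = "$hive$ext"
    if (Test-Path -LiteralPath $log) { $files += $log }
    else { Write-Warning "${hostName}: $log not present; the most recent writes may be missing" }
}

# Copy, then hash both original and copy: the manifest proves the copy is faithful.
$manifest = @(foreach ($f in $files) {
    $dst = Join-Path $evidence (Split-Path $f -Leaf)
    Copy-Item -LiteralPath $f -Destination $dst -ErrorAction Stop
    $srcHash = (Get-FileHash -LiteralPath $f   -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw "Copy of $f does not match its source hash" }
    [pscustomobject]@{
        Host = $hostName; Role = 'input'; File = $dst; Sha256 = $dstHash
        RecordedUtc = (Get-Date).ToUniversalTime().ToString('o')
    }
})

# Parse the copy, never the original. Merge stderr into the log and check the exit code.
$log = Join-Path $parsed "${hostName}_amcache.log"
& $Parser -f (Join-Path $evidence 'Amcache.hve') --csv $parsed --csvf "${hostName}_amcache.csv" --mp 2>&1 |
    Out-File -LiteralPath $log -Encoding utf8
if ($LASTEXITCODE -ne 0) { throw "AmcacheParser exited with $LASTEXITCODE; see $log" }

# Hash the outputs as well, so a later re-run can be compared against this one.
$outputs = @(Get-ChildItem -LiteralPath $parsed -Filter '*.csv' | ForEach-Object {
    [pscustomobject]@{
        Host = $hostName; Role = 'output'; File = $_.FullName
        Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        RecordedUtc = (Get-Date).ToUniversalTime().ToString('o')
    }
})
$manifest += $outputs
$manifest | Export-Csv -LiteralPath (Join-Path $CaseDir "${hostName}_manifest.csv") -NoTypeInformation
```

Run it once per host (`.\Invoke-AmcacheEvidence.ps1 -TriageRoot C:\Triage\HOST01 -CaseDir C:\Cases\2026-INC-042\HOST01`, with whatever filename you save it under). The manifest sits beside the CSVs and records input and output hashes together, which is exactly what a re-parse months later, or opposing counsel, will ask for.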
## See also
- AmcacheParser complete guide — the canonical reference for the tool.
- AmcacheParser output columns explained — every CSV column, decoded.
- AmcacheParser download guide — where to get the tool, with verification patterns.
- Understanding Amcache for Windows forensics — what the hive records and why it matters.
Want to read a hive right now without standing any of this up? Drop one on the parser home page — entirely in your browser, nothing uploaded.