AmcacheParser download guide: official sources, mirrors, and verification

This is the practical guide to getting AmcacheParser onto an analyst workstation. Full internet access, restricted proxy, or fully air-gapped lab. For background on the tool, see the AmcacheParser complete guide.

Download from a source you can verify. Eric Zimmerman's tools are widely mirrored and just as widely typo-squatted. The official sources are ericzimmerman.github.io and github.com/EricZimmerman. Anything else, verify before you run.

Official sources#

The installer keeps the whole suite, AmcacheParser included, up to date with one command. Downloads only the framework-dependent .NET builds, keeping the footprint small.

# Run from elevated PowerShell
New-Item -ItemType Directory -Path 'C:\Tools\ZTools' -Force | Out-Null
Set-Location 'C:\Tools\ZTools'
 
Invoke-WebRequest `
  -Uri 'https://raw.githubusercontent.com/EricZimmerman/Get-ZimmermanTools/master/Get-ZimmermanTools.ps1' `
  -OutFile 'Get-ZimmermanTools.ps1'
 
# .NET 6 build (works on Server 2019+ without extra setup)
.\Get-ZimmermanTools.ps1 -Dest 'C:\Tools\ZTools' -NetVersion 6

After it finishes:

C:\Tools\ZTools\
└── net6\
    └── AmcacheParser\
        ├── AmcacheParser.exe
        ├── AmcacheParser.dll
        └── ... (.NET runtime deps)

Re-run weekly (or via a scheduled task) to stay current. The script writes a !!!RemoteFileDetails.csv next to itself with the SHA-1 of every downloaded archive. Useful chain-of-custody evidence if you're publishing your own internal mirror.

2. Direct download from ericzimmerman.github.io#

If your egress blocks raw GitHub but allows github.io, the landing page at ericzimmerman.github.io lists every tool with a direct zip link. Download, unzip, run.

3. KAPE bundle#

KAPE ships AmcacheParser inside Modules\bin after you run Get-KAPEUpdate.ps1. You don't download separately. It lands as a dependency of the AmcacheParser module. Right path if you already use KAPE for collection.

4. Velociraptor artefact#

Velociraptor's Windows.Forensics.Amcache artefact downloads AmcacheParser the first time it runs and caches it on the endpoint under Tools. Configure the source URL once in the server's Tools settings. Every hunt that needs it pulls from your cache.

Verifying the download#

Eric does not currently publish detached signatures. The practical path:

  1. TLS pinning to github.io / github.com. Non-negotiable. Do not pull AmcacheParser over plain HTTP from a random mirror.
  2. Record the SHA-256 of the archive on first download, store it in your internal artefact registry, compare every subsequent pull against the stored value.
# Record the hash on first download
Get-FileHash -Algorithm SHA256 '.\AmcacheParser.zip' |
  Format-List Algorithm, Hash, Path

If your organisation operates an internal package mirror (Artifactory, Nexus, a Git-LFS bucket), the standard pattern:

  • Download once over the open internet on a clean build host.
  • Hash, sign with your internal signing key, upload to the mirror.
  • Every analyst workstation pulls from the signed internal mirror.

That way an analyst at 02:00 on a P1 never has to make a trust decision about a random mirror under time pressure.

System requirements#

Component Requirement
OS (native) Windows 10 / 11 / Server 2016+
OS (cross-platform) Linux / macOS via dotnet AmcacheParser.dll
Runtime .NET 6 or .NET 9 (matching the build)
RAM ~200 MB per parse; much less for typical hives
Disk Negligible (CSV output is normally <50 MB per host)

Eric publishes both framework-dependent and self-contained builds. Framework-dependent is ~2 MB but needs the .NET runtime installed. Self-contained is ~80 MB and runs on a host with no .NET. Pick self-contained for triage USB sticks.

Air-gapped install pattern#

For labs with no internet egress:

  1. On an internet-connected build host, run Get-ZimmermanTools.ps1 -Dest .\offline -NetVersion 6.
  2. Add the self-contained AmcacheParser archive from ericzimmerman.github.io so analysts on hosts without .NET still work.
  3. Zip the offline\ directory along with the !!!RemoteFileDetails.csv manifest. Hash the zip.
  4. Transfer across the air gap on labelled removable media or through a one-way diode.
  5. On the air-gapped side, verify the hash against the manifest before extracting.

Repeat on a defined cadence (monthly is typical) so the offline lab does not drift more than a release behind the public build.

A no-install alternative for triage#

If "install AmcacheParser" is itself the blocker (locked-down kiosk, non-Windows analyst laptop, classroom of students), the parser hosted on this site is a re-implementation of the read path in Rust + WebAssembly. Drop a hive on the home page and you get the same categories and fields without installing anything. The file is parsed entirely in your browser. Nothing is uploaded.

The browser version covers triage and education. For full investigations on a Windows analyst workstation, use Eric's official AmcacheParser.exe. It's the canonical implementation and produces the CSV format every downstream tool expects.

Further reading#

Related posts

Back to all posts