AmcacheParser download guide: official sources, mirrors, and verification

This is the practical guide to getting AmcacheParser onto an analyst workstation, whether you have full internet access, a restricted proxy, or a fully air-gapped lab. For background on what the tool does, see the AmcacheParser complete guide.

Always download from a source you can verify. Eric Zimmerman's tools are widely mirrored and just as widely typo-squatted. The official sources are ericzimmerman.github.io and github.com/EricZimmerman. Anything else — verify before you run.

Official download sources

The installer script keeps the whole suite — AmcacheParser included — up to date with one command. It downloads only the framework-dependent .NET builds, which keeps the footprint small.

# Run from an elevated PowerShell prompt
New-Item -ItemType Directory -Path 'C:\Tools\ZTools' -Force | Out-Null
Set-Location 'C:\Tools\ZTools'

Invoke-WebRequest `
  -Uri 'https://raw.githubusercontent.com/EricZimmerman/Get-ZimmermanTools/master/Get-ZimmermanTools.ps1' `
  -OutFile 'Get-ZimmermanTools.ps1'

# Pull the .NET 6 builds (works on Windows Server 2019+ without extra setup)
.\Get-ZimmermanTools.ps1 -Dest 'C:\Tools\ZTools' -NetVersion 6

After it finishes you will have:

C:\Tools\ZTools\
└── net6\
    └── AmcacheParser\
        ├── AmcacheParser.exe
        ├── AmcacheParser.dll
        └── ... (.NET runtime deps)

Re-run the script weekly (or via a scheduled task) to stay current. The script also writes a !!!RemoteFileDetails.csv next to itself with the SHA-1 of every downloaded archive — useful evidence for chain of custody if you are publishing your own internal mirror.

2. Direct download from ericzimmerman.github.io

If your egress policy blocks raw GitHub but allows github.io, the landing page at ericzimmerman.github.io lists every tool with a direct zip link. Download, unzip, and AmcacheParser.exe runs in place.

3. KAPE bundle

KAPE ships AmcacheParser inside its Modules\bin directory after you run Get-KAPEUpdate.ps1. You do not download AmcacheParser separately — it lands as a dependency of the AmcacheParser module. This is the right path if you already standardise on KAPE for collection.

4. Velociraptor artifact

Velociraptor's Windows.Forensics.Amcache artifact downloads AmcacheParser the first time it runs and caches it on the endpoint under Tools. You configure the source URL once in the server's Tools settings; thereafter, every hunt that needs it pulls from your cache.


Verifying the download

Eric does not currently publish detached signatures, so the practical verification path is:

  1. TLS pinning to github.io / github.com — non-negotiable. Do not pull AmcacheParser over plain HTTP from a random mirror.
  2. Record the SHA-256 of the archive on first download, store it in your internal artifact registry, and compare every subsequent pull against the stored value.

# Record the hash the first time
Get-FileHash -Algorithm SHA256 '.\AmcacheParser.zip' |
  Format-List Algorithm, Hash, Path

If your organisation operates an internal package mirror (Artifactory, Nexus, a Git-LFS bucket), the standard pattern is:

  • Download once over the open internet on a clean build host.
  • Hash, sign with your internal signing key, and upload to the mirror.
  • Have every analyst workstation pull from the signed internal mirror.

That way an analyst at 02:00 on a P1 never has to make a trust decision about a random mirror under time pressure.
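The signed-mirror pattern above, as an added example (not code from this page or from Eric Zimmerman's tools): on the clean build host, hash the downloaded suite into a Windows file catalog and sign the catalog with your internal code-signing certificate; each analyst workstation then checks the signature and every file hash before trusting the tools. The tool path, catalog path and certificate thumbprint are placeholders, and the internal CA is assumed to be trusted on the workstations.

```powershell
# Added example, not part of the page or of Get-ZimmermanTools.
$ToolRoot   = 'C:\Tools\ZTools'            # where Get-ZimmermanTools.ps1 put the suite
$Catalog    = 'C:\Tools\ZTools.cat'        # kept OUTSIDE $ToolRoot so it is not hashed into itself
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'     # thumbprint of your internal code-signing certificate

# --- build host: catalogue every file under $ToolRoot (SHA-256 entries) and sign the catalog ---
function New-SignedToolCatalog {
    New-FileCatalog -Path $ToolRoot -CatalogFilePath $Catalog -CatalogVersion 2.0 | Out-Null
    $cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
    Set-AuthenticodeSignature -FilePath $Catalog -Certificate $cert `
        -TimestampServer 'http://timestamp.digicert.com' | Out-Null
    # Publish $ToolRoot and $Catalog together to the internal mirror.
}

# --- analyst workstation: refuse to use the tools unless signature AND hashes check out ---
function Test-SignedToolCatalog {
    # 1. The catalog must carry a valid signature from OUR certificate, not merely any valid signature.
    $sig = Get-AuthenticodeSignature -FilePath $Catalog
    if ($sig.Status -ne 'Valid') {
        throw "Catalog signature is $($sig.Status); do not run tools from $ToolRoot"
    }
    if ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
        throw "Catalog signed by unexpected certificate $($sig.SignerCertificate.Thumbprint)"
    }
    # 2. Every file on disk must match the hash recorded in the catalog (extra or altered files fail).
    $result = Test-FileCatalog -CatalogFilePath $Catalog -Path $ToolRoot -Detailed
    if ($result.Status -ne 'Valid') {
        throw "Tool directory does not match catalog: $($result.Status)"
    }
    return $result   # CatalogInformation object: Status, HashAlgorithm, CatalogItems, PathItems
}
```

Run Test-SignedToolCatalog from the same scheduled task that refreshes the mirror pull, so a modified AmcacheParser.exe is caught before anyone reaches for it on a P1.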


System requirements

Component            Requirement
OS (native)          Windows 10 / 11 / Server 2016+
OS (cross-platform)  Linux / macOS via dotnet AmcacheParser.dll
Runtime              .NET 6 or .NET 9 (matching the build you downloaded)
RAM                  ~200 MB per hive parse; much less for typical hives
Disk                 Negligible (CSV output is normally <50 MB per host)

Eric publishes both framework-dependent and self-contained builds. The framework-dependent build is ~2 MB but requires the .NET runtime to be installed. The self-contained build is ~80 MB and runs on a host with no .NET installed — pick this one for triage USB sticks.


Air-gapped install pattern

For labs with no internet egress:

  1. On an internet-connected build host, run Get-ZimmermanTools.ps1 -Dest .\offline -NetVersion 6.
  2. Add the self-contained AmcacheParser archive from ericzimmerman.github.io so analysts on hosts without .NET still work.
  3. Zip the offline\ directory along with the !!!RemoteFileDetails.csv manifest. Hash the zip.
  4. Transfer the zip across the air gap on labelled removable media or through your one-way diode.
  5. On the air-gapped side, verify the hash against the manifest before extracting.

Repeat the procedure on a defined cadence (monthly is typical) so your offline lab does not drift more than a release behind the public build.
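Steps 3 and 5 of the air-gap procedure, as an added example (not code from this page or from Eric Zimmerman's tools): the build host writes its own per-file SHA-256 manifest into the offline\ directory, zips it and reports the bundle hash, which travels separately from the zip (on the media label or through a second channel); the air-gapped side refuses to extract unless the zip hash matches, then re-checks every extracted file against the manifest. Paths and the manifest file name are assumptions.

```powershell
# Added example, not part of the page or of Get-ZimmermanTools.
$ManifestName = 'MANIFEST.sha256.csv'   # our own manifest, alongside !!!RemoteFileDetails.csv

# --- build host: manifest every file in .\offline, zip the directory, return the bundle hash ---
function New-OfflineBundle {
    param([string]$Source = '.\offline', [string]$Bundle = '.\ztools-offline.zip')
    $root = (Resolve-Path $Source).Path
    Get-ChildItem -Path $root -Recurse -File |
        Where-Object Name -ne $ManifestName |
        ForEach-Object {
            [pscustomobject]@{
                # relative path so the manifest is valid wherever the bundle is extracted
                RelativePath = $_.FullName.Substring($root.Length).TrimStart('\')
                SHA256       = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            }
        } | Export-Csv -Path (Join-Path $root $ManifestName) -NoTypeInformation
    Compress-Archive -Path (Join-Path $root '*') -DestinationPath $Bundle -Force
    # This value goes on the media label / through the second channel, never inside the zip.
    return (Get-FileHash -Algorithm SHA256 -Path $Bundle).Hash
}

# --- air-gapped side: verify the zip hash BEFORE extracting, then verify each extracted file ---
function Install-OfflineBundle {
    param([string]$Bundle, [string]$ExpectedSha256, [string]$Dest = 'C:\Tools\ZTools')
    $actual = (Get-FileHash -Algorithm SHA256 -Path $Bundle).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        throw "Bundle hash mismatch (expected $ExpectedSha256, got $actual); not extracting"
    }
    Expand-Archive -Path $Bundle -DestinationPath $Dest -Force
    # A tampered zip that still matched its label is unlikely, but a partial/corrupt extraction is not.
    $bad = Import-Csv -Path (Join-Path $Dest $ManifestName) | Where-Object {
        $file = Join-Path $Dest $_.RelativePath
        -not (Test-Path $file) -or
        (Get-FileHash -Algorithm SHA256 -Path $file).Hash -ne $_.SHA256
    }
    if ($bad) {
        throw "Files failing manifest check: $($bad.RelativePath -join ', ')"
    }
    return "Verified $Dest against bundle $ExpectedSha256"
}
```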


A no-install alternative for triage

If "install AmcacheParser" is itself the blocker — locked-down kiosk, non-Windows analyst laptop, classroom of students — the parser hosted on this site is a re-implementation of the read path in Rust + WebAssembly. Drop a hive on the home page and you get the same categories and fields without installing anything. The file is parsed entirely in your browser; nothing is uploaded.

The browser version covers triage and education. For full investigations on a Windows analyst workstation, use Eric's official AmcacheParser.exe — it is the canonical implementation and produces the CSV format every downstream tool expects.

