AmcacheParser download guide: official sources, mirrors, and verification
This is the practical guide to getting AmcacheParser onto an analyst workstation. Full internet access, restricted proxy, or fully air-gapped lab. For background on the tool, see the AmcacheParser complete guide.
Download from a source you can verify. Eric Zimmerman's tools are widely mirrored and just as widely typo-squatted. The official sources are
ericzimmerman.github.ioandgithub.com/EricZimmerman. Anything else, verify before you run.
Official sources#
1. Get-ZimmermanTools.ps1 (recommended for analysts)#
The installer keeps the whole suite, AmcacheParser included, up to date with one command. Downloads only the framework-dependent .NET builds, keeping the footprint small.
# Run from elevated PowerShell
New-Item -ItemType Directory -Path 'C:\Tools\ZTools' -Force | Out-Null
Set-Location 'C:\Tools\ZTools'
Invoke-WebRequest `
-Uri 'https://raw.githubusercontent.com/EricZimmerman/Get-ZimmermanTools/master/Get-ZimmermanTools.ps1' `
-OutFile 'Get-ZimmermanTools.ps1'
# .NET 6 build (works on Server 2019+ without extra setup)
.\Get-ZimmermanTools.ps1 -Dest 'C:\Tools\ZTools' -NetVersion 6After it finishes:
C:\Tools\ZTools\
└── net6\
└── AmcacheParser\
├── AmcacheParser.exe
├── AmcacheParser.dll
└── ... (.NET runtime deps)
Re-run weekly (or via a scheduled task) to stay current. The script writes a !!!RemoteFileDetails.csv next to itself with the SHA-1 of every downloaded archive. Useful chain-of-custody evidence if you're publishing your own internal mirror.
2. Direct download from ericzimmerman.github.io#
If your egress blocks raw GitHub but allows github.io, the landing page at ericzimmerman.github.io lists every tool with a direct zip link. Download, unzip, run.
3. KAPE bundle#
KAPE ships AmcacheParser inside Modules\bin after you run Get-KAPEUpdate.ps1. You don't download separately. It lands as a dependency of the AmcacheParser module. Right path if you already use KAPE for collection.
4. Velociraptor artefact#
Velociraptor's Windows.Forensics.Amcache artefact downloads AmcacheParser the first time it runs and caches it on the endpoint under Tools. Configure the source URL once in the server's Tools settings. Every hunt that needs it pulls from your cache.
Verifying the download#
Eric does not currently publish detached signatures. The practical path:
- TLS pinning to
github.io/github.com. Non-negotiable. Do not pull AmcacheParser over plain HTTP from a random mirror. - Record the SHA-256 of the archive on first download, store it in your internal artefact registry, compare every subsequent pull against the stored value.
# Record the hash on first download
Get-FileHash -Algorithm SHA256 '.\AmcacheParser.zip' |
Format-List Algorithm, Hash, PathIf your organisation operates an internal package mirror (Artifactory, Nexus, a Git-LFS bucket), the standard pattern:
- Download once over the open internet on a clean build host.
- Hash, sign with your internal signing key, upload to the mirror.
- Every analyst workstation pulls from the signed internal mirror.
That way an analyst at 02:00 on a P1 never has to make a trust decision about a random mirror under time pressure.
System requirements#
| Component | Requirement |
|---|---|
| OS (native) | Windows 10 / 11 / Server 2016+ |
| OS (cross-platform) | Linux / macOS via dotnet AmcacheParser.dll |
| Runtime | .NET 6 or .NET 9 (matching the build) |
| RAM | ~200 MB per parse; much less for typical hives |
| Disk | Negligible (CSV output is normally <50 MB per host) |
Eric publishes both framework-dependent and self-contained builds. Framework-dependent is ~2 MB but needs the .NET runtime installed. Self-contained is ~80 MB and runs on a host with no .NET. Pick self-contained for triage USB sticks.
Air-gapped install pattern#
For labs with no internet egress:
- On an internet-connected build host, run
Get-ZimmermanTools.ps1 -Dest .\offline -NetVersion 6. - Add the self-contained AmcacheParser archive from
ericzimmerman.github.ioso analysts on hosts without .NET still work. - Zip the
offline\directory along with the!!!RemoteFileDetails.csvmanifest. Hash the zip. - Transfer across the air gap on labelled removable media or through a one-way diode.
- On the air-gapped side, verify the hash against the manifest before extracting.
Repeat on a defined cadence (monthly is typical) so the offline lab does not drift more than a release behind the public build.
A no-install alternative for triage#
If "install AmcacheParser" is itself the blocker (locked-down kiosk, non-Windows analyst laptop, classroom of students), the parser hosted on this site is a re-implementation of the read path in Rust + WebAssembly. Drop a hive on the home page and you get the same categories and fields without installing anything. The file is parsed entirely in your browser. Nothing is uploaded.
The browser version covers triage and education. For full investigations on a Windows analyst workstation, use Eric's official AmcacheParser.exe. It's the canonical implementation and produces the CSV format every downstream tool expects.
Further reading#
- The Get-ZimmermanTools GitHub repository for installer details.
- KAPE documentation.
- Velociraptor documentation for the
Windows.Forensics.Amcacheartefact.
Related#
Related posts
- AmcacheParser output columns explained: every CSV field decoded
Field-by-field reference for AmcacheParser's CSV output. FileId, PathHash, ProgramId, LinkDate, BinFileVersion, IsPeFile, and every other column, with the pivots that matter.
- AmcacheParser: the complete guide to Eric Zimmerman's tool
The reference for AmcacheParser. What it does, how to install and run it, how to read the CSVs, and when the browser parser is the better tool for the moment.
- AmcacheParser CLI cheatsheet: every flag, with worked examples
Copy-paste reference for AmcacheParser.exe. Every flag explained. KAPE, Velociraptor, and PowerShell batch patterns you can use directly.
- Amcache parsers compared: AmcacheParser CLI, browser tool, Volatility, RegRipper
Four mature parsers for Amcache.hve. Same hive, different workflows. The decision rule comes down to install footprint, batchability, and where each one wins.