AmcacheParser output columns explained: every CSV field decoded

AmcacheParser writes one CSV per Inventory* category. Most analysts spend 90% of their time in two of those files (*_UnassociatedFileEntries.csv and *_AssociatedFileEntries.csv), but every column in every file is potentially useful. This is the reference for what each one means.

For the broader context on the tool, see the AmcacheParser complete guide.

The seven CSVs#

After a typical run with --csv .\out:

File Source key Typical row count
*_AssociatedFileEntries.csv Root\InventoryApplicationFile linked to an InventoryApplication Hundreds to low thousands
*_UnassociatedFileEntries.csv Root\InventoryApplicationFile with no parent app Hundreds to thousands
*_ProgramEntries.csv Root\Programs (legacy installed-software list) Low hundreds
*_ShortcutEntries.csv Root\InventoryApplicationShortcut Tens
*_DriverBinaries.csv Root\InventoryDriverBinary Hundreds
*_DevicePnps.csv Root\InventoryDevicePnp Hundreds
*_DeviceContainers.csv Root\InventoryDeviceContainer Tens

The Unassociated file is what most analysts pivot on first. Ad-hoc downloaded binaries, attacker tooling, one-off scripts land there because they were never installed through a registered product.

File-entry columns (Associated / Unassociated)#

The two file-entry CSVs share the same schema. Columns you use on nearly every case.

Identity and path#

Column Meaning Notes
ApplicationName Display name resolved by Windows Often blank for unassociated entries.
ProgramId 44-char Windows program identity Pivot to Root\InventoryApplication to find the installed-product record.
FileId "0000" + SHA-1 of the first 31 MiB Strip the prefix for VT / TI lookups.
Hash Convenience copy of the SHA-1 without prefix Use this column, not FileId, when joining against external hash feeds.
Name File name only kernel32.dll, mimikatz.exe, etc.
FullPath Full path at inventory time If it contains \Users\ or \AppData\ and Publisher is blank, look closely.
Publisher Publisher from PE signature / resource Empty for unsigned binaries.
PublisherName Friendlier display name Sometimes populated when Publisher is the X.509 CN.
BinaryType Architecture (pe32, pe64, pe32_arm, ...) Useful when filtering for native vs managed PE.

Timestamps#

Amcache is a goldmine of timestamps, but they mean different things. Get this distinction right or you misdate findings.

Column What it is Don't confuse with
KeyLastWriteTimestamp Registry last-write of the containing key "When the file was inventoried". Closest thing to a real "Amcache time".
LinkDate PE header TimeDateStamp set at compile/link time "When the file was created". Set by the compiler. Attacker-controlled. Frequently faked.
BinFileVersion / ProductVersion Version strings from PE resource Not timestamps.
LastModified Some Amcache schemas expose a last-modified FILETIME Not in every schema version. Treat as best-effort.

The right "when" pivot for Amcache is KeyLastWriteTimestamp. LinkDate is fantastic for grouping binaries (everything the attacker compiled on the same day clusters together) but is not a "binary was placed on this host at this time" signal.

Version / metadata#

Column Meaning
BinFileVersion PE VS_FIXEDFILEINFO.dwFileVersion
BinProductVersion PE VS_FIXEDFILEINFO.dwProductVersion
ProductName PE resource ProductName
ProductVersion PE resource ProductVersion (string form)
FileVersionString PE resource FileVersion
Language PE resource language ID
Size File size in bytes

Flags#

Column Meaning Default filter
IsPeFile True if Amcache classified the file as PE Filter to True when hunting executable artefacts.
IsOsComponent True if the file belongs to Windows itself Filter to False unless -i was passed. OS components are noisy.

Lifecycle / inventory metadata#

Column Meaning
Usn USN journal entry tied to the file at inventory time
Description Free-form description, often from the PE resource
LongPathHash Hash Amcache uses internally for path dedup
MsiInstallDate When the parent MSI was installed (if any)
MsiPackageCode MSI package GUID

ProgramEntries.csv (legacy Programs key)#

The legacy Root\Programs key predates the Inventory* schema. Sparser. Columns most often used:

Column Meaning
ProgramId Same 44-char identity used in file-entry CSVs
LastWriteTimestamp Registry last-write of the entry
Name Program display name
Version Program version
Publisher Publisher string
InstallDate Install date (FILETIME → ISO-8601)
LanguageCode LCID
InstallSource Source path (CD, network share, downloads folder)
UninstallString Command-line that would uninstall the program
RootDirPath Install directory
Source MSI, AddRemoveProgram, etc.

InstallSource is the secret weapon here. Sometimes records the network share or download URL the installer was pulled from. Invaluable for supply-chain or social-engineering intrusions.

DriverBinaries.csv#

For kernel-mode artefacts. Columns:

Column Meaning
KeyLastWriteTimestamp Inventory time
DriverName Driver file name
Inf Source .inf
DriverVersion Driver version string
Product Product name from the driver's PE resource
ProductVersion Product version
WdfVersion Windows Driver Framework version
DriverCompany Company string
DriverPackageStrongName Strong name
Service Associated service name
DriverSigned Whether the driver claimed to be signed
DriverIsKernelMode True for kernel-mode drivers
DriverType legacy, pnp, service, ...
DriverTimeStamp PE link date of the driver
Hash SHA-1 of the driver binary

For BYOVD (Bring-Your-Own-Vulnerable-Driver), sort by DriverTimeStamp and look for old-but-signed drivers that appeared recently on the host.

DeviceContainers.csv#

Connected-device history. Most relevant columns:

Column Meaning
KeyLastWriteTimestamp When the device record was last touched
Categories Device categories (printer, display, network, ...)
DiscoveryMethod How Windows enumerated the device
FriendlyName "Brother HL-L2350DW", "Logitech BRIO", ...
Manufacturer Vendor string
ModelName / ModelNumber Model identifiers
IsConnected Currently-connected flag at inventory
IsPaired Paired (Bluetooth, etc.)
Icon Path to the device icon resource

Often the answer to "did device X ever connect to this host?" without wading through Setup logs.

DevicePnps.csv#

PnP enumeration records, one row per device interface:

Column Meaning
KeyLastWriteTimestamp When the PnP record was last touched
BusReportedDescription What the device told Windows it was
DeviceClass Driver class GUID
DeviceId / InstanceId PnP instance identifier
Manufacturer Vendor string
Service Driver service
DriverName Driver file backing the device

Pair InstanceId here with the matching row in DeviceContainers.csv to get user-facing name and technical IDs together.

ShortcutEntries.csv#

Each Start menu / pinned shortcut Windows knows about, with the corresponding ProgramId and inventory timestamp. Less used in incident response. Handy for "what did the user have pinned on $DATE" questions. Pair with LNK parser and jump list output for completeness.

Pivots that earn their keep#

Cross-column patterns that come up over and over.

  1. Hash everywhere. Take Hash from *_UnassociatedFileEntries.csv and grep across *_AssociatedFileEntries.csv, the host's Prefetch CSV, and Sysmon 1/7 events. A binary in Amcache but never in Prefetch is "present but never executed". A very different finding from "executed".
  2. Publisher blank + path under \Users\. The single most productive triage filter on a typical commodity-malware investigation.
  3. LinkDate clustering. Sort all unassociated PE entries by LinkDate and look for tight clusters of 3-10 binaries with the same compile day. Often a single attacker tool drop.
  4. InstallSource URLs in ProgramEntries. Whenever you see a suspicious program, check InstallSource. Often points directly at the delivery vector.
  5. KeyLastWriteTimestamp window join. Join all CSVs on a one-hour window around the suspected initial-access time and you get the full picture of what Windows inventoried during the intrusion.

Further reading#

Related posts

Back to all posts