Is KeyLastWriteTimestamp the time the binary first appeared on the host?

Not exactly. It is the time the appraiser most recently wrote the entry. For a binary first inventoried in this hive, it is the first-inventory time. For an entry whose metadata changed, it advances to the update time. It is an upper bound for 'first present on disk'.

What's the resolution of KeyLastWriteTimestamp?

Second-precision. Do not draw conclusions from sub-second differences.

How does KeyLastWriteTimestamp differ from LinkDate?

KeyLastWriteTimestamp is when the appraiser wrote about the file (host-side, attacker-uncontrollable). LinkDate is when the compiler stamped the PE header at link time (attacker-controllable). They answer completely different questions.

Can the same entry's KeyLastWriteTimestamp change over time?

Yes. If the file's metadata (size, hash, version) changes between appraiser runs, the appraiser rewrites the entry and the timestamp advances. If nothing changes, the timestamp stays put even when later appraiser passes confirm the file is still present.

What's the standard pivot for KeyLastWriteTimestamp?

Take the timestamp, define a one-hour window centred on it, and join all other Amcache rows, Prefetch entries, Sysmon 1/7/11 events, and Security 4688 events from that window. That join gives you the full picture of what happened around the inventory event.

What is KeyLastWriteTimestamp in Amcache? (glossary)

KeyLastWriteTimestamp is the registry-level last-write time of the key containing an Amcache inventory entry. It is the closest thing Amcache exposes to a "when was this file recorded?" timestamp. AmcacheParser surfaces it as a column in every per-category CSV.

It is the single most important timestamp in Amcache — and the one new analysts most often confuse with LinkDate (the PE compile time), which is a completely different field that means a completely different thing.

What it represents#

The registry stores a last-write time for every key — metadata maintained by Windows itself. When the Compatibility Appraiser writes or updates an inventory entry, Windows updates the key's last-write time. AmcacheParser reads that field as KeyLastWriteTimestamp.

Practically:

First-appearance entries → KeyLastWriteTimestamp is the appraiser-run time after the file was first noticed.
Updated entries → advances to the most recent metadata change (file got larger, version string changed, hash changed).
Unchanged entries → stays put even when subsequent appraiser passes confirm the file is still there.

That last point matters: it is not "the most recent time the appraiser saw this file" — it is "the most recent time the appraiser wrote about this file."

Common confusions#

Question	Right field
"When did the appraiser record this file?"	KeyLastWriteTimestamp
"When was the binary compiled?"	LinkDate
"When was the file created on disk?"	MFT `$STANDARD_INFORMATION.CreationTime`
"When did the binary run?"	Prefetch run timestamps

The standard time-window pivot#

For any suspicious row:

Take its KeyLastWriteTimestamp.
Define a one-hour window centred on it.
Pull from that window: other Amcache rows, Prefetch entries, Sysmon 1 / 7 / 11, Security 4688, MFT and USN journal.

The resulting timeline is the canonical "what was happening around this inventory event?" reconstruction.

For full coverage, see Amcache timestamps explained.

LinkDate — the timestamp it is most often confused with.
Compatibility Appraiser — what writes the value.
InventoryApplicationFile — where the entries live.

What is KeyLastWriteTimestamp in Amcache? (glossary)

What it represents#

Common confusions#

The standard time-window pivot#

Related terms#

Related posts