Who created AmcacheParser?
AmcacheParser was created by Eric Zimmerman, a former FBI special agent and current Senior Director at Kroll. He maintains it as part of his free, open-source DFIR tool suite published at ericzimmerman.github.io.
Eric has been publishing forensic tools for over a decade. His suite, usually referred to as the "Zimmerman tools" or "EZ Tools" (after the Get-ZimmermanTools installer), is the de facto standard Windows DFIR toolset.
Eric Zimmerman's background
- Former FBI Special Agent specialising in digital forensics.
- Currently Senior Director at Kroll, where he leads tooling for the firm's incident-response practice.
- SANS instructor for FOR498 (Battlefield Forensics) and contributor to FOR500 (Windows Forensic Analysis). The SANS DFIR curriculum makes extensive use of his toolset.
- Author of many DFIR community contributions, including blog posts, conference talks, and ongoing maintenance of the EZ Tools suite.
The Zimmerman tool suite
AmcacheParser is one of about a dozen tools Eric maintains:
| Tool | Parses |
|---|---|
| AmcacheParser | Amcache.hve |
| MFTECmd | $MFT, $LogFile, $J, $Boot, $SDS |
| RECmd | Any registry hive (batch processor) |
| RBCmd | Recycle Bin ($I* files) |
| PECmd | Windows Prefetch |
| EvtxECmd | Windows Event Logs (.evtx) |
| JLECmd | Jump Lists |
| LECmd | Windows LNK files |
| SBECmd | Shellbags |
| AppCompatCacheParser | ShimCache |
| SrumECmd | SRUM (SRUDB.dat) |
All MIT-licensed. All free for commercial use. All produce structured CSV that loads cleanly into Eric's companion Timeline Explorer GUI.
How to install the suite
Use the official Get-ZimmermanTools.ps1 installer:

```powershell
mkdir C:\Tools\ZTools
cd C:\Tools\ZTools
Invoke-WebRequest `
    -Uri 'https://raw.githubusercontent.com/EricZimmerman/Get-ZimmermanTools/master/Get-ZimmermanTools.ps1' `
    -OutFile Get-ZimmermanTools.ps1
.\Get-ZimmermanTools.ps1 -Dest C:\Tools\ZTools -NetVersion 6
```

This downloads the entire suite, including AmcacheParser, into C:\Tools\ZTools. Re-run periodically to stay current. For verification patterns and mirror configuration, see the AmcacheParser download guide.
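As an added example (not code from the original page or from Eric Zimmerman), the same install carried one step further: confirm that AmcacheParser.exe actually landed, record its version and signature status for the case notes, run it once against a collected hive, and summarise the CSV it writes. It assumes C:\Tools\ZTools as the install root and C:\Cases\HOST01\Amcache.hve as a hive already copied off the target host.

```powershell
# Added example: install or refresh the suite, verify the binary, parse one hive.
# Assumed paths: install root and a hive previously collected into a case folder.
$Dest = 'C:\Tools\ZTools'
$Hive = 'C:\Cases\HOST01\Amcache.hve'
$Out  = 'C:\Cases\HOST01\amcache_csv'

New-Item -ItemType Directory -Force -Path $Dest, $Out | Out-Null

# Fetch the official installer and let it pull the whole suite (same flags as above).
$installer = Join-Path $Dest 'Get-ZimmermanTools.ps1'
Invoke-WebRequest `
    -Uri 'https://raw.githubusercontent.com/EricZimmerman/Get-ZimmermanTools/master/Get-ZimmermanTools.ps1' `
    -OutFile $installer
& $installer -Dest $Dest -NetVersion 6

# Verify the binary is present and note which build will produce the evidence.
$exe = Get-ChildItem -Path $Dest -Recurse -Filter 'AmcacheParser.exe' | Select-Object -First 1
if (-not $exe) { throw "AmcacheParser.exe was not installed under $Dest" }
$sig = Get-AuthenticodeSignature -FilePath $exe.FullName
'{0} version={1} signature={2}' -f $exe.FullName, $exe.VersionInfo.FileVersion, $sig.Status

# First run: -f is the hive to parse, --csv the directory that receives the CSV files.
& $exe.FullName -f $Hive --csv $Out
if ($LASTEXITCODE -ne 0) { throw "AmcacheParser exited with code $LASTEXITCODE" }

# Load the file-entry CSV. The file-name suffix and column names below are those the
# tool writes at the time of writing; check the header of your own output if they differ.
$csv = Get-ChildItem -Path $Out -Filter '*UnassociatedFileEntries.csv' | Select-Object -First 1
if (-not $csv) { Write-Warning 'No file-entry CSV was produced; the hive may be empty.'; return }
$entries = Import-Csv -Path $csv.FullName
'{0} file entries parsed from {1}' -f $entries.Count, $csv.Name

# Quick triage view: how many entries are OS components vs. third-party, then the
# twenty most recently written non-OS binaries with their SHA-1 for later lookup.
$entries | Group-Object IsOsComponent | Select-Object Name, Count | Format-Table -AutoSize
$entries |
    Where-Object { $_.IsOsComponent -eq 'False' } |
    Sort-Object FileKeyLastWriteTimestamp -Descending |
    Select-Object -First 20 FileKeyLastWriteTimestamp, FullPath, SHA1 |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session only if the install root requires it; parsing a copied hive needs no special privilege.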
Is this site (amcacheparser.com) Eric's?
No. The browser-based parser hosted at amcacheparser.com is an independent project. It is an in-browser re-implementation of the Amcache read path in Rust + WebAssembly, designed for triage and education. It is not affiliated with Eric or Kroll.
We credit Eric throughout the documentation because his work on the original AmcacheParser.exe and his publication of the Amcache schema knowledge are what made any of this possible.
Related
- AmcacheParser complete guide — the canonical tool reference.
- Is AmcacheParser free?
- AmcacheParser download guide
Related posts
- Is AmcacheParser free?
  Yes. AmcacheParser is free for any use, including commercial DFIR work, and is published under a permissive license by Eric Zimmerman.
- Why is my Amcache.hve empty?
  Three common causes: the Compatibility Appraiser is disabled, the host is freshly imaged, or you are collecting from a Windows Server or Server Core host, where the appraiser runs much less often.
- Where is the Amcache registry key?
  Amcache is its own hive file at C:\Windows\AppCompat\Programs\Amcache.hve, not a key under HKLM. When loaded by tools or by Windows itself it mounts as HKLM\Amcache.
- What does Amcache.hve contain?
  Amcache.hve contains inventory records for every PE binary, driver, and connected device the Windows Compatibility Appraiser has seen, with SHA-1 hashes, paths, publishers, and timestamps.