Amcache: the complete Windows .hve forensics reference

TL;DR. Amcache is the Windows registry hive (Amcache.hve) the Microsoft Compatibility Appraiser writes. It records every PE the appraiser saw on disk, with SHA-1, full path, publisher, PE link date, and the appraiser's write time. Analysts use it to prove a binary was present (not necessarily executed), pivot on hash across hosts, and recover evidence of deleted attacker tools.

Amcache.hve is the hive that answers a question no other Windows artefact answers cleanly: "has this executable ever been present on this host, and with what SHA-1, at what path, around when?"

This page is the reference to the artefact: what it is, where it lives, how Windows produces it, what each top-level key holds, how to use it in an investigation, and how it relates to neighbouring artefacts. For coverage of parsing tools, see the AmcacheParser complete guide. For the short version, see Understanding Amcache.

At a glance vs the neighbours#

Artefact What it proves Hash Path Capacity Source
Amcache.hve Binary was present on host SHA-1 (first 31 MiB) Full Thousands Compatibility Appraiser
Shimcache Loader-seen None Full ~1024 (LRU) Application Compatibility loader
Prefetch Executed None Full ~1024 .pf files Windows Prefetcher
SRUM Consumed resources, 30-60 days None Full App-level rollups System Resource Usage Monitor
Security 4688 (EVTX) Process created (real-time) None Full Bounded by log rollover Audit subsystem

Rule of thumb: Amcache for presence and hash. Shimcache for the loader's recent attention. Prefetch for execution. SRUM for usage over time. 4688 for the real-time event. Detail per pairing: Amcache vs Shimcache, Amcache vs Prefetch, Amcache vs SRUM, Amcache vs AppCompatCache.

What Amcache actually is#

A registry hive. Same binary format as SYSTEM, SOFTWARE, SAM, SECURITY, and NTUSER.DAT. Not a log file, not a database, not a flat list. A key/value tree with typed values. The structure is what makes it both rich and slightly painful to read by hand.

The hive is populated by the Microsoft Compatibility Appraiser, a scheduled task at \Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser. The appraiser scans the system for installed and present software, gathers PE-header metadata, and writes structured inventory records into the hive. Roughly daily on Windows 10 / 11 workstations, several days on Server, weekly or longer on Server Core.

The appraiser was originally part of the Customer Experience Improvement Program (CEIP). The forensic value of Amcache is, in a sense, an accident: the appraiser needed a local inventory to know what to send Microsoft, and that local inventory is what analysts pivot on.

Why analysts care#

Three properties make Amcache extraordinary:

  1. It survives deletion. A wiper removes the file from disk; the inventory snapshot remains in the hive. Often for months. Transaction logs frequently preserve entries the live hive lost too.
  2. It pre-hashes the binary. SHA-1 of the first 31 MiB at inventory time. Even if you no longer have the binary, you have a hash to submit to VirusTotal, TI feeds, internal allowlists.
  3. It records the path. Where the binary lived on disk is often the whole story. \Users\<name>\AppData\Local\Temp\svchost.exe is its own indictment.

Where Amcache lives#

C:\Windows\AppCompat\Programs\Amcache.hve
C:\Windows\AppCompat\Programs\Amcache.hve.LOG1
C:\Windows\AppCompat\Programs\Amcache.hve.LOG2

.LOG1 and .LOG2 are the hive's transaction logs. Always collect all three. Take only the hive and you can silently miss the most recent writes that are still buffered in the logs.

For the long-form location and collection reference, see Where Amcache.hve is on disk.

Schema history#

A small but messy history:

  • Windows 7 / Server 2008 R2: RecentFileCache.bcf, a flat binary, much sparser. Not Amcache.
  • Windows 8 / 8.1: Amcache.hve arrives in hive form with Root\File and Root\Programs keys (legacy schema).
  • Windows 10 build 1709 (Fall Creators Update, 2017): Root\InventoryApplicationFile and the wider Inventory* family arrive (modern schema).
  • Windows 11: Continues the Windows 10 schema, with minor additions, more granular driver / device records.

Modern analysis works against the modern Inventory* schema. The legacy keys remain on some builds and are worth checking on old systems and on hosts where the appraiser has been disabled. Version specifics: Amcache on Windows 11 and 10, Amcache on Windows Server.

Hive structure#

On a modern Windows 11 hive, Root contains:

Root\
├── InventoryApplication
├── InventoryApplicationDriver
├── InventoryApplicationFile
├── InventoryApplicationFramework
├── InventoryApplicationShortcut
├── InventoryDeviceContainer
├── InventoryDeviceInterface
├── InventoryDevicePnp
├── InventoryDriverBinary
├── InventoryDriverPackage
├── InventoryMiscellaneousUUPInfo
├── File             (legacy)
└── Programs         (legacy)

The five keys you touch on most cases:

Key What it records
InventoryApplicationFile Every PE the appraiser inventoried. Full path, SHA-1, link date, publisher, version. The richest single source.
InventoryApplication Installed applications. Parent of file records via ProgramId.
InventoryDriverBinary Every driver binary loaded, with signed/kernel-mode flags. Critical for BYOVD.
InventoryDeviceContainer Friendly-name device records: printers, displays, removable media.
InventoryDevicePnp PnP enumeration records, one per device interface. Joins to DeviceContainer via InstanceId.

For the full key-by-key tour, see Amcache registry structure.

Schema versioning#

The schema has shifted multiple times across Windows 10's life. New value names appear, old ones change type or disappear. This is why a generic registry viewer is a poor fit: values are correct but unlabelled, and you spend more time cross-referencing blog posts than analysing. Use a purpose-built parser (AmcacheParser, this site's browser parser, or RegRipper's amcache plugin) and let the tool track schema for you.

The fields that earn their keep#

A handful of values per entry carry 90% of the investigative weight.

FileId#

The 41-character string "0000" + sha1_hex. The leading "0000" is a historical type tag. The trailing 40 hex characters are the SHA-1 of the first 31 MiB. Strip the prefix before submitting to VirusTotal. AmcacheParser does this for you in the Hash column.

Two traps:

  • The hash covers only the first 31 MiB. For installers and large binaries it is a prefix hash, not a full-content hash. Below 31 MiB the prefix hash equals the standard SHA-1.
  • VirusTotal returns an empty result if you include the "0000" prefix, and the empty result looks identical to "unknown hash". Misleading.

Full coverage: Amcache FileId explained.

ProgramId#

A 44-character identity hash Windows assigns to a logical application, derived from name, publisher, version, and language. Joins a file in InventoryApplicationFile to its parent application in InventoryApplication. Stable across hosts for the same install. Useful for cross-host pivots.

Full coverage: Amcache ProgramId explained.

Timestamps#

Amcache exposes multiple distinct timestamps. Confusing them is the #1 mistake new analysts make:

Field What it represents
KeyLastWriteTimestamp Registry last-write of the containing key. Closest thing to "when Amcache recorded this".
LinkDate PE TimeDateStamp. When the binary was compiled. Attacker-controlled. Do not treat as presence time.
LastModified (when present) Inventory-side last-modified marker. Not in every schema.
MsiInstallDate When the parent MSI was installed (if any).

The right pivot for "when did this binary appear on this host?" is KeyLastWriteTimestamp. See Amcache timestamps explained.

Path, publisher, IsPeFile#

The triage filter that does most of the work:

IsPeFile = True AND Publisher empty AND FullPath under \Users\, \AppData\, \ProgramData\, or \Temp\.

Applied to InventoryApplicationFile, this surfaces the vast majority of commodity-malware artefacts on a typical infected host. Plenty of false positives (portable apps, dev tools, custom scripts) but it is a triage filter, not a detection rule.

What Amcache is not#

Three persistent misconceptions that produce wrong findings:

Not "proof of execution"#

A binary in Amcache means the appraiser saw the file at inventory time. The appraiser inventories based on path, not based on whether the binary ran. A binary can appear in Amcache without ever having executed.

For execution: Prefetch (strongest), Sysmon 1, Security 4688, Shimcache as corroboration, SRUM for longer-window correlation. See Amcache vs Prefetch and Amcache vs Shimcache.

Not complete#

The appraiser misses things:

  • Files outside the paths it scans.
  • Files that came and went between appraiser runs (transient drops).
  • Files on hardened hosts where the appraiser is disabled.
  • On older Windows builds, files outside the legacy Programs / File scope.

Absence from Amcache is not evidence the binary was never present. It is evidence the appraiser did not see it.

Not tamper-evident#

The hive lives on disk in a known location. Admin can edit it, delete it, or stop the appraiser's schedule. Uncommon in commodity intrusions (the noise rarely beats the value) but possible. Treat Amcache as one signal among many, not as ground truth. See Can Amcache be cleared?.

Using Amcache in an investigation#

The standard loop on a Windows intrusion:

  1. Collect: Amcache.hve + Amcache.hve.LOG1 + Amcache.hve.LOG2. KAPE's Amcache target does this in one command. Velociraptor's Windows.Forensics.Amcache does it remotely.
  2. Parse: AmcacheParser with --mp to recover orphaned entries.
  3. Triage filter: unsigned PE in user-writable path against *_UnassociatedFileEntries.csv. Typically tens of rows on an infected host.
  4. Pivot: SHA-1 against VirusTotal, TI feed, historical detections. FullPath against the filesystem timeline and Prefetch.
  5. Corroborate execution: Prefetch (definitive), Sysmon 1 / 7 (process and image load), Security 4688.
  6. Time-bound: KeyLastWriteTimestamp ± 1h. Pull all events, MFT / USN entries, and registry writes from that window.

The last step is the one most analysts skip and most reports need. A finding sourced from Amcache plus Prefetch plus a 4688 is reportable. A finding from Amcache alone gets the caveat "evidence of file presence, execution not corroborated".

For specific scenarios:

Tooling#

Tool Best for
Eric Zimmerman's AmcacheParser Production DFIR on a Windows workstation. The canonical implementation.
Browser parser Triage, education, non-Windows analysts, locked-down hosts. WebAssembly, no upload.
RegRipper amcache plugin Quick interactive analysis as part of a broader RegRipper sweep.
Volatility plugins Pulling the hive from a memory image, then handing to AmcacheParser.

For the practical "which one right now" question: AmcacheParser for the investigation, the browser parser for triage or a fast look without installing anything.

FAQ#

How big is Amcache.hve typically?#

2-25 MB on a Windows 11 workstation. 50+ MB on dev machines or busy servers. Transaction logs are small, usually under 1 MB each.

How far back?#

Months to years on long-running workstations. The hive does not actively purge entries while the binary is still recognisable. Once a binary is removed and the appraiser has had several passes to notice, the entry typically ages out (but not always).

Does Amcache record DLLs?#

Yes, on Windows 10 build 1709 and later. Both EXEs and DLLs classified as PE.

Does Amcache record scripts?#

No for .ps1, .bat, .vbs, .js. Amcache is PE-only. Script execution evidence comes from PowerShell operational logs, AMSI, Sysmon, or Prefetch entries for cscript.exe / wscript.exe.

Amcache vs Shimcache?#

Different artefacts despite both being in the Application Compatibility infrastructure. Shimcache (AppCompatCache in SYSTEM) is loader-maintained, capped at 1024 entries, no hash. Amcache is appraiser-maintained, effectively unbounded, with SHA-1 and richer metadata. See Amcache vs Shimcache.

Linux / macOS?#

dotnet AmcacheParser.dll with the .NET runtime, or the browser parser which runs anywhere with a modern browser. See How to read Amcache.hve on Linux.

Court admissibility?#

Depends on jurisdiction and collection. Amcache is well-documented and widely used. Document chain of custody, hash before and after parsing, and use a parser whose behaviour you can defend on cross-examination.

Further reading#

  • Yogesh Khatri, Amcache.hve in Windows 8. The original public reverse engineering.
  • Eric Zimmerman, AmcacheParser. Gold-standard offline tool.
  • Willi Ballenthin and the Mandiant team for the original legacy-schema field mapping.
  • Maxim Suhanov's registry-internals research, which is what killed the "Amcache = execution" myth.

If you take one thing away: hash first, path second, time third. Amcache is at its best as a hash index that happens to know which files Windows saw, and at its worst when its timestamps are treated as ground truth.

Related posts

Back to all posts