Amcache parser comparison: AmcacheParser, browser tool, Volatility, RegRipper

TL;DR. One-off triage, no install: browser tool. Batch, KAPE, Velociraptor: Eric Zimmerman's AmcacheParser. Memory-forensics workflow with other registry plugins: Volatility 3. Shop standardised on a registry-plugin framework: RegRipper's amcache.pl.

Four mature tools parse Amcache.hve in 2026. They produce overlapping output from the same hive. The question is which one fits your workflow, not which one is "correct".

This page compares them on the dimensions that matter: install footprint, supported platforms, output format, batchability, and where each tool wins.

For the artefact itself, see the Amcache complete reference. For deep dives on each tool, see the linked guides below.

At a glance#

Tool Install Platform Output Batch / scripting GUI Best for
AmcacheParser .NET runtime Windows native, Linux/macOS via dotnet CSV per Inventory* category First-class No (CLI only) KAPE / Velociraptor pipelines, batch hosts
amcacheparser.com (browser) None Any modern browser (WebAssembly) Interactive table, CSV, JSON One hive at a time Yes One-off triage, no-install environments, training
Volatility 3 (windows.registry.amcache) Volatility 3 + Python Cross-platform Text / JSON via volshell Scriptable No Memory-forensics workflows
RegRipper (amcache.pl) Perl + RegRipper Cross-platform Plaintext report Scriptable No Shops standardised on RegRipper

Eric Zimmerman's AmcacheParser (CLI)#

The de facto standard. A .NET console application that reads Amcache.hve and writes seven CSVs, one per Inventory* category (AssociatedFileEntries, UnassociatedFileEntries, ProgramEntries, ShortcutEntries, DriverBinaries, DevicePnps, DeviceContainers) plus the legacy Programs / File schemas where present.

Why it dominates

  • KAPE and Velociraptor invoke it directly. If your pipeline runs either, AmcacheParser is already in the loop.
  • Field semantics are the documented reference. Every other parser's output benchmarks against AmcacheParser's CSV columns.
  • Scriptable. One executable, one input, deterministic CSV output. Trivially driven from PowerShell, bash, or a SIEM ingestion job.

Where it bites

  • Requires .NET runtime. Native on Windows, requires dotnet on Linux/macOS. Not an issue in a forensic VM, occasionally inconvenient on a triage workstation.
  • CLI only. No interactive filtering, no risk hints, no visualisation. You ingest the CSVs into whatever you already use (Timeline Explorer, Excel, Splunk).

Full coverage: AmcacheParser complete guide · CLI cheatsheet · Output columns explained · Download guide.

amcacheparser.com (browser, WebAssembly)#

This site's tool. The hive parser is Rust compiled to WebAssembly, running entirely in the browser tab. The file you drop on the page is read into memory by JavaScript and handed to the WASM module. No upload.

Why analysts reach for it

  • Zero install. Any modern browser. Any OS, including air-gapped environments after a one-time mirror of the static site.
  • Visual triage. Categories on tabs, per-row risk hints (unsigned PE, AppData/Temp paths, unsigned drivers), inline search, unassociated-only filter, per-category CSV export.
  • Privacy by construction. Nothing leaves the device. Safe for hives subject to data-handling policies that forbid uploads.

Where it bites

  • One hive per session. Batch processing 200 hosts? Use the CLI.
  • No KAPE / Velociraptor integration. The browser tool is for the human triage step, not the collection-pipeline step.

Volatility 3 (windows.registry.amcache)#

A registry-analysis plugin inside Volatility 3. Runs against either a memory capture (where the hive is reconstructed from in-memory registry pages) or an offline hive on disk.

Why reach for it

  • Lives next to the other registry plugins. If you're already running Volatility for a memory investigation, adding Amcache analysis is one more vol -f memory.raw windows.registry.amcache away.
  • Cross-platform. Pure Python, no .NET.

Where it bites

  • Less detail than AmcacheParser. The plugin surfaces the core fields but doesn't replicate AmcacheParser's full per-category schema breakout.
  • Requires Volatility setup. Not a first-pass tool when you just need to look at one hive.

See Volatility plugins for Amcache analysis for the full plugin reference.

RegRipper (amcache.pl)#

RegRipper is a Perl-based registry analysis framework with a per-hive plugin system. The amcache.pl plugin reads the hive and produces a plaintext report.

Why reach for it

  • Plugin ecosystem. If your team already runs RegRipper for SYSTEM/SOFTWARE/NTUSER analysis, adding the Amcache plugin keeps everything in one workflow.
  • Familiar in DFIR. RegRipper has been around since 2006. The output format is familiar to a generation of analysts.

Where it bites

  • Plaintext output. Not as machine-friendly as CSV for SIEM ingestion.
  • Less actively developed than AmcacheParser. Field coverage can lag the latest Windows schema changes.

See RegRipper Amcache plugin reference.

Decision rules#

The honest answer is all of them, in different contexts:

  • Single-host investigation, ad-hoc question, no install possible: browser parser.
  • Multi-host engagement, KAPE / Velociraptor collection: AmcacheParser CLI feeding Timeline Explorer or your SIEM.
  • Memory forensics workflow, hive reconstructed from RAM: Volatility 3 windows.registry.amcache.
  • Already standardised on RegRipper: RegRipper amcache.pl.

For most DFIR shops the practical setup is EZ AmcacheParser in the collection pipeline plus the browser parser for the human triage step. CLI handles batch and provenance. Browser handles the "what does this entry actually mean?" moment.

Related posts

Back to all posts