Amcache parser comparison: AmcacheParser, browser tool, Volatility, RegRipper

TL;DR — the four-tool decision rule. One-off triage with no install: browser tool. Batch / KAPE / Velociraptor pipeline: Eric Zimmerman's AmcacheParser CLI. Memory-forensics workflow with other registry plugins: Volatility 3. Already standardized on a registry-plugin framework: RegRipper's amcache.pl.

Four mature tools parse Amcache.hve in 2026. They produce overlapping output from the same hive — the question is which one fits your workflow, not which one is "correct".

This page compares them on the dimensions analysts actually care about: install footprint, supported platforms, output format, batch-ability, and where each tool wins.

For the artefact itself (what Amcache is, what it records, the field semantics), see the Amcache complete reference. For a deep dive on each individual tool, see the linked guides below.


At-a-glance comparison

| Tool | Install | Platform | Output | Batch / scripting | GUI | Best for |
|------|---------|----------|--------|-------------------|-----|----------|
| Eric Zimmerman's AmcacheParser | .NET runtime | Windows native, Linux/macOS via dotnet | CSV per Inventory* category | First-class | ❌ (CLI only) | KAPE / Velociraptor pipelines, batch hosts |
| amcacheparser.com (browser) | None | Any modern browser (WebAssembly) | Interactive table, CSV, JSON | One hive at a time | ✅ (in-browser) | One-off triage, no-install environments, training |
| Volatility 3 (windows.registry.amcache) | Volatility 3 + Python 3 | Cross-platform | Text / JSON via volshell | Scriptable | ❌ (CLI only) | Memory-forensics workflows, combined with other registry plugins |
| RegRipper (amcache.pl) | Perl + RegRipper | Cross-platform | Plaintext report | Scriptable | — | Shops already standardized on RegRipper |

Eric Zimmerman's AmcacheParser (CLI)

The de facto standard. A .NET console application that reads Amcache.hve and writes seven CSVs — one per Inventory* category (AssociatedFileEntries, UnassociatedFileEntries, ProgramEntries, ShortcutEntries, DriverBinaries, DevicePnps, DeviceContainers) plus the legacy Programs / File schemas where present.

Why it dominates the field

  • KAPE and Velociraptor invoke it directly. If your collection pipeline runs either tool, AmcacheParser is already in the loop.
  • Field semantics are the documented reference. Every other parser's output is benchmarked against AmcacheParser's CSV columns.
  • Scriptable. One executable, one input, deterministic CSV output → trivially driven from PowerShell, bash, or a SIEM ingestion job.

Where it bites

  • Requires .NET runtime. Native on Windows; on Linux/macOS you need dotnet installed. Not a problem in a forensic VM, occasionally inconvenient on a triage workstation.
  • CLI only. No interactive filtering, no risk hints, no visualization. You ingest the CSVs into whatever you already use (Timeline Explorer, Excel, Splunk).

Full coverage: AmcacheParser complete guide · CLI cheatsheet · Output columns explained · Download guide.


amcacheparser.com (browser, WebAssembly)

This site's tool. The hive parser is written in Rust, compiled to WebAssembly, and runs entirely in the browser tab. The file you drop on the page is read into memory by JavaScript and handed to the WebAssembly module — no upload happens.

Why analysts reach for it

  • Zero install. Any modern browser works — Chrome, Firefox, Safari, Edge — on any OS, including air-gapped environments after a one-time mirror of the static site.
  • Visual triage. Categories on tabs, per-row risk hints (unsigned PE, AppData/Temp paths, unsigned drivers), inline search, unassociated-only filter, and per-category CSV export.
  • Privacy by construction. Because nothing leaves the device, the tool is safe to use on hives subject to data-handling policies that forbid uploading.

Where it bites

  • One hive per session. Batch processing 200 hosts? Use the CLI.
  • No KAPE / Velociraptor integration. The browser tool is for the human triage step, not the collection-pipeline step.
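The "CLI handles batch, a triage step handles meaning" split described in the two sections above, as an added example that is not code from this site or from Eric Zimmerman's AmcacheParser: a Python script that builds the per-host AmcacheParser invocation, merges each host's UnassociatedFileEntries CSV under a Host column, and applies the AppData/Temp path hint from the browser tool's list, plus one thing a single-hive tool cannot do, correlating the same SHA1 across hosts. Assumptions, labelled in the code: the -f and --csv switches, the *UnassociatedFileEntries.csv output name, and the column names FullPath, SHA1, IsPeFile and IsOsComponent are taken to match AmcacheParser's file-entry CSV (check them against the version you run); the host name is taken from the hive's parent directory; the embedded CSV text is constructed sample data, not real hive output. The "unsigned PE" hint is not reproduced because the sample columns carry no signature field.

```python
"""Batch AmcacheParser + cross-host triage of UnassociatedFileEntries.

Added example, not code from amcacheparser.com or from AmcacheParser.
Assumed (verify against your version): the -f / --csv switches, the
*UnassociatedFileEntries.csv file name, and the columns FullPath, SHA1,
IsPeFile, IsOsComponent. Sample CSV text below is constructed.
"""
import csv
import io
import subprocess
from pathlib import Path

# Directories a normal user can write to: a non-OS PE that executed from
# here is the "AppData/Temp path" triage hint.
USER_WRITABLE_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
)


def amcacheparser_cmd(hive, out_dir, exe="AmcacheParser.exe") -> list[str]:
    """argv for parsing one hive into one output directory (one host per dir)."""
    return [exe, "-f", str(hive), "--csv", str(out_dir)]


def run_collection(collection_root: Path, out_root: Path) -> dict[str, str]:
    """Run the CLI once per <host>/Amcache.hve and return {host: csv_text}.

    Assumption: the hive's parent directory is named after the host.
    utf-8-sig strips the byte-order mark .NET CSV writers commonly emit.
    """
    host_csvs = {}
    for hive in sorted(collection_root.glob("*/Amcache.hve")):
        out_dir = out_root / hive.parent.name
        out_dir.mkdir(parents=True, exist_ok=True)
        subprocess.run(amcacheparser_cmd(hive, out_dir), check=True)
        for csv_path in out_dir.glob("*UnassociatedFileEntries.csv"):
            host_csvs[hive.parent.name] = csv_path.read_text(encoding="utf-8-sig")
    return host_csvs


def merge_hosts(host_csvs: dict[str, str]) -> list[dict]:
    """Parse every host's CSV and tag each row with its Host."""
    merged = []
    for host, text in host_csvs.items():
        for row in csv.DictReader(io.StringIO(text)):
            row["Host"] = host
            merged.append(row)
    return merged


def risk_hints(row: dict, sha1_hosts: dict[str, set]) -> list[str]:
    """Triage hints that apply to one merged row."""
    hints = []
    path = row["FullPath"].lower()
    in_user_dir = any(d in path for d in USER_WRITABLE_DIRS)
    is_pe = row["IsPeFile"].strip().lower() == "true"
    not_os = row["IsOsComponent"].strip().lower() == "false"
    if in_user_dir and is_pe and not_os:
        hints.append("non-OS PE in user-writable path")
    hosts_with_hash = len(sha1_hosts.get(row["SHA1"], ()))
    if in_user_dir and hosts_with_hash > 1:
        hints.append(f"same SHA1 seen on {hosts_with_hash} hosts")
    return hints


def triage(merged: list[dict]) -> list[dict]:
    """Flag rows with at least one hint, using a SHA1 -> hosts index."""
    sha1_hosts: dict[str, set] = {}
    for row in merged:
        sha1_hosts.setdefault(row["SHA1"], set()).add(row["Host"])
    flagged = []
    for row in merged:
        hints = risk_hints(row, sha1_hosts)
        if hints:
            flagged.append({"Host": row["Host"], "FullPath": row["FullPath"],
                            "SHA1": row["SHA1"], "Hints": hints})
    return flagged


# Constructed sample standing in for two hosts' CSVs (not real output).
SAMPLE_HOST_CSVS = {
    "WS01": (
        "FullPath,SHA1,IsPeFile,IsOsComponent,FileKeyLastWriteTimestamp\n"
        "c:\\windows\\system32\\notepad.exe,sha1-A,True,True,2026-01-05 10:00:00\n"
        "c:\\users\\alice\\appdata\\local\\temp\\update.exe,sha1-B,True,False,2026-01-06 09:12:00\n"
        "c:\\users\\alice\\appdata\\local\\temp\\notes.txt,sha1-C,False,False,2026-01-06 09:13:00\n"
    ),
    "WS02": (
        "FullPath,SHA1,IsPeFile,IsOsComponent,FileKeyLastWriteTimestamp\n"
        "c:\\users\\bob\\appdata\\roaming\\svchost.exe,sha1-B,True,False,2026-01-06 11:40:00\n"
        "c:\\program files\\vendor\\app.exe,sha1-D,True,False,2026-01-02 08:00:00\n"
    ),
}

if __name__ == "__main__":
    for hit in triage(merge_hosts(SAMPLE_HOST_CSVS)):
        print(hit["Host"], hit["FullPath"], "; ".join(hit["Hints"]))
```

On real collections, replace SAMPLE_HOST_CSVS with run_collection(Path("collected"), Path("parsed")); the merged rows can then be written back out as one CSV for Timeline Explorer or a SIEM, and the flagged subset is the short list worth opening in the browser tool.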

Volatility 3 (windows.registry.amcache)

A registry-analysis plugin inside Volatility 3. Runs against either a memory capture (where the hive is reconstructed from in-memory registry pages) or an offline registry hive on disk.

Why reach for it

  • Lives next to other registry plugins. If you're already running Volatility for a memory investigation, adding Amcache analysis is one more vol.py -f memory.raw windows.registry.amcache away.
  • Cross-platform. Pure Python, no .NET dependency.

Where it bites

  • Less detail than AmcacheParser. The plugin surfaces the core fields but doesn't replicate AmcacheParser's full per-category schema breakout.
  • Requires Volatility setup. Not a first-pass tool for someone who just needs to look at one hive.

See Volatility plugins for Amcache analysis for the full plugin reference.


RegRipper (amcache.pl)

RegRipper is a Perl-based registry analysis framework with a per-hive plugin system. The amcache.pl plugin reads the hive and produces a plaintext report.

Why reach for it

  • Plugin ecosystem. If your team already runs RegRipper for SYSTEM/SOFTWARE/NTUSER analysis, adding the Amcache plugin keeps everything in one workflow.
  • Well-known in DFIR. RegRipper has been around since 2006 — the output format is familiar to a generation of analysts.

Where it bites

  • Plaintext output. Not as machine-friendly as CSV for SIEM ingestion.
  • Less actively developed than AmcacheParser. Field coverage can lag the latest Windows schema changes.

See RegRipper Amcache plugin reference for the plugin details.


Decision rules

The honest answer to "which parser should I use?" is all of them, in different contexts:

  • Single-host investigation, ad-hoc question, no install possible → browser parser.
  • Multi-host engagement, KAPE / Velociraptor collection → Eric Zimmerman's AmcacheParser CLI feeding into Timeline Explorer or your SIEM.
  • Memory forensics workflow, hive reconstructed from RAM → Volatility 3's windows.registry.amcache plugin.
  • Already standardized on RegRipper for the other registry hives → RegRipper's amcache.pl.

For most DFIR shops the practical setup is EZ AmcacheParser in the collection pipeline + the browser parser for the human triage step — the CLI handles batch and provenance, the browser handles the "what does this entry actually mean?" moment.

