Amcache registry structure: every key explained

Amcache.hve is a Windows registry hive with one root key (Root) and a tree of sub-keys beneath it. Each sub-key holds a different inventory category: PE files, installed applications, drivers, devices, shortcuts. This page walks every notable key, what it records, and which values you actually use in DFIR.

For the high-level context, see the Amcache complete reference. For the CSV-column-level reference produced by AmcacheParser, see AmcacheParser output columns explained.

Top-level layout#

On a modern Windows 11 hive, Root contains roughly:

Root\
├── InventoryApplication
├── InventoryApplicationDriver
├── InventoryApplicationFile
├── InventoryApplicationFramework
├── InventoryApplicationShortcut
├── InventoryDeviceContainer
├── InventoryDeviceInterface
├── InventoryDeviceMediaClass
├── InventoryDevicePnp
├── InventoryDriverBinary
├── InventoryDriverPackage
├── InventoryMiscellaneousUUPInfo
├── File         (legacy, may be empty)
└── Programs       (legacy, often sparse)

The modern schema is Inventory*. The legacy schema is the flat File and Programs keys, present from Windows 8 onward. Windows 10 (build 1709 and later) and Windows 11 both write the modern schema. Some legacy entries may still appear depending on the build.

Root\InventoryApplicationFile (the headline key)#

This is where you spend most of your time. One sub-key per file the appraiser inventoried, named after the file's LongPathHash (an internal Amcache identifier) suffixed with a short discriminator. Each sub-key holds values for that file.

Notable values#

Value name Type Meaning
Name REG_SZ File name only (e.g. mimikatz.exe).
LowerCaseLongPath REG_SZ Full path, lowercased.
LongPathHash REG_SZ Amcache's internal path-dedup hash.
FileId REG_SZ "0000" + sha1_hex. See Amcache FileId explained.
Size REG_QWORD File size in bytes.
IsPeFile REG_DWORD 1 if the file is a PE.
IsOsComponent REG_DWORD 1 if part of Windows.
Publisher REG_SZ Publisher string from the PE signature / resource.
Version REG_SZ VS_FIXEDFILEINFO.dwFileVersion.
BinFileVersion REG_SZ Binary file version.
BinProductVersion REG_SZ Binary product version.
ProductName REG_SZ PE resource ProductName.
ProductVersion REG_SZ PE resource ProductVersion.
LinkDate REG_SZ PE IMAGE_FILE_HEADER.TimeDateStamp (compile/link time).
Language REG_DWORD PE resource language ID.
Usn REG_QWORD USN journal entry tied to this inventory.
ProgramId REG_SZ 44-char application-identity hash, joins to InventoryApplication. See Amcache ProgramId explained.

The key's own LastWriteTimestamp (not a value, but the registry-level metadata) is what AmcacheParser exposes as KeyLastWriteTimestamp. The single most useful timestamp for "when did Amcache record this entry?". Full coverage: Amcache timestamps explained.

Associated vs unassociated#

When AmcacheParser reads this key it splits entries into two CSVs:

  • *_AssociatedFileEntries.csv: ProgramId matches an entry in InventoryApplication. The file is associated with an installed product.
  • *_UnassociatedFileEntries.csv: ProgramId does not match any installed-application record. Typically ad-hoc binaries, downloaded tools, scripts, and attacker tooling.

Unassociated is where most malicious binaries surface on a compromised host.

Root\InventoryApplication (installed applications)#

One sub-key per installed application, keyed by ProgramId.

Value name Meaning
ProgramId The 44-char identity, also the sub-key name.
Name Display name.
Version Application version.
Publisher Publisher string.
RootDirPath Install directory.
Source How the appraiser learned about the app: MSI, AddRemoveProgram, Win32WindowsUpdate, Inbox, ...
Type Application type (Application, Driver, ...).
Language LCID.
MsiPackageCode MSI GUID, if from an MSI.
MsiProductCode MSI product code, if from an MSI.
InstallDate Application install date (FILETIME).

Pivot: take a ProgramId from a suspicious file in InventoryApplicationFile, find the corresponding application record here, and you have the full installed-product context (publisher, version, install date) for that file.

Root\InventoryDriverBinary (kernel-mode driver binaries)#

One sub-key per driver binary the system loaded.

Value name Meaning
DriverName Driver file name.
Inf The .inf that installed it.
DriverVersion Driver version string.
Product PE resource ProductName.
ProductVersion PE resource ProductVersion.
WdfVersion Windows Driver Framework version.
DriverCompany Company string from the PE.
DriverPackageStrongName Strong name.
Service Associated service name.
DriverSigned Whether the driver claimed a valid signature.
DriverIsKernelMode 1 for kernel-mode drivers.
DriverTimeStamp Driver's PE link date.
ImageSize Image size in bytes.
Hash SHA-1 of the driver.

For BYOVD investigations, sort by DriverTimeStamp ascending and look for old-but-signed drivers that appeared recently on the host. A driver compiled in 2014 that first shows up in your hive today is suspicious by construction. See the BYOVD glossary.

Root\InventoryDeviceContainer (connected devices)#

One sub-key per "device container" Windows tracks (printers, displays, removable-media controllers, Bluetooth devices, networked storage, ...).

Value name Meaning
FriendlyName "Brother HL-L2350DW", "Logitech BRIO", ...
Manufacturer Vendor string.
ModelName / ModelNumber Model identifiers.
Categories Device categories.
DiscoveryMethod How Windows enumerated the device.
IsConnected 1 if connected at last inventory.
IsPaired 1 if paired (Bluetooth etc.).
Icon Path to the device's icon resource.

Often the cleanest answer to "did this peripheral ever connect to this host?". For USB-mass-storage specifics, see Amcache USB and device history.

Root\InventoryDevicePnp (PnP enumeration records)#

One sub-key per device interface.

Value name Meaning
BusReportedDescription What the device told Windows it was.
DeviceClass Driver class GUID.
DeviceId / InstanceId PnP instance identifier.
Manufacturer Vendor string.
Model Model string.
Service Driver service.
DriverName Driver file backing the device.

DevicePnp is the technical view. DeviceContainer is the user-facing view. Join the two on InstanceId for the full picture.

Root\InventoryApplicationShortcut (Start menu / pinned shortcuts)#

One sub-key per shortcut Windows tracks. Each entry has the shortcut's target path and a ProgramId linking to the parent application. Pair with the LNK parser and jump list parser for the full picture of what the user had pinned and launched.

Root\InventoryApplicationDriver and InventoryApplicationFramework#

Smaller catalogues tied to the modern InventoryApplication view. Driver lists user-mode drivers associated with installed applications. Framework lists framework dependencies. Both come up infrequently in DFIR. More useful for application-inventory audits than incident response.

Root\InventoryMiscellaneousUUPInfo#

Records information about Unified Update Platform packages. Rarely relevant to security investigations unless you are tracing how a specific Windows update was delivered.

Root\Programs (legacy)#

Older catalogue of installed applications, predating InventoryApplication. Sparser metadata, but on some older builds this is the only application list populated. AmcacheParser exposes it as *_ProgramEntries.csv.

Value name Meaning
Name Program display name.
Version Program version.
Publisher Publisher string.
InstallDate Install date (FILETIME).
LanguageCode LCID.
InstallSource Source path (CD, network share, downloads folder, URL).
UninstallString Uninstall command line.
RootDirPath Install directory.
Source MSI, AddRemoveProgram, etc.
Type Application, Driver, etc.
ProgramInstanceId Per-install identifier.

InstallSource is the value to watch. It sometimes records the download URL or network share an installer came from. Invaluable when investigating supply-chain or social-engineering intrusions.

Root\File (legacy)#

Older per-file catalogue. On modern hives this key is often empty or contains a small subset of what InventoryApplicationFile records. Worth checking, but rarely the primary source on a Windows 10+ host.

How values are encoded#

A few encoding quirks worth knowing.

  • Timestamps are mostly Windows FILETIME 64-bit (100 ns ticks since 1601-01-01 UTC). AmcacheParser converts to ISO-8601 UTC.
  • PE link dates are 32-bit time_t (seconds since 1970-01-01 UTC). Also converted.
  • Hashes are 41-character strings with a "0000" type prefix.
  • Booleans are REG_DWORD 0 or 1.
  • Path strings are stored lowercased in LowerCaseLongPath. Original case is not preserved.

Further reading#

  • Willi Ballenthin's original schema work at Mandiant.
  • Yogesh Khatri's Amcache.hve in Windows 8 for the legacy schema's value-number mapping.
  • Maxim Suhanov's writeups for the modern schema's idiosyncrasies.

Related posts

Back to all posts