Amcache registry structure: every key explained
Amcache.hve is a Windows registry hive with one root key (Root)
and a tree of sub-keys beneath it. Each sub-key holds a different
inventory category: PE files, installed applications, drivers,
devices, shortcuts. This page walks every notable key, what it
records, and which values you actually use in DFIR.
For the high-level context, see the Amcache complete reference. For the CSV-column-level reference produced by AmcacheParser, see AmcacheParser output columns explained.
Top-level layout#
On a modern Windows 11 hive, Root contains roughly:
Root\
├── InventoryApplication
├── InventoryApplicationDriver
├── InventoryApplicationFile
├── InventoryApplicationFramework
├── InventoryApplicationShortcut
├── InventoryDeviceContainer
├── InventoryDeviceInterface
├── InventoryDeviceMediaClass
├── InventoryDevicePnp
├── InventoryDriverBinary
├── InventoryDriverPackage
├── InventoryMiscellaneousUUPInfo
├── File (legacy, may be empty)
└── Programs (legacy, often sparse)
The modern schema is Inventory*. The legacy schema is the
flat File and Programs keys, present from Windows 8 onward.
Windows 10 (build 1709 and later) and Windows 11 both write the
modern schema; some legacy entries may still appear depending on
the build.
Root\InventoryApplicationFile — the headline key#
This is the key you spend most of your time in. One sub-key per
file the appraiser inventoried, named after the file's
LongPathHash (an internal Amcache identifier) suffixed with a
short discriminator. Each sub-key holds values for that file.
Notable values#
| Value name | Type | Meaning |
|---|---|---|
Name |
REG_SZ |
File name only (e.g. mimikatz.exe). |
LowerCaseLongPath |
REG_SZ |
Full path, lowercased. |
LongPathHash |
REG_SZ |
Amcache's internal path-dedup hash. |
FileId |
REG_SZ |
"0000" + sha1_hex — the file's content hash. See Amcache FileId explained. |
Size |
REG_QWORD |
File size in bytes. |
IsPeFile |
REG_DWORD |
1 if the file is a PE. |
IsOsComponent |
REG_DWORD |
1 if the file is part of Windows. |
Publisher |
REG_SZ |
Publisher string from the PE signature / resource. |
Version |
REG_SZ |
VS_FIXEDFILEINFO.dwFileVersion. |
BinFileVersion |
REG_SZ |
Binary file version. |
BinProductVersion |
REG_SZ |
Binary product version. |
ProductName |
REG_SZ |
PE resource ProductName. |
ProductVersion |
REG_SZ |
PE resource ProductVersion. |
LinkDate |
REG_SZ |
PE IMAGE_FILE_HEADER.TimeDateStamp (compile/link time). |
Language |
REG_DWORD |
PE resource language ID. |
Usn |
REG_QWORD |
USN journal entry tied to this inventory. |
ProgramId |
REG_SZ |
44-char application-identity hash — joins to InventoryApplication. See Amcache ProgramId explained. |
The key's own LastWriteTimestamp (not a value, but the registry-level
metadata) is what AmcacheParser exposes as KeyLastWriteTimestamp.
It is the single most useful timestamp for "when did Amcache record
this entry?". Full coverage:
Amcache timestamps explained.
Associated vs unassociated#
When AmcacheParser reads this key it splits the entries into two CSVs:
*_AssociatedFileEntries.csv— entries whoseProgramIdmatches an entry inInventoryApplication. The file is associated with an installed product.*_UnassociatedFileEntries.csv— entries whoseProgramIddoes not match any installed-application record. These are typically ad-hoc binaries, downloaded tools, scripts, and — relevant to DFIR — attacker tooling.
The Unassociated file is where most malicious binaries surface on a compromised host.
Root\InventoryApplication — installed applications#
One sub-key per installed application, keyed by ProgramId. Notable
values:
| Value name | Meaning |
|---|---|
ProgramId |
The 44-char identity, also used as the sub-key name. |
Name |
Application display name. |
Version |
Application version. |
Publisher |
Publisher string. |
RootDirPath |
Install directory. |
Source |
How the appraiser learned about the app: MSI, AddRemoveProgram, Win32WindowsUpdate, Inbox, ... |
Type |
Application type (Application, Driver, ...). |
Language |
LCID. |
MsiPackageCode |
MSI GUID, if from an MSI. |
MsiProductCode |
MSI product code, if from an MSI. |
InstallDate |
Application install date (FILETIME). |
Pivot pattern: take a ProgramId from a suspicious file in
InventoryApplicationFile, find the corresponding application here,
and you have the full installed-product context (publisher, version,
install date) for that file.
Root\InventoryDriverBinary — kernel-mode driver binaries#
One sub-key per driver binary the system loaded. Notable values:
| Value name | Meaning |
|---|---|
DriverName |
Driver file name. |
Inf |
The .inf that installed it. |
DriverVersion |
Driver version string. |
Product |
PE resource ProductName. |
ProductVersion |
PE resource ProductVersion. |
WdfVersion |
Windows Driver Framework version. |
DriverCompany |
Company string from the PE. |
DriverPackageStrongName |
Strong name. |
Service |
Associated service name. |
DriverSigned |
Whether the driver claimed a valid signature. |
DriverIsKernelMode |
1 for kernel-mode drivers. |
DriverTimeStamp |
Driver's PE link date. |
ImageSize |
Image size in bytes. |
Hash |
SHA-1 of the driver. |
For BYOVD (bring-your-own-vulnerable-driver) investigations,
sort by DriverTimeStamp ascending and look for old-but-signed
drivers that appeared recently on the host. A driver compiled in
2014 that first shows up in your Amcache today is suspicious by
construction.
Root\InventoryDeviceContainer — connected devices#
One sub-key per "device container" Windows tracks (printers, displays, removable-media controllers, Bluetooth devices, networked storage, ...). Notable values:
| Value name | Meaning |
|---|---|
FriendlyName |
"Brother HL-L2350DW", "Logitech BRIO", ... |
Manufacturer |
Vendor string. |
ModelName / ModelNumber |
Model identifiers. |
Categories |
Device categories. |
DiscoveryMethod |
How Windows enumerated the device. |
IsConnected |
1 if connected at last inventory. |
IsPaired |
1 if paired (Bluetooth, etc.). |
Icon |
Path to the device's icon resource. |
This is often the cleanest answer to "did this peripheral ever connect to this host?". For USB-mass-storage history specifically, see Amcache USB and device history.
Root\InventoryDevicePnp — PnP enumeration records#
One sub-key per device interface. Notable values:
| Value name | Meaning |
|---|---|
BusReportedDescription |
What the device told Windows it was. |
DeviceClass |
Driver class GUID. |
DeviceId / InstanceId |
PnP instance identifier. |
Manufacturer |
Vendor string. |
Model |
Model string. |
Service |
Driver service. |
DriverName |
Driver file backing the device. |
DevicePnp is the technical view; DeviceContainer is the
user-facing view. Join the two on InstanceId for the full picture.
Root\InventoryApplicationShortcut — Start menu / pinned shortcuts#
One sub-key per shortcut Windows tracks. Each entry includes the
shortcut's target path and a ProgramId linking to the parent
application. Less used in incident response, but useful for "what
did the user have pinned on $DATE" questions.
Root\InventoryApplicationDriver and InventoryApplicationFramework#
These are smaller catalogues tied to the modern InventoryApplication
view. Driver lists user-mode drivers associated with installed
applications; Framework lists framework dependencies. Both come up
infrequently in DFIR; they are more useful for application-inventory
audits than incident response.
Root\InventoryMiscellaneousUUPInfo#
Records information about Unified Update Platform packages. Rarely relevant to security investigations unless you are tracing how a specific Windows update was delivered.
Root\Programs (legacy)#
The older catalogue of installed applications, predating
InventoryApplication. Sparser metadata, but on some older builds
this is the only application list populated. AmcacheParser
exposes it as *_ProgramEntries.csv. Notable values:
| Value name | Meaning |
|---|---|
Name |
Program display name. |
Version |
Program version. |
Publisher |
Publisher string. |
InstallDate |
Install date (FILETIME). |
LanguageCode |
LCID. |
InstallSource |
Source path (CD, network share, downloads folder, URL). |
UninstallString |
Uninstall command line. |
RootDirPath |
Install directory. |
Source |
MSI, AddRemoveProgram, etc. |
Type |
Application, Driver, etc. |
ProgramInstanceId |
Per-install identifier. |
InstallSource is the value to keep an eye on. It sometimes
records the download URL or network share an installer came from,
which is invaluable when investigating supply-chain or
social-engineering intrusions.
Root\File (legacy)#
The older per-file catalogue. On modern hives this key is often
empty or contains a small subset of what InventoryApplicationFile
records. Worth checking, but rarely the primary source on a Windows
10+ host.
How values are encoded#
A few encoding quirks worth knowing:
- Timestamps are mostly stored as Windows
FILETIME64-bit values (100 ns ticks since 1601-01-01 UTC). AmcacheParser converts them to ISO-8601 UTC. - PE link dates are stored as 32-bit
time_tvalues (seconds since 1970-01-01 UTC). AmcacheParser converts them too. - Hashes are stored as 41-character strings with a
"0000"type prefix. - Booleans are
REG_DWORD0or1. - Path strings are stored lowercased in
LowerCaseLongPath. The original case is not preserved.
See also#
- Amcache complete reference — the high-level overview.
- Amcache FileId explained — the
"0000" + sha1identifier in detail. - Amcache ProgramId explained — the 44-char application identity.
- Amcache timestamps explained
—
KeyLastWriteTimestampvsLinkDateand friends. - AmcacheParser output columns explained — every CSV field, mapped back to these registry values.
To explore the structure on a hive you control, drop a file on the parser home page — every key and value is browsable in the UI.
Related posts
- Amcache: the complete Windows .hve forensics reference
Amcache is the Windows registry hive that records every PE binary the appraiser has inventoried, with SHA-1, path, publisher, and inventory time. Full reference.
- Where is the Amcache registry key?
Amcache is its own hive file at C:\Windows\AppCompat\Programs\Amcache.hve — not a key under HKLM. When loaded by tools or by Windows itself it mounts as HKLM\Amcache.
- Volatility and Amcache: extracting the hive from memory images
A practical guide to recovering Amcache from a Windows memory image using Volatility — when memory-side recovery is the only option, which plugins to use, and how to hand off to AmcacheParser.
- RegRipper amcache plugin: what it does and when to use it
A practical guide to RegRipper's amcache plugin — what it parses, how its text output differs from AmcacheParser's CSV, and when to reach for it instead of (or alongside) the Zimmerman tool.