Amcache registry structure: every key explained
Amcache.hve is a Windows registry hive with one root key (Root) and a tree of sub-keys beneath it. Each sub-key holds a different inventory category: PE files, installed applications, drivers, devices, shortcuts. This page walks every notable key, what it records, and which values you actually use in DFIR.
For the high-level context, see the Amcache complete reference. For the CSV-column-level reference produced by AmcacheParser, see AmcacheParser output columns explained.
Top-level layout#
On a modern Windows 11 hive, Root contains roughly:
Root\
├── InventoryApplication
├── InventoryApplicationDriver
├── InventoryApplicationFile
├── InventoryApplicationFramework
├── InventoryApplicationShortcut
├── InventoryDeviceContainer
├── InventoryDeviceInterface
├── InventoryDeviceMediaClass
├── InventoryDevicePnp
├── InventoryDriverBinary
├── InventoryDriverPackage
├── InventoryMiscellaneousUUPInfo
├── File (legacy, may be empty)
└── Programs (legacy, often sparse)
The modern schema is Inventory*. The legacy schema is the flat File and Programs keys, present from Windows 8 onward. Windows 10 (build 1709 and later) and Windows 11 both write the modern schema. Some legacy entries may still appear depending on the build.
Root\InventoryApplicationFile (the headline key)#
This is where you spend most of your time. One sub-key per file the appraiser inventoried, named after the file's LongPathHash (an internal Amcache identifier) suffixed with a short discriminator. Each sub-key holds values for that file.
Notable values#
| Value name | Type | Meaning |
|---|---|---|
Name |
REG_SZ |
File name only (e.g. mimikatz.exe). |
LowerCaseLongPath |
REG_SZ |
Full path, lowercased. |
LongPathHash |
REG_SZ |
Amcache's internal path-dedup hash. |
FileId |
REG_SZ |
"0000" + sha1_hex. See Amcache FileId explained. |
Size |
REG_QWORD |
File size in bytes. |
IsPeFile |
REG_DWORD |
1 if the file is a PE. |
IsOsComponent |
REG_DWORD |
1 if part of Windows. |
Publisher |
REG_SZ |
Publisher string from the PE signature / resource. |
Version |
REG_SZ |
VS_FIXEDFILEINFO.dwFileVersion. |
BinFileVersion |
REG_SZ |
Binary file version. |
BinProductVersion |
REG_SZ |
Binary product version. |
ProductName |
REG_SZ |
PE resource ProductName. |
ProductVersion |
REG_SZ |
PE resource ProductVersion. |
LinkDate |
REG_SZ |
PE IMAGE_FILE_HEADER.TimeDateStamp (compile/link time). |
Language |
REG_DWORD |
PE resource language ID. |
Usn |
REG_QWORD |
USN journal entry tied to this inventory. |
ProgramId |
REG_SZ |
44-char application-identity hash, joins to InventoryApplication. See Amcache ProgramId explained. |
The key's own LastWriteTimestamp (not a value, but the registry-level metadata) is what AmcacheParser exposes as KeyLastWriteTimestamp. The single most useful timestamp for "when did Amcache record this entry?". Full coverage: Amcache timestamps explained.
Associated vs unassociated#
When AmcacheParser reads this key it splits entries into two CSVs:
*_AssociatedFileEntries.csv:ProgramIdmatches an entry inInventoryApplication. The file is associated with an installed product.*_UnassociatedFileEntries.csv:ProgramIddoes not match any installed-application record. Typically ad-hoc binaries, downloaded tools, scripts, and attacker tooling.
Unassociated is where most malicious binaries surface on a compromised host.
Root\InventoryApplication (installed applications)#
One sub-key per installed application, keyed by ProgramId.
| Value name | Meaning |
|---|---|
ProgramId |
The 44-char identity, also the sub-key name. |
Name |
Display name. |
Version |
Application version. |
Publisher |
Publisher string. |
RootDirPath |
Install directory. |
Source |
How the appraiser learned about the app: MSI, AddRemoveProgram, Win32WindowsUpdate, Inbox, ... |
Type |
Application type (Application, Driver, ...). |
Language |
LCID. |
MsiPackageCode |
MSI GUID, if from an MSI. |
MsiProductCode |
MSI product code, if from an MSI. |
InstallDate |
Application install date (FILETIME). |
Pivot: take a ProgramId from a suspicious file in InventoryApplicationFile, find the corresponding application record here, and you have the full installed-product context (publisher, version, install date) for that file.
Root\InventoryDriverBinary (kernel-mode driver binaries)#
One sub-key per driver binary the system loaded.
| Value name | Meaning |
|---|---|
DriverName |
Driver file name. |
Inf |
The .inf that installed it. |
DriverVersion |
Driver version string. |
Product |
PE resource ProductName. |
ProductVersion |
PE resource ProductVersion. |
WdfVersion |
Windows Driver Framework version. |
DriverCompany |
Company string from the PE. |
DriverPackageStrongName |
Strong name. |
Service |
Associated service name. |
DriverSigned |
Whether the driver claimed a valid signature. |
DriverIsKernelMode |
1 for kernel-mode drivers. |
DriverTimeStamp |
Driver's PE link date. |
ImageSize |
Image size in bytes. |
Hash |
SHA-1 of the driver. |
For BYOVD investigations, sort by DriverTimeStamp ascending and look for old-but-signed drivers that appeared recently on the host. A driver compiled in 2014 that first shows up in your hive today is suspicious by construction. See the BYOVD glossary.
Root\InventoryDeviceContainer (connected devices)#
One sub-key per "device container" Windows tracks (printers, displays, removable-media controllers, Bluetooth devices, networked storage, ...).
| Value name | Meaning |
|---|---|
FriendlyName |
"Brother HL-L2350DW", "Logitech BRIO", ... |
Manufacturer |
Vendor string. |
ModelName / ModelNumber |
Model identifiers. |
Categories |
Device categories. |
DiscoveryMethod |
How Windows enumerated the device. |
IsConnected |
1 if connected at last inventory. |
IsPaired |
1 if paired (Bluetooth etc.). |
Icon |
Path to the device's icon resource. |
Often the cleanest answer to "did this peripheral ever connect to this host?". For USB-mass-storage specifics, see Amcache USB and device history.
Root\InventoryDevicePnp (PnP enumeration records)#
One sub-key per device interface.
| Value name | Meaning |
|---|---|
BusReportedDescription |
What the device told Windows it was. |
DeviceClass |
Driver class GUID. |
DeviceId / InstanceId |
PnP instance identifier. |
Manufacturer |
Vendor string. |
Model |
Model string. |
Service |
Driver service. |
DriverName |
Driver file backing the device. |
DevicePnp is the technical view. DeviceContainer is the user-facing view. Join the two on InstanceId for the full picture.
Root\InventoryApplicationShortcut (Start menu / pinned shortcuts)#
One sub-key per shortcut Windows tracks. Each entry has the shortcut's target path and a ProgramId linking to the parent application. Pair with the LNK parser and jump list parser for the full picture of what the user had pinned and launched.
Root\InventoryApplicationDriver and InventoryApplicationFramework#
Smaller catalogues tied to the modern InventoryApplication view. Driver lists user-mode drivers associated with installed applications. Framework lists framework dependencies. Both come up infrequently in DFIR. More useful for application-inventory audits than incident response.
Root\InventoryMiscellaneousUUPInfo#
Records information about Unified Update Platform packages. Rarely relevant to security investigations unless you are tracing how a specific Windows update was delivered.
Root\Programs (legacy)#
Older catalogue of installed applications, predating InventoryApplication. Sparser metadata, but on some older builds this is the only application list populated. AmcacheParser exposes it as *_ProgramEntries.csv.
| Value name | Meaning |
|---|---|
Name |
Program display name. |
Version |
Program version. |
Publisher |
Publisher string. |
InstallDate |
Install date (FILETIME). |
LanguageCode |
LCID. |
InstallSource |
Source path (CD, network share, downloads folder, URL). |
UninstallString |
Uninstall command line. |
RootDirPath |
Install directory. |
Source |
MSI, AddRemoveProgram, etc. |
Type |
Application, Driver, etc. |
ProgramInstanceId |
Per-install identifier. |
InstallSource is the value to watch. It sometimes records the download URL or network share an installer came from. Invaluable when investigating supply-chain or social-engineering intrusions.
Root\File (legacy)#
Older per-file catalogue. On modern hives this key is often empty or contains a small subset of what InventoryApplicationFile records. Worth checking, but rarely the primary source on a Windows 10+ host.
How values are encoded#
A few encoding quirks worth knowing.
- Timestamps are mostly Windows
FILETIME64-bit (100 ns ticks since 1601-01-01 UTC). AmcacheParser converts to ISO-8601 UTC. - PE link dates are 32-bit
time_t(seconds since 1970-01-01 UTC). Also converted. - Hashes are 41-character strings with a
"0000"type prefix. - Booleans are
REG_DWORD0or1. - Path strings are stored lowercased in
LowerCaseLongPath. Original case is not preserved.
Further reading#
- Willi Ballenthin's original schema work at Mandiant.
- Yogesh Khatri's Amcache.hve in Windows 8 for the legacy schema's value-number mapping.
- Maxim Suhanov's writeups for the modern schema's idiosyncrasies.
Related#
Related posts
- Amcache: the complete Windows .hve forensics reference
Amcache is the hive the Compatibility Appraiser writes every PE on disk into, with SHA-1, full path, publisher, link date, and a key write time. The reference, from format to investigative use.
- Where is the Amcache registry key?
Amcache is its own hive file, not a key under HKLM. Loaded on demand by the appraiser. Mounts at HKLM\Amcache when active.
- Volatility and Amcache: extracting the hive from memory images
When you only have a RAM dump, Volatility extracts the in-memory copy of Amcache.hve. Hand off to AmcacheParser. The cases where this is the only option.
- RegRipper amcache plugin: what it does and when to use it
RegRipper's amcache plugin produces a plain-text Amcache report. Useful when you're already running RegRipper across other hives or need narrative output. Use AmcacheParser when you need CSV.