What's the difference between Amcache and AppCompatCache?

AppCompatCache (commonly called ShimCache) and Amcache are different Windows artefacts that both record PE binaries on a host. They are constantly confused because both live in the Application Compatibility infrastructure — but they are different mechanisms with different limits and very different forensic value.

The headline differences:

ShimCache is shorter, sparser, held in kernel memory, and updated when the loader processes a PE. Amcache is larger, richer, written from user mode, and updated by the Compatibility Appraiser scheduled task.

Side-by-side

| Property | AppCompatCache (ShimCache) | Amcache |
|---|---|---|
| Storage | Single binary value in the SYSTEM hive | Standalone hive file, Amcache.hve |
| Location | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache | C:\Windows\AppCompat\Programs\Amcache.hve |
| Maintainer | Kernel, populated when the loader processes a PE | Microsoft Compatibility Appraiser scheduled task (user mode) |
| Max entries | 1024 (LRU eviction) | Effectively unbounded |
| Records hash? | No | Yes (SHA-1 of the first 31,457,280 bytes, about 31 MB, not of the whole file) |
| Records publisher / version? | No | Yes |
| Records ProgramId? | No | Yes |
| Records driver / device data? | No | Yes (separate keys) |
| Persistence to disk | Flushed to the SYSTEM hive at shutdown | Continuous (hive plus its .LOG1 / .LOG2 transaction logs) |
| Current on a live system? | No (wait for a shutdown, or carve it from memory) | Yes |
| Available before Windows 10 1709? | Yes (since Windows XP) | Partially (Windows 8 onward, legacy schema; Windows 7 only via later compatibility updates) |
| Default-on on Server? | Yes | Yes (but slower cadence) |

For full coverage, see Amcache vs ShimCache.

When ShimCache wins

  • "Did the loader touch this binary?" ShimCache records loader touches; Amcache records appraiser-inventoried presence. They are different signals.
  • Memory-only acquisitions. Volatility's shimcachemem plugin extracts ShimCache from RAM cleanly.
  • Pre-Windows-10 hosts. ShimCache has been there since Windows XP.
  • Hardened hosts with the appraiser disabled. ShimCache is maintained by the kernel; it persists even when the appraiser is off.

When Amcache wins

  • Hash pivots. ShimCache has no hash; Amcache has a SHA-1 (over the first 31,457,280 bytes of the file, so a pivot against full-file hashes only holds for files at or below that size).
  • Cross-host hunts. ShimCache has no ProgramId and no hash, so the only cross-host pivot it offers is path and timestamp. Amcache has both, so you can pivot on content.
  • Driver / device evidence. ShimCache covers user-mode PE only. Amcache has dedicated driver and device schemas.
  • Triage on a live system. Amcache is up-to-date on disk; the on-disk ShimCache reflects the last clean shutdown and stays stale until the next one.
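The hash-pivot caveat above bites in practice: a binary larger than 31,457,280 bytes will never match its full-file SHA-1 from a sandbox or a threat-intel feed, because Amcache hashed only the prefix. The helper below, an added example that is not code from the original post, recomputes the hash the way Amcache does and refuses to compare hashes that are not comparable. The function and constant names are mine; the only dependency is the standard library.

```python
# Added example (not from the original post): recompute the Amcache-style
# SHA-1 so a hash pivot does not silently miss large binaries.
import hashlib
from typing import Optional

# Amcache hashes only the first 31,457,280 bytes (about 31 MB) of a PE file.
AMCACHE_HASH_LIMIT = 31_457_280


def amcache_sha1_bytes(data: bytes) -> str:
    """SHA-1 of at most the first AMCACHE_HASH_LIMIT bytes of data."""
    return hashlib.sha1(data[:AMCACHE_HASH_LIMIT]).hexdigest()


def amcache_sha1_file(path: str) -> str:
    """Stream a file from disk, hashing only the Amcache-sized prefix."""
    h = hashlib.sha1()
    remaining = AMCACHE_HASH_LIMIT
    with open(path, "rb") as fh:
        while remaining > 0:
            chunk = fh.read(min(1 << 20, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def file_id_to_sha1(file_id: str) -> str:
    """Amcache stores the hash in the FileId value as '0000' + SHA-1; strip the prefix."""
    file_id = file_id.strip().lower()
    return file_id[4:] if file_id.startswith("0000") and len(file_id) == 44 else file_id


def hash_pivot_matches(amcache_sha1: str, full_file_sha1: str, file_size: int) -> Optional[bool]:
    """True/False when the two hashes are comparable; None when the file exceeds
    the Amcache limit, because then a mismatch proves nothing."""
    if file_size > AMCACHE_HASH_LIMIT:
        return None
    return amcache_sha1.strip().lower() == full_file_sha1.strip().lower()


if __name__ == "__main__":
    # Constructed demo: a buffer one byte over the limit hashes the same as the limit-sized prefix.
    prefix = b"A" * AMCACHE_HASH_LIMIT
    print(amcache_sha1_bytes(prefix) == amcache_sha1_bytes(prefix + b"X"))
    print(hash_pivot_matches("abc", "ABC", 1024), hash_pivot_matches("abc", "abc", AMCACHE_HASH_LIMIT + 1))
```

When `hash_pivot_matches` returns None, hash the suspect file yourself with `amcache_sha1_file` (or compare against the file size first) instead of treating the mismatch as evidence that the binary differs.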

When you should use both

Always. The two artefacts corroborate each other:

  • A binary in both → the loader touched it AND the appraiser inventoried it. Strong "this was present and loaded" finding, though on its own still not proof of execution.
  • A binary in ShimCache only → the loader touched it but the appraiser hasn't inventoried it yet, OR the file lived in a path the appraiser doesn't scan, OR the appraiser is disabled.
  • A binary in Amcache only → present and inventoried but the loader hasn't touched it within the current 1024-entry ShimCache window, OR ShimCache was wiped or rotated.

Both absent on a host where you'd expect the binary is the strongest "this never happened" signal these two artefacts will give you. For execution proof, pair them with Prefetch.
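The corroboration rules above are mechanical enough to script. The following is an added example, not code from the original post: it joins a ShimCache path list and a set of Amcache file records on a normalised path and labels each binary as seen by both, by one, or by neither. The record field names (`path`, `sha1`) and the sample data are constructed stand-ins for whatever your parser exports; real ShimCache entries can carry the NT object-manager prefix `\??\`, which the normaliser strips so the join works.

```python
# Added example (not from the original post): classify binaries by which
# artefact saw them, per the "when you should use both" rules.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


def normalise_path(p: str) -> str:
    """Make ShimCache and Amcache paths comparable: strip the NT \\??\\ prefix,
    unify separators, and case-fold (Amcache stores lower-case paths)."""
    p = p.strip().replace("/", "\\")
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


@dataclass(frozen=True)
class Verdict:
    path: str
    in_shimcache: bool
    in_amcache: bool
    amcache_sha1: Optional[str] = None

    @property
    def label(self) -> str:
        if self.in_shimcache and self.in_amcache:
            return "both"
        if self.in_shimcache:
            return "shimcache_only"
        if self.in_amcache:
            return "amcache_only"
        return "absent"

    @property
    def note(self) -> str:
        return {
            "both": "loader touched it and the appraiser inventoried it; pair with Prefetch for execution",
            "shimcache_only": "loader touched it; appraiser not yet run, path not scanned, or appraiser disabled",
            "amcache_only": "inventoried but outside the 1024-entry ShimCache window, or ShimCache rotated/wiped",
            "absent": "expected binary seen by neither artefact",
        }[self.label]


def corroborate(shimcache_paths: Iterable[str],
                amcache_records: Iterable[Dict[str, str]],
                expected: Iterable[str] = ()) -> List[Verdict]:
    """Return one Verdict per path seen by either artefact, plus any 'expected'
    path (e.g. from an IOC list) that neither artefact recorded."""
    shim = {normalise_path(p) for p in shimcache_paths}
    am: Dict[str, Optional[str]] = {}
    for rec in amcache_records:
        am[normalise_path(rec["path"])] = rec.get("sha1")
    universe = shim | set(am) | {normalise_path(p) for p in expected}
    return [Verdict(p, p in shim, p in am, am.get(p)) for p in sorted(universe)]


def summarise(verdicts: Iterable[Verdict]) -> Dict[str, int]:
    counts = {"both": 0, "shimcache_only": 0, "amcache_only": 0, "absent": 0}
    for v in verdicts:
        counts[v.label] += 1
    return counts


# Constructed sample input standing in for parsed artefact exports.
SAMPLE_SHIMCACHE = [
    r"C:\Windows\System32\cmd.exe",
    r"\??\C:\Users\alice\AppData\Local\Temp\update.exe",
]
SAMPLE_AMCACHE = [
    {"path": r"c:\windows\system32\cmd.exe", "sha1": "0" * 40},      # placeholder hash
    {"path": r"c:\programdata\vendor\agent.exe", "sha1": "1" * 40},  # placeholder hash
]
SAMPLE_EXPECTED = [r"C:\Users\alice\Downloads\tool.exe"]  # an IOC you expected to find

if __name__ == "__main__":
    verdicts = corroborate(SAMPLE_SHIMCACHE, SAMPLE_AMCACHE, SAMPLE_EXPECTED)
    for v in verdicts:
        print(f"{v.label:15} {v.path}  ({v.note})")
    print(summarise(verdicts))
```

The join is deliberately path-only, because path is the one key both artefacts share; once you have the Amcache SHA-1 for a "both" or "amcache_only" hit, that is the value to pivot on across the fleet.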

Related posts

  • Amcache vs ShimCache: when each artefact wins

    ShimCache and Amcache both record binaries that touched a Windows host. They are different mechanisms with different limits — here is when to use each, and what their overlap actually proves.

  • Why is my Amcache.hve empty?

    Three common causes: the Compatibility Appraiser is disabled, the host is freshly imaged, or you're collecting from a Server / Server Core where the appraiser runs much less often.

  • Where is the Amcache registry key?

    Amcache is its own hive file at C:\Windows\AppCompat\Programs\Amcache.hve — not a key under HKLM. When loaded by tools or by Windows itself it mounts as HKLM\Amcache.

  • What does Amcache.hve contain?

    Amcache.hve contains inventory records for every PE binary, driver, and connected device the Windows Compatibility Appraiser has seen — with SHA-1 hashes, paths, publishers, and timestamps.
