What's the difference between Amcache and AppCompatCache?

AppCompatCache (called Shimcache in every DFIR conversation that has ever happened) and Amcache both track PE binaries on a Windows host. They live in the same Application Compatibility infrastructure. They are otherwise quite different mechanisms, and people confuse them constantly.

The shortest possible version:

Shimcache is shorter, sparser, kernel-maintained, flushed on shutdown. Amcache is longer, richer, user-mode-maintained, written continuously.

Side by side#

Property Shimcache (AppCompatCache) Amcache
Storage SYSTEM hive, single binary value Standalone Amcache.hve
Registry path HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache C:\Windows\AppCompat\Programs\Amcache.hve
Maintainer Kernel loader Compatibility Appraiser (user-mode task)
Max entries 1024 (LRU) Effectively unbounded
Hash No SHA-1 of first 31 MiB
Publisher / version No Yes
ProgramId No Yes
Driver / device data No Yes (separate keys)
Persistence to disk Shutdown only Continuous (transaction logs)
Fresh on live system No (need shutdown or memory) Yes
Pre-Windows 10 1709 Yes (since XP) Partially (legacy schema only)
Default on Server Yes Yes (slower cadence)

For full coverage, see Amcache vs Shimcache.

When Shimcache wins#

  • "Did the loader actually touch this binary?" Shimcache records loader touches; Amcache records appraiser inventory. Different signals.
  • Memory-only acquisitions. Volatility's shimcachemem extracts Shimcache cleanly from RAM.
  • Pre-Windows-10-1709 hosts where modern Amcache schema isn't there.
  • Hardened hosts with the appraiser disabled. Shimcache is kernel-maintained and persists regardless.

When Amcache wins#

  • Hash pivots. Shimcache has nothing.
  • Cross-host hunts. No ProgramId, no hash, no leverage.
  • Driver and device evidence. Shimcache is userspace PE only.
  • Triage on a live system. Amcache is current on disk. Shimcache is stale until reboot.

Use both. Always.#

The two corroborate each other and the gaps are themselves information:

  • In both: the loader touched it and the appraiser inventoried it. Strong "present and used" finding.
  • In Shimcache only: loader touched it but the appraiser hasn't inventoried it yet, OR the file lives outside the appraiser's scan paths, OR the appraiser is off.
  • In Amcache only: present and inventoried but the loader hasn't touched it in the current 1024-entry window, OR Shimcache rotated, OR Shimcache was wiped.

Both absent on a host where you expected the binary is the strongest "this never happened" signal these two artefacts produce. For execution proof, pair with Prefetch.

Related posts

  • Why is my Amcache.hve empty?

    Three causes in order of frequency: appraiser disabled, host freshly imaged, or you're on a Server where the cadence is naturally slow. Tampering is a distant fourth.

  • Where is the Amcache registry key?

    Amcache is its own hive file, not a key under HKLM. Loaded on demand by the appraiser. Mounts at HKLM\Amcache when active.

  • What does Amcache.hve contain?

    Inventory records for every PE, driver, application, and connected device the Compatibility Appraiser has seen. SHA-1, full path, publisher, and timestamps per entry.

  • What's a .pf file vs an Amcache entry?

    .pf is execution proof with run times. Amcache is presence with hash and metadata. Same binary in both, only one, or neither, and which combination it is matters.

Back to all posts