# Amcache vs Prefetch: what each one really proves
Both Amcache and Prefetch are Windows artefacts that tell you what binaries have been on a host. They are constantly confused, and the confusion produces wrong findings. This page is the practical guide to what each one really proves and when to use which.
The headline difference, up front:
Prefetch proves execution. Amcache proves presence.
For the broader Amcache reference, see the Amcache complete reference. For the file structure, see Amcache registry structure.
## What each one records
### Prefetch
A directory of .pf files (C:\Windows\Prefetch\) maintained by
the Prefetcher subsystem. Each file is created the first time
a binary is executed, and updated on subsequent executions. Each
.pf file contains:
- The executable's name and hash.
- Up to 8 execution timestamps (10 on Windows 11) — actual runs.
- A run count.
- A list of files the executable loaded during its first 10 seconds of execution.
- A list of volumes referenced.
Prefetch exists because Windows uses the files-loaded data to
pre-cache those files before the binary next runs, speeding up
launch time. The forensic value is a side effect: the existence of
a .pf is proof that the binary ran.
### Amcache
A single registry hive (C:\Windows\AppCompat\Programs\Amcache.hve)
populated by the Compatibility Appraiser scheduled task. The
appraiser walks the system periodically (roughly daily on
workstations) and inventories every PE binary it finds, recording:
- Full path, size, SHA-1 hash of the first 31 MiB.
- PE metadata (publisher, version, link date, language).
- Per-application context (ProgramId, install date).
- Per-driver and per-device context for the relevant categories.
Amcache exists to support Windows's compatibility-telemetry infrastructure. The forensic value is, again, a side effect.
## The fundamental difference
| Question | Prefetch | Amcache |
|---|---|---|
| "Did this binary run on this host?" | Yes — definitive. | No. |
| "Was this binary ever on disk?" | Not directly (only if it ran). | Yes. |
| "When did it run?" | Yes — up to 8/10 timestamps per binary. | No. |
| "What's its SHA-1?" | Hash exists but is a Prefetch hash, not SHA-1. | Yes — SHA-1 of first 31 MiB. |
| "What's its full path?" | Recoverable. | Yes — directly. |
| "Does it survive deletion?" | The .pf survives binary deletion. | The hive entry survives binary deletion. |
| "Does it survive system reboot?" | Yes. | Yes. |
| "Does it survive wiping the artefact directly?" | No — .pf files can be deleted. | No — hive can be deleted (but transaction logs and VSS often preserve). |
The two artefacts answer different questions. Where they overlap (same file, same host, same time window), they corroborate each other. Where they diverge, the divergence is itself information.
## How they overlap and diverge
### Both present (the typical case)
A binary runs, the Prefetcher creates a .pf, and the appraiser
inventories it on its next pass. You see the binary in both
artefacts. The Prefetch tells you the run times; the Amcache tells
you the path, publisher, hash, and metadata.
### Amcache only — "present but never ran"
You find a binary in *_UnassociatedFileEntries.csv with no
corresponding .pf. Possible reasons:
- The binary was placed on disk but never executed.
- The binary was executed but Prefetch is disabled (rare — the PrefetchParameters registry key controls this).
- The binary was executed once but the .pf was deleted (anti-forensics, disk cleanup, intentional removal).
The "present but never ran" reading is the most common, and it is a very different finding from "executed". Typical cases: a staged but never-run attacker tool; a dropped DLL that was loaded only by rundll32.exe (in which case rundll32.exe's .pf updates instead); a payload waiting for a trigger that never came.
### Prefetch only — "ran but no inventory"
You find a .pf for a binary, but no row in Amcache. Possible
reasons:
- The binary executed between appraiser runs and was deleted before the next pass. The Prefetch survived; Amcache never saw the file.
- The binary lives in a path the appraiser does not scan.
- The appraiser is disabled or has been malfunctioning.
The "ran but no inventory" reading is the stronger signal for deliberate cleanup. The binary lived long enough to execute, then disappeared before the next inventory pass. That timing is characteristic of:
- Cobalt Strike / Sliver / similar C2 stagers that drop, execute, and self-delete.
- In-memory tooling that wrote a tiny launcher to disk only briefly.
- Wiper deployment where the operator removed the dropper after successful execution.
### Both absent — "never seen"
A binary appears in neither Prefetch nor Amcache. The strongest case for "this never happened on this host" — but not conclusive:
- Both artefacts can be wiped by a sufficiently capable attacker.
- A binary that never executed and existed on disk only during a brief window between two appraiser passes may be absent from both, even in benign circumstances.
- On servers with the appraiser disabled, Amcache may be entirely empty for some periods.
## Hashing differences
A trap that catches new analysts:
- Prefetch hash is a Windows-specific path hash (not a content hash). It is in the .pf filename: NOTEPAD.EXE-1A2B3C4D.pf. You cannot submit it to VirusTotal.
- Amcache hash is a real SHA-1 of the first 31 MiB. You can submit it to VirusTotal directly. See Amcache FileId explained.
To get a content hash from Prefetch, you need the binary itself —
the .pf file does not contain the binary or a content hash.
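To check whether a file still on disk is the same content Amcache recorded, hash it with the same 31 MiB bound rather than a full-file SHA-1. This is an added example written for this page, not code from AmcacheParser or any other tool; it assumes only the 31 MiB limit stated above and uses constructed byte strings as stand-ins for binaries.

```python
import hashlib
import io

# Amcache hashes only the first 31 MiB of a PE, so a full-file SHA-1 of a
# larger binary never matches the hive value. Reproduce the bound here.
AMCACHE_HASH_LIMIT = 31 * 1024 * 1024


def amcache_sha1(stream, limit=AMCACHE_HASH_LIMIT):
    """SHA-1 over at most `limit` bytes of a binary stream, read in chunks."""
    digest = hashlib.sha1()
    remaining = limit
    while remaining > 0:
        chunk = stream.read(min(1 << 16, remaining))
        if not chunk:
            break  # file shorter than the limit: whole content hashed
        digest.update(chunk)
        remaining -= len(chunk)
    return digest.hexdigest()


def amcache_sha1_bytes(data, limit=AMCACHE_HASH_LIMIT):
    """Convenience wrapper for in-memory data (constructed samples, carved files)."""
    return amcache_sha1(io.BytesIO(data), limit)


def matches_amcache_row(path, amcache_hash):
    """True if the file on disk still has the content the Amcache row recorded."""
    with open(path, "rb") as f:
        return amcache_sha1(f) == amcache_hash.strip().lower()


if __name__ == "__main__":
    small = b"MZ" + b"\x00" * 100                        # constructed stand-in for a small PE
    big = b"MZ" + b"\x00" * (AMCACHE_HASH_LIMIT + 4096)  # constructed file larger than 31 MiB
    print(amcache_sha1_bytes(small) == hashlib.sha1(small).hexdigest())  # True
    print(amcache_sha1_bytes(big) == hashlib.sha1(big).hexdigest())      # False
```

A mismatch on a file larger than 31 MiB is expected when you compare against a full-file hash, and is not by itself evidence that the binary changed.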
## How to combine them in a timeline
The right way to use both:
- Parse both. AmcacheParser for Amcache; PECmd (also Zimmerman) for Prefetch.
- Load both CSVs into Timeline Explorer (the Amcache side is *_UnassociatedFileEntries.csv). Filter Prefetch to the host's time window of interest.
- Triage from Amcache. Apply the "unsigned PE in user-writable path" filter to surface suspicious binaries.
- Confirm execution via Prefetch. For each suspicious row, check if a .pf exists. If yes, you have execution proof. If no, you have presence-only.
- Cross-reference timestamps. Prefetch gives precise run times; Amcache KeyLastWriteTimestamp gives an inventory time that bounds when the binary first appeared. The earlier of "first Prefetch run" and "first Amcache inventory" is your best estimate of when the binary arrived.
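The cross-reference steps above as one script: join the two CSVs, label each binary as both / Prefetch-only / Amcache-only, flag user-writable paths, and take the earlier of first run and inventory time. This is an added example, not Timeline Explorer or Zimmerman tooling; the CSV rows are constructed, and the column names (FullPath, Hash, KeyLastWriteTimestamp, ExecutableName, RunCount, LastRun, PreviousRun0) and the path prefixes are assumptions to remap against your real AmcacheParser and PECmd output.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows in the shape of AmcacheParser's *_UnassociatedFileEntries.csv
# and PECmd's CSV. Column names are assumptions; remap them if your tool version differs.
AMCACHE_CSV = """FullPath,Hash,KeyLastWriteTimestamp
C:\\Windows\\System32\\notepad.exe,aaaa1111,2024-03-02 09:10:00
C:\\Users\\bob\\AppData\\Local\\Temp\\staged.exe,bbbb2222,2024-03-02 09:10:00
"""
PREFETCH_CSV = """ExecutableName,RunCount,LastRun,PreviousRun0
NOTEPAD.EXE,3,2024-03-02 08:00:00,2024-03-01 12:00:00
DROPPER.EXE,1,2024-03-01 23:45:00,
"""
# Assumed "user-writable path" triage heuristic; extend for your environment.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Assumed PECmd run-time columns; real output carries more (PreviousRun0..6).
RUN_COLUMNS = ("LastRun", "PreviousRun0")


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S") if value else None


def classify(amcache_csv, prefetch_csv):
    """Join both artefacts by executable name and label what each binary proves."""
    # Prefetch records only the upper-cased executable name; Amcache has the full
    # path, so same-named binaries in different directories share one key here.
    amcache = {r["FullPath"].rsplit("\\", 1)[-1].upper(): r
               for r in csv.DictReader(io.StringIO(amcache_csv))}
    prefetch = {r["ExecutableName"].upper(): r
                for r in csv.DictReader(io.StringIO(prefetch_csv))}
    findings = {}
    for name in sorted(set(amcache) | set(prefetch)):
        a, p = amcache.get(name), prefetch.get(name)
        runs = [parse_ts(p[c]) for c in RUN_COLUMNS if p and p.get(c)]
        inventory = parse_ts(a["KeyLastWriteTimestamp"]) if a else None
        known = [t for t in runs + [inventory] if t]
        findings[name] = {
            # both: corroborated; prefetch_only: ran then vanished; amcache_only: presence only
            "verdict": "both" if a and p else ("prefetch_only" if p else "amcache_only"),
            "executed": p is not None,
            "sha1": a["Hash"] if a else None,
            "user_writable_path": bool(a) and a["FullPath"].lower().startswith(USER_WRITABLE),
            # Earlier of first Prefetch run and Amcache inventory bounds the arrival time.
            "earliest_seen": min(known) if known else None,
        }
    return findings


if __name__ == "__main__":
    for name, f in classify(AMCACHE_CSV, PREFETCH_CSV).items():
        print(f"{name:12} {f['verdict']:14} earliest={f['earliest_seen']} sha1={f['sha1']}")
```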
For more on the Amcache time-bound pivot, see Amcache timestamps explained.
## Quick decision table
| Your question | Look at... |
|---|---|
| Did this binary ever run on this host? | Prefetch. |
| When did this binary run? | Prefetch (up to 8/10 times). |
| Was this binary present on this host? | Amcache. |
| What is its SHA-1 hash? | Amcache Hash. |
| What was its full path? | Amcache FullPath (or recover from Prefetch metadata). |
| Did it execute multiple times? | Prefetch run count. |
| What other files did it load when it ran? | Prefetch files-loaded list. |
| Is the binary still on disk? | File-system check; Amcache does not say. |
| Did the binary's content change over time? | Amcache (rows with same FullPath, different Hash, different KeyLastWriteTimestamp). |
| Is this binary present on other hosts? | Amcache Hash and ProgramId across collected hives. |
## Anti-forensics implications
Both artefacts can be tampered with, but they have different weaknesses:
- Prefetch is per-file. An attacker who wants to clean up after a specific binary needs only to delete that binary's .pf. Easy and targeted.
- Amcache is monolithic. Cleaning a specific entry requires editing the hive in place — possible, but more involved than deleting a file. Many attackers just delete the whole hive, which is loud (the appraiser recreates it) and forensically obvious.
- Transaction logs and VSS preserve Amcache history that the attacker may not have thought to clean. See Where Amcache.hve is on disk for the VSS recovery workflow.
In an investigation where you suspect tampering, the absence of expected entries in both artefacts is itself the finding.
## See also
- Amcache complete reference — the artefact in full.
- Amcache vs ShimCache — the other major "did this binary touch this host?" artefact.
- Amcache vs SRUM — the third execution-evidence artefact for long-window questions.
- Amcache timestamps explained — the right way to time-bound an Amcache pivot.
- Amcache for malware investigation — how Amcache and Prefetch combine in a real intrusion playbook.
Want to look at a hive alongside your Prefetch data? Drop the hive on the parser home page — it parses entirely in your browser and pairs nicely with PECmd's CSV output.