Amcache on Windows 11 and Windows 10: schema, cadence, and quirks
Amcache reached its mature, modern shape in Windows 10 build 1709 (Fall Creators Update) and has been consistent in its broad strokes ever since on Windows 10 and Windows 11. The hive on a Windows 11 workstation today is read and analysed the same way it was on a Windows 10 1809 workstation in 2018 — but a handful of build-specific quirks have accumulated over the years, and knowing them keeps you from misreading evidence.
This page is the per-build reference for modern Windows. For Server specifics, see Amcache on Windows Server. For the broader artefact reference, see the Amcache complete reference.
The schema across Windows 10 builds
The Inventory* schema was added in Windows 10 build 1709
(Fall Creators Update, October 2017). Before that, Amcache on
Windows 10 used only the legacy Root\Programs and Root\File
keys — much sparser data per entry.
The headline Inventory* keys added in 1709:
- Root\InventoryApplication
- Root\InventoryApplicationFile
- Root\InventoryDriverBinary
- Root\InventoryDeviceContainer
- Root\InventoryDevicePnp
Subsequent Windows 10 feature updates have added or refined keys but kept the overall structure stable:
| Build | Notable Amcache change |
|---|---|
| 1709 | Inventory* schema introduced. |
| 1803 | InventoryApplicationFramework added. |
| 1809 | InventoryApplicationShortcut added (Start menu / pinned shortcuts). |
| 1903 | InventoryDeviceInterface added. |
| 1909 | Schema refinements; no major new keys. |
| 2004 | InventoryDriverPackage added (driver package metadata). |
| 20H2 | Schema stable. |
| 21H1 / 21H2 | Schema stable. |
| 22H2 | Final feature update; schema stable. |
In practice: anything from Windows 10 build 1709 onward has the
modern Inventory* schema and parses cleanly with current
AmcacheParser builds.
The schema on Windows 11
Windows 11 inherits the late-Windows-10 schema with minor additions:
- InventoryMiscellaneousUUPInfo records Unified Update Platform package metadata. Rarely useful in DFIR.
- InventoryDeviceMediaClass more aggressively records audio / video device sub-classifications. Useful for distinguishing USB-audio devices from USB-mass-storage devices when a single USB container exposes multiple interfaces.
- Driver records under InventoryDriverBinary include slightly more package-metadata fields, particularly around WHQL signing state.
There are no breaking changes between Windows 10 (post-1709) and
Windows 11 from a parsing standpoint. The same AmcacheParser.exe
binary handles both.
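As an added example (not code from the page or from AmcacheParser), the following Python takes the subkey names found under Root and returns the schema generation plus a minimum build, using only the key/build mapping in the table above and the Windows 11 additions just listed. The key names come from the page; the function names and the "pre-1709 / Windows 8.x" label are this example's own. The result is a lower bound: a marker key can be absent simply because nothing was ever recorded under it, so missing keys are not evidence of an older build.

```python
# Added example (not from the page or from AmcacheParser): infer the Amcache
# schema generation and the minimum Windows build from the subkeys present
# under Root, using the key/build mapping stated on this page.
from typing import Iterable, Tuple

# Key -> first build that carries it, per this page's build table. The
# Windows 11 entry follows the page's statement that
# InventoryMiscellaneousUUPInfo is a Windows 11 addition.
KEY_FIRST_SEEN = {
    "InventoryApplication": "1709",
    "InventoryApplicationFile": "1709",
    "InventoryDriverBinary": "1709",
    "InventoryDeviceContainer": "1709",
    "InventoryDevicePnp": "1709",
    "InventoryApplicationFramework": "1803",
    "InventoryApplicationShortcut": "1809",
    "InventoryDeviceInterface": "1903",
    "InventoryDriverPackage": "2004",
    "InventoryMiscellaneousUUPInfo": "Windows 11",
}

# Ordering used to pick the newest lower bound among the markers present.
BUILD_ORDER = ["1709", "1803", "1809", "1903", "2004", "Windows 11"]

# Legacy keys used by Windows 8.x and pre-1709 Windows 10.
LEGACY_KEYS = {"Programs", "File"}


def infer_schema(root_subkeys: Iterable[str]) -> Tuple[str, str]:
    """Return (schema, minimum_build) for the subkey names found under Root.

    schema is 'inventory', 'legacy' or 'unknown'. minimum_build is the newest
    build whose marker key is present, or 'pre-1709 / Windows 8.x' for a
    legacy-only hive. Absent marker keys are NOT evidence of an older build;
    the value is a lower bound only.
    """
    # Accept either 'Root\\X' or bare 'X' names.
    keys = {k.split("\\")[-1] for k in root_subkeys}
    inventory_hits = [k for k in keys if k in KEY_FIRST_SEEN]
    if not inventory_hits:
        if keys & LEGACY_KEYS:
            return "legacy", "pre-1709 / Windows 8.x"
        return "unknown", "unknown"
    newest = max((KEY_FIRST_SEEN[k] for k in inventory_hits), key=BUILD_ORDER.index)
    return "inventory", newest


def csv_outputs_to_expect(schema: str) -> Tuple[str, ...]:
    """The AmcacheParser CSVs this page says to focus on for each schema."""
    if schema == "inventory":
        return ("*_UnassociatedFileEntries.csv", "*_AssociatedFileEntries.csv")
    if schema == "legacy":
        return ("*_ProgramEntries.csv",)
    return ()


if __name__ == "__main__":
    # Constructed subkey listing, as a hive-walking tool might report it.
    win11_like = [
        "Root\\InventoryApplication",
        "Root\\InventoryApplicationFile",
        "Root\\InventoryDriverPackage",
        "Root\\InventoryMiscellaneousUUPInfo",
    ]
    schema, build = infer_schema(win11_like)
    print(schema, build, csv_outputs_to_expect(schema))
```

Feed it the subkey names your hive-walking tool reports under Root; the legacy Programs and File keys may sit alongside Inventory* keys on a modern hive, and the Inventory* markers win in that case.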
Appraiser cadence
The Compatibility Appraiser scheduled task populates the hive. Its cadence on modern Windows:
- Windows 11 workstation: roughly daily, typically once overnight when the host is idle. The exact trigger is a combination of idle-time triggers and a time-based trigger with random delay.
- Windows 10 workstation: same pattern.
- Tablet / convertible: less frequent — the appraiser is power-aware and skips when on battery.
- Domain-joined workstation with Microsoft Endpoint Manager: some MEM policies adjust the cadence; behaviour can vary.
The practical consequence: a freshly-installed Windows 11 host that has been running for less than 24 hours may have a very thin Amcache. Conversely, a workstation that has been on for years has a hive with thousands of entries spanning the full history.
Hive size on modern Windows
Typical sizes:
| Workload | Typical hive size | Notes |
|---|---|---|
| Fresh Windows 11 install (1 week) | 2–4 MB | Few entries; light driver / device data. |
| Standard office workstation (6 months) | 8–15 MB | Hundreds of InventoryApplicationFile rows; full driver and device records. |
| Developer workstation (1+ year) | 25–50 MB | Thousands of file entries from build artefacts; many LinkDate clusters. |
| Server (1+ year) | 5–15 MB | Smaller — fewer interactive apps, narrower scope. |
A hive much smaller than the workload suggests can be a flag for the appraiser being disabled (intentionally or via sabotage) — see Recovering deleted-binary evidence from Amcache.
Build-specific quirks worth knowing
A handful of quirks that catch analysts off-guard:
Windows 10 1909 / 2004 hash truncation edge case
On a small subset of Windows 10 1909 and 2004 hives, very large
binaries (>~1 GB) occasionally have an empty FileId rather than
a prefix-hash FileId. The behaviour was reportedly resolved in
later cumulative updates but appears in archived hives from that
era. Treat empty Hash rows for large files as "no hash captured"
rather than "binary is unique".
Windows 11 22H2+ device-container churn
Windows 11 22H2 introduced more aggressive re-enumeration of
device containers across Windows Update reboots, which can produce
"new" InventoryDeviceContainer rows for devices that have been
on the host for months. The KeyLastWriteTimestamp on these rows
reflects the re-enumeration, not first-connect. Cross-reference
with setupapi.dev.log and USBSTOR for true first-connect
timestamps.
ProgramId instability across Windows feature upgrades
A workstation that was upgraded from Windows 10 21H2 to Windows 11
22H2 may have different ProgramId values for the same
application before and after the upgrade. The cross-host
ProgramId pivot still works for hosts on the same major build;
across upgrades, also pivot on Hash (more stable across
upgrades) — see
Amcache ProgramId explained.
Inbox app churn on Windows 11
Windows 11 ships and removes inbox apps (the built-in store apps)
on a faster cadence than Windows 10 did. You see frequent
InventoryApplicationFile rows for the AppX layer that come and
go between feature updates. These are usually safely filtered by
Publisher = 'Microsoft Corporation' and an AppX-style path
under \Program Files\WindowsApps\.
Modern Standby / connected standby and the appraiser
On laptops in Modern Standby / connected standby, the appraiser trigger semantics differ from a desktop. You can see slightly longer appraiser intervals (sometimes 36–48 hours) on heavily-used laptops because the idle-time trigger rarely fires. Account for this when reasoning about first-seen times.
Differences from older Windows
Three things to remember when comparing Windows 10 / 11 Amcache to older Windows:
vs Windows 7 / Server 2008 R2
No equivalent — Windows 7 has RecentFileCache.bcf, a flat binary
file. See Where Amcache.hve is on disk
for the path and parser.
vs Windows 8 / 8.1 / Server 2012 / 2012 R2
Amcache.hve exists but with only the legacy Programs and
File keys. AmcacheParser produces *_ProgramEntries.csv but no
*_UnassociatedFileEntries.csv. Far less per-file detail.
vs early Windows 10 (pre-1709)
Same legacy-only schema as Windows 8.x. The big shift to
Inventory* was 1709.
Practical implications for triage
A few rules that follow from all the above:
- For Windows 10 1709+ and Windows 11, AmcacheParser CSVs have *_UnassociatedFileEntries.csv and *_AssociatedFileEntries.csv. That's the triage focus.
- For Windows 8 / 8.1 / Server 2012, focus on *_ProgramEntries.csv and recognise that per-file metadata is thin.
- For Windows 7, use a dedicated RecentFileCache.bcf parser — AmcacheParser does not handle it.
- For Server builds, allow for longer appraiser intervals; do not draw fine-grained first-seen conclusions on hour timescales.
- For laptops in Modern Standby, allow for similar variability.
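The quirks above (the empty FileId on >1 GB binaries, inbox-app churn under WindowsApps, ProgramId changing across a feature upgrade, the longer Modern Standby appraiser interval) and these triage rules can be turned into a small filter over AmcacheParser-style file rows. The Python below is an added example, not code from the page or from AmcacheParser. Its column names (FullPath, Size, SHA1, Publisher, ProgramId, FileKeyLastWriteTimestamp) are assumed and simplified, so check them against your own AmcacheParser CSV headers; every sample row, hash and ProgramId is constructed; and the first-seen window uses a deliberately simple model (one appraiser interval of slack, no missed runs).

```python
# Added example (not code from the page or from AmcacheParser): the page's
# triage rules and build quirks applied to AmcacheParser-style file rows.
# Column names and every sample row are constructed for this example.
import csv
import io
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Row = Dict[str, str]
ONE_GB = 1 << 30
WINDOWS_APPS = "\\program files\\windowsapps\\"

# Appraiser interval upper bounds from the cadence section: roughly daily on a
# workstation, 36-48 hours on a heavily used Modern Standby laptop.
APPRAISER_INTERVAL = {
    "workstation": timedelta(hours=24),
    "modern_standby_laptop": timedelta(hours=48),
}

# Constructed sample rows (hashes, ProgramIds and paths are made up).
SAMPLE_CSV = """\
FullPath,Size,SHA1,Publisher,ProgramId,FileKeyLastWriteTimestamp
c:\\program files\\windowsapps\\contoso.inboxapp_1.0_x64__abc\\app.exe,1048576,0123456789abcdef0123456789abcdef01234567,Microsoft Corporation,0006aaa,2024-03-02 02:14:00
c:\\users\\alice\\downloads\\bigimage.iso,1610612736,,Contoso,0006bbb,2024-03-02 02:14:00
c:\\users\\alice\\appdata\\local\\temp\\updater.exe,204800,89abcdef0123456789abcdef0123456789abcdef,,0006ccc,2024-03-02 02:14:00
"""


def load_rows(text: str) -> List[Row]:
    """Parse AmcacheParser-style CSV text into dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def classify_row(row: Row) -> str:
    """Sort one file row into a triage bucket using the page's rules:
    'inbox-app-churn' for a Microsoft-published AppX binary under WindowsApps
    (usually filtered on Windows 11); 'no-hash-captured' for an empty hash on
    a >1 GB binary (the 1909/2004 quirk: unhashed, not unique); otherwise
    'candidate', the normal triage focus."""
    path = row["FullPath"].lower()
    size = int(row["Size"] or 0)
    if row["Publisher"] == "Microsoft Corporation" and WINDOWS_APPS in path:
        return "inbox-app-churn"
    if not row["SHA1"].strip() and size > ONE_GB:
        return "no-hash-captured"
    return "candidate"


def triage(text: str) -> Dict[str, List[str]]:
    """Bucket every row of a CSV by classify_row, returning paths per bucket."""
    buckets: Dict[str, List[str]] = {}
    for row in load_rows(text):
        buckets.setdefault(classify_row(row), []).append(row["FullPath"])
    return buckets


def first_seen_window(row: Row, profile: str) -> Tuple[datetime, datetime]:
    """Window in which the file could first have appeared on disk. The row is
    written when the appraiser next runs, so its timestamp is the latest
    possible first-seen time and one appraiser interval earlier is the
    earliest (simplified model: one interval of slack, no missed runs)."""
    written = datetime.strptime(row["FileKeyLastWriteTimestamp"], "%Y-%m-%d %H:%M:%S")
    return written - APPRAISER_INTERVAL[profile], written


def pivot_rows(rows_a: List[Row], rows_b: List[Row]) -> List[Tuple[str, str, str]]:
    """Match rows across two hives (two hosts, or pre- and post-upgrade).
    Hash is tried first because ProgramId can change across a feature
    upgrade; ProgramId is the fallback when no hash was captured."""
    by_hash = {r["SHA1"]: r for r in rows_b if r["SHA1"].strip()}
    by_pid = {r["ProgramId"]: r for r in rows_b if r["ProgramId"].strip()}
    matches = []
    for a in rows_a:
        if a["SHA1"].strip() and a["SHA1"] in by_hash:
            matches.append((a["FullPath"], by_hash[a["SHA1"]]["FullPath"], "hash"))
        elif a["ProgramId"].strip() and a["ProgramId"] in by_pid:
            matches.append((a["FullPath"], by_pid[a["ProgramId"]]["FullPath"], "programid"))
    return matches


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print(triage(SAMPLE_CSV))
    print(first_seen_window(rows[2], "modern_standby_laptop"))
    # Constructed post-upgrade copy of the hive: same binaries, new ProgramIds.
    upgraded = [dict(r, ProgramId="0007" + r["ProgramId"][4:]) for r in rows]
    print(pivot_rows(rows, upgraded))
```

On the sample data the large ISO with no hash lands in no-hash-captured rather than looking like a unique binary, the WindowsApps row is set aside as inbox churn, and the pivot against the constructed post-upgrade hive still links both hashed binaries even though every ProgramId changed; the unhashed ISO is the one row the upgrade pivot loses.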
See also
- Amcache complete reference — the artefact in full.
- Amcache on Windows Server — server-specific behaviour.
- Where Amcache.hve is on disk — per-version file paths.
- Amcache registry structure — the modern Inventory* schema in full.
- Amcache timestamps explained — how to handle appraiser-cadence variability in your timelines.
To explore a Windows 10 or 11 hive right now without installing anything, drop the file on the parser home page — it parses entirely in your browser.