Amcache on Windows Server: cadence, coverage, and quirks

Amcache on Windows Server uses the same hive format and the same Inventory* schema as Windows 10 / 11 (covered in Amcache on Windows 11). The differences are in cadence, coverage, and operating context. None of those change how you parse. All of them change how you reason about the data.

This page is the Server-specific reference for analysts working on Server 2016, 2019, 2022, 2025, and their Server Core editions.

For the broader artefact reference, see the Amcache complete reference. For the path and collection workflow on any Windows, see Where Amcache.hve is on disk.

What's the same#

On Windows Server 2016 onward you get:

  • Same file path: C:\Windows\AppCompat\Programs\Amcache.hve + .LOG1 + .LOG2.
  • Same Inventory* schema as Windows 10 1709+ / Windows 11.
  • Same AmcacheParser.exe produces the same CSV categories.
  • Same triage filters apply (unsigned PE in user-writable path, etc).

Same playbooks, queries, tools. Cross-host pivots described in Lateral movement and Amcache ProgramId pivoting work across mixed workstation + server environments without modification.

What's different#

Appraiser cadence is slower#

The Compatibility Appraiser scheduled task runs less often on Servers. Typical intervals:

  • Workstation (Win 10/11): ~24h.
  • Server with Desktop Experience: 2-5 days.
  • Server Core: weekly or longer. Sometimes only on policy trigger.

Consequence: KeyLastWriteTimestamp precision on a Server hive is looser. A binary's first appearance in Amcache may lag its first appearance on disk by several days. For hour-precision first-seen, fall back to Sysmon / Security 4688 / MFT timestamps.

Less interactive activity, smaller hives#

A typical Server hive is smaller than a workstation hive of the same age:

  • Few or no \Users\<x>\AppData\... entries. Server accounts rarely log on interactively.
  • Fewer ad-hoc binaries. Production servers run a stable set of services.
  • Driver and device records are stable. Servers rarely connect new USB / Bluetooth devices.

Sizes:

Server type Typical hive size (1 year)
Server Core (production) 2-6 MB
Server with Desktop Experience (production) 4-10 MB
Server with Desktop Experience (jumphost, admin RDP) 10-25 MB
Domain controller 4-12 MB

A jumphost (a server admins RDP into for cross-domain work) tends to look more like a workstation than a server: lots of interactive activity, lots of administrative tooling, lots of ad-hoc downloads. These are also the highest-value Server hives in most investigations.

Less LOLBIN noise, more LOLBIN signal#

Servers run a narrow set of LOLBINs (net.exe, wmic.exe, schtasks.exe, PowerShell). Any unusual LOLBIN execution on a production server stands out. Triage filters can be tighter:

Import-Csv .\SERVER01_amcache_AssociatedFileEntries.csv |
 Where-Object {
  $_.FullPath -match '\\System32\\(net|wmic|schtasks|certutil|bitsadmin|regsvr32)\.exe$'
 }

If the binary appears in Amcache and KeyLastWriteTimestamp is recent, cross-reference Security 4688 for actual command-line execution. On a server, every command-line use of these tools deserves a look.

Server Core specifics#

Server Core (no Desktop Experience) is the leaner installation for production workloads where admin happens via PowerShell remoting or management UIs. Quirks:

Even slower appraiser#

Server Core appraiser intervals of a week or more are normal. A hive untouched for two weeks is not necessarily sabotage.

No interactive Start menu / shortcut data#

InventoryApplicationShortcut is sparse or empty. No Start menu to inventory. Don't pivot on shortcut data on Server Core.

Heavily hardened installs#

Some hardened Server Core builds disable the appraiser entirely. On those, Amcache is frozen at install time or shortly after. Check the appraiser scheduled task and the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\AmcacheUpdater\DisableScheduled (name varies by build) to confirm.

If the appraiser is intentionally disabled, Amcache is not a useful artefact on that host. Fall back to Sysmon, EDR, and the regular Windows event logs.

Hardened / non-CEIP servers#

Some organisations disable CEIP and related telemetry on production servers by policy. The appraiser is part of that telemetry; disabling CEIP often disables the appraiser by side effect.

Signs the appraiser is off:

  • Amcache.hve exists but KeyLastWriteTimestamp distribution stops at install time + a few days, with no newer entries.
  • Hive is small (<2 MB on a long-running server).
  • Scheduled task \Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser is disabled or has a LastRunTime matching install date.
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection\AllowTelemetry = 0 by GPO.

On these hosts, Amcache is not the right artefact. Use:

  • Sysmon for real-time process / file / network telemetry (if deployed).
  • Security event log with command-line auditing (4688 with ProcessCmdLine).
  • PowerShell operational log for script execution.
  • EDR for binary inventory and execution.

Domain controllers#

DCs are a special case worth treating with extra care:

  • They're servers, so all Server-cadence caveats apply.
  • They're the highest-value targets in any environment. Any Amcache entry pointing at an unfamiliar binary deserves immediate triage.
  • Many organisations restrict interactive logon to DCs, so the presence of any \Users\<admin>\AppData\... row on a DC is itself unusual regardless of the binary's hash.

Useful baseline filter for DCs:

Import-Csv .\DC01_amcache_UnassociatedFileEntries.csv |
 Where-Object {
  $_.FullPath -match '\\Users\\' -and
  $_.IsPeFile -eq 'True'
 }

Any non-empty result on a DC warrants direct attention.

RDS / Citrix / multi-user session hosts#

Remote Desktop Session Hosts and Citrix servers are the most workstation-like servers from an Amcache perspective:

  • Many user profiles, many \Users\ paths to triage.
  • Lots of interactive activity, lots of inventory churn.
  • Frequently used as jumphosts and pivot points.

Treat the hive like a workstation hive. But account for the slower appraiser cadence. The "unsigned PE in user-writable path" filter is the most productive starting point.

Cluster / failover scenarios#

On Windows Server Failover Clustering, each node has its own Amcache.hve. Collect from every node. A binary that appeared on one cluster node may not have appeared on others, especially if the attacker compromised only one.

For investigations on highly-available services (SQL AlwaysOn, Exchange DAG, Hyper-V clusters), per-node Amcache is part of the standard collection set alongside the cluster log (Get-ClusterLog) and application-level logs.

Decision table#

Server type Use Amcache? Notes
Production app server (stable) Yes Slower cadence. Very low FP rate. Any hit is significant.
Database / DC Yes, with care Special-attention hosts. Tight filter on user paths.
Jumphost / RDS / Citrix Yes - primary Highest-value Server hive. Treat like a workstation.
Hardened Server Core (CEIP off) No Hive frozen. Use Sysmon / EDR instead.
Failover cluster node Yes, collect all nodes Per-node analysis. Cross-correlate.

Further reading#

  • Microsoft documentation for Server-specific telemetry policy.
  • The AllowTelemetry GPO reference and its build-by-build behaviour.

Related posts

Back to all posts