Amcache on Windows Server: cadence, coverage, and quirks

Amcache on Windows Server uses the same hive format and the same Inventory* schema as Windows 10 / 11 (covered in Amcache on Windows 11). The differences are in cadence, coverage, and operating context — none of which change how you parse, but all of which change how you reason about the data.

This page is the Server-specific reference for DFIR analysts working on Server 2016, 2019, 2022, 2025, and the corresponding Server Core editions.

For the broader artefact reference, see the Amcache complete reference. For the path and collection workflow on any Windows, see Where Amcache.hve is on disk.


What's the same#

On Windows Server 2016 onward, you get:

  • The same file path: C:\Windows\AppCompat\Programs\Amcache.hve + .LOG1 + .LOG2.
  • The same Inventory* schema as Windows 10 1709+ / Windows 11.
  • The same AmcacheParser.exe produces the same CSV categories.
  • The same triage filters apply (unsigned PE in user-writable path, etc.).

You can use the same playbooks, queries, and tools. Cross-host pivots described in Lateral movement and Amcache ProgramId pivoting work across mixed workstation + server environments without modification.


What's different#

Appraiser cadence is slower#

The Compatibility Appraiser scheduled task runs less frequently on Servers than on workstations. Typical intervals:

  • Workstation (Windows 10 / 11): ~24 h.
  • Server with Desktop Experience: 2–5 days between runs.
  • Server Core: weekly or longer; sometimes only on policy trigger.

The consequence: KeyLastWriteTimestamp precision on a Server hive is looser than on a workstation hive. A binary's first appearance in Amcache may lag its first appearance on disk by several days. For investigations that need hour-precision first-seen times, fall back to Sysmon / Security 4688 / MFT timestamps.

Less interactive activity → smaller hives#

A typical Server hive is smaller than a workstation hive of the same age:

  • Few or no \Users\<x>\AppData\... entries — server accounts rarely log on interactively.
  • Fewer ad-hoc binaries — production servers run a stable set of services.
  • Driver and device records are stable (servers rarely connect new USB / Bluetooth devices).

Sizes:

| Server type | Typical hive size (1 year) |
|---|---|
| Server Core (production) | 2–6 MB |
| Server with Desktop Experience (production) | 4–10 MB |
| Server with Desktop Experience (jumphost, admin RDP) | 10–25 MB |
| Domain controller | 4–12 MB |

A jumphost — a server that admins RDP into for cross-domain work — tends to look more like a workstation than a server: lots of interactive activity, lots of administrative tooling, lots of ad-hoc downloads. These are also the highest-value Server hives in most investigations.

Less LOLBIN noise, more LOLBIN signal#

Servers run a narrow set of LOLBINs (net.exe, wmic.exe, schtasks.exe, PowerShell). Any unusual LOLBIN execution on a production server stands out. Triage filters can be tighter:

Import-Csv .\SERVER01_amcache_AssociatedFileEntries.csv |
  Where-Object {
    $_.FullPath -match '\\System32\\(net|wmic|schtasks|certutil|bitsadmin|regsvr32)\.exe$'
  }

If the binary appears in Amcache and the KeyLastWriteTimestamp is recent, cross-reference with Security 4688 for the actual command-line execution. On a server, every command-line use of these tools is worth a look.


Server Core specifics#

Server Core (no Desktop Experience) is the leaner installation mode used for production workloads where admin access happens via PowerShell remoting or the management UIs. Quirks:

Even slower appraiser#

Server Core appraiser intervals of a week or more are normal. A hive that has not been updated in two weeks is not necessarily sabotage.

No interactive Start menu / shortcut data#

InventoryApplicationShortcut is sparse or empty — there is no Start menu to inventory. Don't pivot on shortcut data on Server Core.

Heavily-hardened / locked-down installs#

Some hardened Server Core builds disable the appraiser entirely. On those, Amcache is frozen at install time or shortly after. Check the appraiser scheduled task and the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\AmcacheUpdater\DisableScheduled (name varies by build) to confirm.

If the appraiser is intentionally disabled, Amcache is not a useful artefact on that host. Fall back to Sysmon, EDR, and the regular Windows event logs.


Hardened / non-CEIP servers#

Some organisations disable the Customer Experience Improvement Program (CEIP) and related telemetry on production servers by policy. The appraiser is part of that telemetry infrastructure; disabling CEIP often disables the appraiser by side effect.

Signs the appraiser has been disabled:

  • Amcache.hve exists but has a KeyLastWriteTimestamp distribution that stops at install time + a few days, with no newer entries.
  • The hive is small (<2 MB on a long-running server).
  • The scheduled task \Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser is disabled or has a LastRunTime matching the install date.
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection\AllowTelemetry is set to 0 by GPO.

On these hosts, Amcache is not the right artefact. Use:

  • Sysmon for real-time process / file / network telemetry (assuming it is deployed).
  • Security event log with command-line auditing enabled (4688 with ProcessCmdLine).
  • PowerShell operational log for script execution.
  • EDR for binary inventory and execution.
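An added example (not part of the original post) that checks the four "appraiser disabled" signs above on a live server and adds the timestamp spread of an AmcacheParser *FileEntries CSV. It assumes the CSV path shown and that the timestamp column is named FileKeyLastWriteTimestamp (AmcacheParser's name for what the text calls KeyLastWriteTimestamp); the InstallDate registry value is Windows' own Unix-epoch install time.

```powershell
# Added example: run on the server under review, or point -Csv at a parsed hive.
param(
    [string]$Csv = '.\SERVER01_amcache_UnassociatedFileEntries.csv',   # assumed file name
    [int]$InstallWindowDays = 7   # entries this close to install time count as "install only"
)

# Sign 2: hive size. Get-Item only reads metadata, so the live hive is fine.
$hive = Get-Item 'C:\Windows\AppCompat\Programs\Amcache.hve'

# Sign 3: appraiser task state and last run.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' `
                          -TaskName 'Microsoft Compatibility Appraiser'
$info = $task | Get-ScheduledTaskInfo

# Sign 4: telemetry policy (key is absent when no GPO sets it; $tele is then $null).
$tele = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' `
                         -Name AllowTelemetry -ErrorAction SilentlyContinue

# OS install time, for comparing against task LastRunTime and hive entries.
$os = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name InstallDate
$installed = [DateTimeOffset]::FromUnixTimeSeconds($os.InstallDate).UtcDateTime

# Sign 1: timestamp distribution. If newest minus oldest is only a few days on a
# host that has been up for months, the hive stopped being updated.
$stamps = Import-Csv $Csv |
    ForEach-Object { [datetime]$_.FileKeyLastWriteTimestamp } |   # assumed column name
    Sort-Object
$spanDays = ($stamps[-1] - $stamps[0]).TotalDays
$uptimeDays = ((Get-Date) - $installed).TotalDays

[pscustomobject]@{
    HiveSizeMB       = [math]::Round($hive.Length / 1MB, 1)
    HiveSmall        = ($hive.Length -lt 2MB) -and ($uptimeDays -gt 90)
    TaskState        = $task.State                      # Ready / Disabled / Running
    TaskLastRun      = $info.LastRunTime
    LastRunAtInstall = ($info.LastRunTime - $installed).TotalDays -lt $InstallWindowDays
    AllowTelemetry   = $tele.AllowTelemetry
    TelemetryOff     = $tele.AllowTelemetry -eq 0
    NewestEntry      = $stamps[-1]
    EntrySpanDays    = [math]::Round($spanDays, 1)
    HiveFrozen       = ($spanDays -lt $InstallWindowDays) -and ($uptimeDays -gt 90)
}
```

If HiveFrozen, TaskState = Disabled, or TelemetryOff comes back true, treat the host as an "Amcache not useful" case and move to the fallbacks listed above.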

Domain controllers#

DCs are a special case worth treating with extra care:

  • They are servers, so all the Server-cadence caveats apply.
  • They are the highest-value targets in any environment, so any Amcache entry pointing at an unfamiliar binary deserves immediate triage.
  • Many organisations restrict interactive logon to DCs, so the presence of any \Users\<admin>\AppData\... row on a DC is itself unusual and worth investigating regardless of the binary's hash.

A useful baseline filter for DCs:

Import-Csv .\DC01_amcache_UnassociatedFileEntries.csv |
  Where-Object {
    $_.FullPath -match '\\Users\\' -and
    $_.IsPeFile -eq 'True'
  }

Any non-empty result on a DC warrants direct attention.


RDS / Citrix / multi-user session hosts#

Remote Desktop Session Hosts and Citrix servers are the most workstation-like servers from an Amcache perspective:

  • Many user profiles → many \Users\ paths to triage.
  • Lots of interactive activity → lots of inventory churn.
  • Frequently used as jumphosts and pivot points.

On these, treat the hive as you would a workstation hive — but with the slower appraiser cadence in mind. The "unsigned PE in user-writable path" filter is the most productive starting point.


Cluster / failover scenarios#

On Windows Server Failover Clustering, each node has its own Amcache.hve. Collect from every node — a binary that appeared on one cluster node may not have appeared on others, especially if the attacker compromised only one.

For investigations on highly-available services (SQL AlwaysOn, Exchange DAG, Hyper-V clusters), the per-node Amcache is part of the standard collection set alongside the cluster log (Get-ClusterLog) and the application-level logs.
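An added example (not part of the original post) of the per-node cross-correlation described above: it loads one AmcacheParser *FileEntries CSV per cluster node and lists PE files that are present on only some nodes. Node names and file names are assumed; the columns used (SHA1, FullPath, IsPeFile, FileKeyLastWriteTimestamp) are AmcacheParser's.

```powershell
# Added example: one parsed hive per cluster node (file names assumed).
$nodeCsvs = @{
    NODE01 = '.\NODE01_amcache_UnassociatedFileEntries.csv'
    NODE02 = '.\NODE02_amcache_UnassociatedFileEntries.csv'
    NODE03 = '.\NODE03_amcache_UnassociatedFileEntries.csv'
}

# Flatten all nodes into one row set, tagging each row with its node.
$rows = foreach ($node in $nodeCsvs.Keys) {
    Import-Csv $nodeCsvs[$node] |
        Where-Object { $_.IsPeFile -eq 'True' -and $_.SHA1 } |
        Select-Object @{ n = 'Node'; e = { $node } }, SHA1, FullPath, FileKeyLastWriteTimestamp
}

# Group by SHA1 rather than path so a renamed or relocated copy still
# collapses to the same binary. Report hashes missing from at least one node.
$rows | Group-Object SHA1 | ForEach-Object {
    $g    = $_
    $seen = @($g.Group.Node | Sort-Object -Unique)
    if ($seen.Count -lt $nodeCsvs.Count) {
        [pscustomobject]@{
            SHA1      = $g.Name
            SeenOn    = $seen -join ','
            MissingOn = @($nodeCsvs.Keys | Where-Object { $_ -notin $seen }) -join ','
            FirstSeen = ($g.Group.FileKeyLastWriteTimestamp | Sort-Object)[0]
            Path      = $g.Group[0].FullPath
        }
    }
} | Sort-Object FirstSeen -Descending | Format-Table -AutoSize
```

Binaries seen on a single node with a recent FirstSeen are the first rows to pivot on; remember the cadence caveat, since the node that shows the binary may simply be the one whose appraiser ran most recently.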


Quick decision table#

| Server type | Use Amcache? | Notes |
|---|---|---|
| Production app server (stable) | Yes | Slower cadence; very low FP rate; any hit is significant. |
| Database / DC | Yes, with care | Special-attention hosts; tight filter on user paths. |
| Jumphost / RDS / Citrix | Yes — primary | Highest-value Server hive; treat like workstation. |
| Hardened Server Core (CEIP off) | No | Hive frozen; use Sysmon / EDR instead. |
| Failover cluster node | Yes — collect all nodes | Per-node analysis; cross-correlate. |

See also#

To explore a Server hive without installing anything, drop the file on the parser home page — it parses entirely in your browser.
