AmcacheParser CLI cheatsheet: every flag, with worked examples
The practical, copy-pasteable reference for AmcacheParser.exe. For background on what the tool does, see the AmcacheParser complete guide. For details on the CSV it produces, see AmcacheParser output columns explained.
Flag reference#
Required (one of)#
| Flag | Description |
|---|---|
-f <path> |
Path to a single Amcache.hve. |
-d <dir> |
Directory to recurse, parsing every Amcache.hve found. Useful for many-host collections. |
Output#
| Flag | Description |
|---|---|
--csv <dir> |
Required. Output directory for per-category CSVs. |
--csvf <name> |
Base filename. For multi-host triage, set this to <HOSTNAME> so the CSVs sort cleanly. |
Filters and inclusion#
| Flag | Description |
|---|---|
-i |
Include IsOSComponent = true entries (Windows-shipped). Off by default. OS components add tens of thousands of low-value rows. |
--mp |
Multi-pass. Re-walk to recover orphaned entries. Costs seconds. Almost always worth it. |
--nl |
Skip transaction logs. Rarely correct. See warning below. |
Logging and debug#
| Flag | Description |
|---|---|
--debug |
Verbose debug logging to stderr. Use when a parse seems off. |
--trace |
Maximum verbosity. Pipe to a file. The output is large. |
The "good defaults" invocation#
AmcacheParser.exe -f <hive> --csv <outdir> --csvf <HOSTNAME>_amcache.csv --mpAdd -i only when you specifically need the OS-component rows (e.g. investigating a hijacked system DLL).
Transaction logs warning.
Amcache.hvewrites through.LOG1/.LOG2like every registry hive. Always collect the logs alongside the hive, and never pass--nlunless you have a specific reason. You will silently miss the most recent activity.
Worked examples#
Single host, single hive#
AmcacheParser.exe `
-f 'C:\Triage\HOST01\Windows\AppCompat\Programs\Amcache.hve' `
--csv 'C:\Triage\HOST01\out' `
--csvf 'HOST01_amcache.csv' `
--mpProduces:
C:\Triage\HOST01\out\
├── HOST01_amcache_AssociatedFileEntries.csv
├── HOST01_amcache_UnassociatedFileEntries.csv
├── HOST01_amcache_ProgramEntries.csv
├── HOST01_amcache_ShortcutEntries.csv
├── HOST01_amcache_DriverBinaries.csv
├── HOST01_amcache_DevicePnps.csv
└── HOST01_amcache_DeviceContainers.csv
Batch many hives with PowerShell#
When you have collected hives from 50 hosts into a single tree:
$root = 'C:\Cases\2026-INC-042\collected'
$outRoot = 'C:\Cases\2026-INC-042\parsed'
Get-ChildItem -Path $root -Filter Amcache.hve -Recurse | ForEach-Object {
# Parent path encodes hostname, e.g. ...\HOST01\Windows\AppCompat\Programs\Amcache.hve
$hostName = ($_.FullName -split '\\')[-5]
$hostOut = Join-Path $outRoot $hostName
New-Item -ItemType Directory -Path $hostOut -Force | Out-Null
& 'C:\Tools\ZTools\net6\AmcacheParser\AmcacheParser.exe' `
-f $_.FullName `
--csv $hostOut `
--csvf "${hostName}_amcache.csv" `
--mp |
Out-File (Join-Path $hostOut "${hostName}_amcache.log") -Encoding utf8
}The per-host log capture is the part most pipelines forget. You want to know which parses warned about missing logs or schema mismatches without re-running.
Recurse mode#
If your collection lives in a tree AmcacheParser can walk itself:
AmcacheParser.exe `
-d 'C:\Cases\2026-INC-042\collected' `
--csv 'C:\Cases\2026-INC-042\parsed' `
--mp--csvf is ignored in -d mode. Output filenames are derived from each hive's source path.
Non-Windows analyst host#
On Linux or macOS with .NET installed:
dotnet /opt/ztools/net6/AmcacheParser/AmcacheParser.dll \
-f /cases/inc-042/HOST01/Amcache.hve \
--csv /cases/inc-042/HOST01/out \
--csvf HOST01_amcache.csv \
--mpSame flags. Same output. If your team is fully non-Windows and you just need triage, the browser parser on this site removes the .NET dependency entirely.
KAPE integration#
KAPE handles both collection and parsing. The canonical pattern:
# Collect hive + transaction logs
.\kape.exe `
--tsource C: `
--target Amcache `
--tdest .\out\HOST01\collected
# Parse with AmcacheParser
.\kape.exe `
--msource .\out\HOST01\collected `
--module AmcacheParser `
--mdest .\out\HOST01\parsedKAPE's AmcacheParser module wraps the CLI flags above and writes CSVs into mdest with sensible filenames. The two-step --tsource → --msource pattern keeps collection and parsing auditable. Collection output is unaltered evidence. Parse step is reproducible from it.
For one-shot triage you can collapse to a single call by combining --tsource and --mdest in one invocation, but most engagement playbooks prefer the two-step variant.
Velociraptor integration#
The artefact Windows.Forensics.Amcache collects the hive, downloads AmcacheParser if not cached, runs it, and uploads the CSV. Typical hunt config:
artifacts:
- Windows.Forensics.Amcache
parameters:
- name: AmcacheGlob
value: 'C:\Windows\AppCompat\Programs\Amcache.hve*'Glob with * is intentional. Pulls the hive and both transaction logs in one go. The artefact handles the rest server-side.
For fleet-wide hunting, schedule the artefact on a regular cadence (weekly is typical) and route the resulting UnassociatedFileEntries rows into your SIEM. Detections that pivot on KeyLastWriteTimestamp > now - 7d AND Publisher = '' AND IsPeFile = true are noisy but cheap and high-precision for "something new appeared this week".
Operational tips#
Patterns that come up on real engagements:
- Always collect transaction logs. AmcacheParser warns but continues if they are missing. You lose the most recent writes silently.
- Use
--csvf <HOSTNAME>. When stacking 50 hosts' CSVs into one folder for cross-host pivots, hostnames in filenames save you. - Run
--mpby default. Cost is seconds. Recovered rows are sometimes the most interesting. - Never run AmcacheParser against the live hive on a suspect host. Always copy hive +
.LOG1+.LOG2first. Even though the parser opens read-only, evidentially you want a hashed copy. - Hash the input before parsing and store the hash next to the CSV output. Tiny extra step. Keeps chain of custody clean if the case ever goes to court.
Further reading#
- AmcacheParser GitHub repository for release notes, source, and issue tracker.
- KAPE documentation for the target / module model.
- Velociraptor artefact catalogue for
Windows.Forensics.Amcache.
Related#
Related posts
- AmcacheParser output columns explained: every CSV field decoded
Field-by-field reference for AmcacheParser's CSV output. FileId, PathHash, ProgramId, LinkDate, BinFileVersion, IsPeFile, and every other column, with the pivots that matter.
- AmcacheParser download guide: official sources, mirrors, and verification
Where to get AmcacheParser. Get-ZimmermanTools, direct download, KAPE, Velociraptor. Plus checksum verification and the air-gapped install pattern.
- AmcacheParser: the complete guide to Eric Zimmerman's tool
The reference for AmcacheParser. What it does, how to install and run it, how to read the CSVs, and when the browser parser is the better tool for the moment.
- Amcache parsers compared: AmcacheParser CLI, browser tool, Volatility, RegRipper
Four mature parsers for Amcache.hve. Same hive, different workflows. The decision rule comes down to install footprint, batchability, and where each one wins.