AmcacheParser: the complete guide to Eric Zimmerman's tool

AmcacheParser is the de facto open-source tool for parsing the Windows Amcache.hve registry hive. It was written by Eric Zimmerman, a long-time digital-forensics practitioner whose tool suite (MFTECmd, RECmd, PECmd, EvtxECmd, …) is the backbone of most modern Windows forensic workflows. If you have ever triaged a Windows endpoint, you have almost certainly relied on AmcacheParser, either directly or through a wrapper like KAPE.

This guide is the canonical reference for the tool: what it parses, how to install it, how to read its output, where it fits in a DFIR workflow, and when you might prefer to run the same parsing logic in a browser without installing anything (which is what this site does).

Credit where it's due. AmcacheParser is Eric Zimmerman's work. The in-browser parser hosted at amcacheparser.com is an independent project that re-implements the read path in Rust + WebAssembly for triage and education. It is not affiliated with Eric or his employer.


What is AmcacheParser?#

AmcacheParser is a command-line program (AmcacheParser.exe) that:

  1. Opens a Windows Amcache.hve registry hive (or a transaction-logged copy of one).
  2. Walks the relevant Root\InventoryApplicationFile, Root\InventoryApplication, Root\InventoryDriverBinary, Root\InventoryDeviceContainer, Root\Programs, Root\File, and other Inventory* sub-keys.
  3. Decodes the values (Windows FILETIMEs, SHA-1 file IDs, version strings, GUIDs, ...) into human-readable fields.
  4. Writes one CSV per category, plus a combined timeline.

It is intentionally a read-only, single-purpose parser: it does not interpret, score, or alert. The output is meant to flow into your analyst notebook, SIEM, Timeline Explorer, or another tool in the Zimmerman suite.

Why analysts care about Amcache#

Amcache.hve is one of the richest program-execution and program-presence artifacts on a Windows host. Unlike Prefetch (which proves a binary actually ran), Amcache often records binaries that were merely present on disk — including binaries that were deleted before you arrived. For each tracked file you typically get:

  • The full path at the time of inventory.
  • A SHA-1 hash of the first 31,457,280 bytes (30 MiB) of the file (the FileId); larger files are hashed only up to that point.
  • The PE link date and the file size.
  • The publisher, version, and product name from the PE resource section.
  • A timestamp for when the inventory was recorded.

That combination — path + hash + link date + inventory time — is gold for incident response. It lets you pivot from "a suspicious binary ran on a neighbouring host" to "did this exact binary ever exist on this host, even briefly?" within seconds.


Who is Eric Zimmerman?#

Eric Zimmerman is a former FBI special agent and current Senior Director at Kroll, where he leads tooling for the firm's incident-response practice. He has been publishing open-source DFIR tools at ericzimmerman.github.io for over a decade. AmcacheParser sits in the Get-ZimmermanTools family alongside:

  • MFTECmd — $MFT, $LogFile, $J, $Boot, $SDS parser
  • RECmd — registry hive command-line and batch processor
  • RBCmd — Recycle Bin parser
  • PECmd — Prefetch parser
  • EvtxECmd — Windows Event Log parser
  • JLECmd — Jump List parser
  • LECmd — LNK parser
  • SBECmd — ShellBags Explorer command-line version

If you only learn one DFIR toolset, the Zimmerman suite is the one most employers will expect you to know.


How AmcacheParser works under the hood#

Amcache.hve is a standard Windows registry hive file — the same binary format used by SYSTEM, SOFTWARE, SAM, and NTUSER.DAT. AmcacheParser opens the file, walks the hive bins and cells, follows the key/value tree, and decodes typed values. The fields most analysts care about are encoded in three slightly annoying ways:

  • Windows FILETIMEs — 64-bit values counting 100 ns ticks since 1601-01-01 UTC. AmcacheParser converts these to ISO-8601 UTC.
  • PE link dates — 32-bit time_t values from the PE header IMAGE_FILE_HEADER.TimeDateStamp. These are not file-system times; they are set at link time, are trivially forged, and on reproducible builds (most Microsoft OS binaries) hold a hash rather than a time, so an implausible LinkDate on an IsOsComponent row is normal. For third-party binaries they remain a useful pivot.
  • SHA-1 FileId — a 44-character string "0000" + sha1_hex. The leading 0000 is a historical type tag; the trailing 40 hex characters are the SHA-1 of the first 31,457,280 bytes (30 MiB) of the file as Amcache saw it, so two files that differ only past that point share a FileId.
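As an added example (not code from AmcacheParser or from Eric Zimmerman), here is the decoding of those three encodings in Python, plus a routine that recomputes a FileId from a recovered file so you can confirm that a carved or restored binary is byte-for-byte the one Amcache inventoried. The sample values in the `__main__` block are constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added example, not AmcacheParser's own code. Sample values are constructed.

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
AMCACHE_HASH_WINDOW = 31_457_280   # bytes covered by the FileId SHA-1 (30 MiB)
HEX = set("0123456789abcdef")


def filetime_to_iso(ft: int) -> Optional[str]:
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO-8601 UTC.
    0 is how Windows stores 'not set', so it maps to None rather than to 1601."""
    if not 0 <= ft <= 0xFFFFFFFFFFFFFFFF:
        raise ValueError(f"not a FILETIME: {ft!r}")
    if ft == 0:
        return None
    try:
        ts = FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    except OverflowError as exc:
        raise ValueError(f"FILETIME out of datetime range: {ft:#x}") from exc
    return ts.strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def link_date_to_iso(stamp: int) -> Optional[str]:
    """IMAGE_FILE_HEADER.TimeDateStamp (32-bit time_t) -> ISO-8601 UTC.
    Caveats: this is a linker value, trivially forged by an attacker, and on
    reproducible builds (most Microsoft OS binaries) it is a hash, not a time,
    so wild LinkDates on IsOsComponent rows are expected, not evidence."""
    if not 0 <= stamp <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit TimeDateStamp: {stamp!r}")
    if stamp in (0, 0xFFFFFFFF):
        return None
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def file_id_to_sha1(file_id: str) -> str:
    """Amcache FileId ('0000' + 40 hex chars, 44 chars in total) -> bare lowercase SHA-1."""
    fid = file_id.strip()
    if len(fid) != 44 or not fid.startswith("0000") or not set(fid[4:].lower()) <= HEX:
        raise ValueError(f"unexpected FileId layout: {file_id!r}")
    return fid[4:].lower()


def amcache_file_id(data: bytes) -> str:
    """Recompute a FileId for a recovered file: SHA-1 over at most the first
    31,457,280 bytes, then the '0000' tag. Use it to confirm that a file you
    carved or pulled from backup is what Amcache inventoried."""
    return "0000" + hashlib.sha1(data[:AMCACHE_HASH_WINDOW]).hexdigest()


def amcache_file_id_of_path(path: str) -> str:
    """Same computation, streamed from disk so a multi-GB file is never read whole."""
    h = hashlib.sha1()
    remaining = AMCACHE_HASH_WINDOW
    with open(path, "rb") as fh:
        while remaining:
            chunk = fh.read(min(1 << 20, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return "0000" + h.hexdigest()


if __name__ == "__main__":
    print(filetime_to_iso(132223104000000000))   # 2020-01-01T00:00:00.000000Z
    print(link_date_to_iso(0x5E0BE100))           # 2020-01-01T00:00:00Z
    print(file_id_to_sha1("0000DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"))
    print(amcache_file_id(b"") == "0000da39a3ee5e6b4b0d3255bfef95601890afd80709")  # True
```

The window constant is the detail that matters in practice: if you recompute a plain SHA-1 of a 200 MB installer you will never match the Amcache value, because Amcache stopped hashing at 30 MiB.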

The hive itself is written by the Microsoft Compatibility Appraiser scheduled task (\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser). On modern Windows 10/11 builds this runs roughly daily, which is why Amcache.hve is one of the best "longitudinal presence" artifacts you have.

Transaction logs matter#

Like any registry hive, Amcache.hve has companion .LOG1 / .LOG2 transaction logs. If you copy only the hive without its logs, you can miss the most recent writes: Windows flushes the hive lazily, so the base block's two sequence numbers disagree (a "dirty" hive) until the logged transactions have been applied. AmcacheParser looks for Amcache.hve.LOG1 / Amcache.hve.LOG2 next to the file you pass with -f and replays them automatically (--nl turns that off). Always collect the three files together and keep them side by side under their original names so the lookup works.
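An added example, not part of AmcacheParser or of the registry library it is built on: a Python check of the REGF base block (the first 4096 bytes of any hive) that reports whether a collected hive is dirty (primary and secondary sequence numbers differ), whether the header checksum is intact, and whether the .LOG1/.LOG2 files are sitting beside it. The base block built by `make_base_block()` is synthetic, not a real Amcache header; `demo()` writes two such hives into a temporary directory.

```python
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Added example, not AmcacheParser code. Windows bumps the primary sequence
# number before a write and the secondary after it; a mismatch means the last
# transaction was never flushed and the .LOG1/.LOG2 files are needed.

BASE_BLOCK_SIZE = 4096
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def regf_checksum(base_block: bytes) -> int:
    """XOR-32 of the 127 DWORDs before the checksum field (offsets 0..507),
    with the two reserved results remapped the way Windows does."""
    cs = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        cs ^= dword
    if cs == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return cs or 1


def inspect_base_block(data: bytes) -> dict:
    """Parse the header fields an analyst checks before trusting a collected hive."""
    if len(data) < BASE_BLOCK_SIZE or data[:4] != b"regf":
        raise ValueError("not a REGF hive (bad signature or truncated base block)")
    primary, secondary, last_written = struct.unpack_from("<IIQ", data, 4)
    major, minor = struct.unpack_from("<II", data, 20)
    root_cell, hbins_size = struct.unpack_from("<II", data, 36)
    (stored_checksum,) = struct.unpack_from("<I", data, 508)
    # Real hives store the tail of the original path here, UTF-16LE, up to 64 bytes.
    embedded_name = data[48:112].decode("utf-16-le", "replace").split("\x00", 1)[0]
    written = FILETIME_EPOCH + timedelta(microseconds=last_written // 10)
    return {
        "format_version": f"{major}.{minor}",
        "primary_seq": primary,
        "secondary_seq": secondary,
        "dirty": primary != secondary,            # True -> the transaction logs are needed
        "checksum_ok": stored_checksum == regf_checksum(data),
        "last_written_utc": written.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "root_cell_offset": root_cell,
        "hbins_data_size": hbins_size,
        "embedded_name": embedded_name,
    }


def hive_report(hive: Path) -> dict:
    """Inspect an on-disk hive and list the transaction logs found beside it."""
    with open(hive, "rb") as fh:
        info = inspect_base_block(fh.read(BASE_BLOCK_SIZE))
    logs = [hive.with_name(hive.name + suffix) for suffix in (".LOG1", ".LOG2")]
    info["transaction_logs_present"] = [p.name for p in logs if p.exists()]
    info["needs_logs_but_missing"] = info["dirty"] and not info["transaction_logs_present"]
    return info


def make_base_block(primary: int, secondary: int, last_written_ft: int,
                    name: str = "Programs\\Amcache.hve") -> bytes:
    """Build a constructed (not real) base block so the checks above run offline."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = b"regf"
    struct.pack_into("<IIQ", block, 4, primary, secondary, last_written_ft)
    struct.pack_into("<IIII", block, 20, 1, 5, 0, 1)      # major, minor, file type, file format
    struct.pack_into("<III", block, 36, 0x20, 0x1000, 1)  # root cell, hbins size, clustering factor
    block[48:112] = name.encode("utf-16-le")[:64].ljust(64, b"\x00")
    struct.pack_into("<I", block, 508, regf_checksum(bytes(block)))
    return bytes(block)


def demo() -> dict:
    """Write a clean hive with a LOG1 beside it and a dirty hive without logs, then report."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        clean = d / "Amcache.hve"
        clean.write_bytes(make_base_block(7, 7, 132223104000000000))   # 2020-01-01 UTC
        (d / "Amcache.hve.LOG1").write_bytes(b"")
        dirty = d / "dirty" / "Amcache.hve"
        dirty.parent.mkdir()
        dirty.write_bytes(make_base_block(9, 8, 132223104000000000))
        return {"clean": hive_report(clean), "dirty": hive_report(dirty)}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

Run `hive_report(Path(r"C:\Triage\Windows\AppCompat\Programs\Amcache.hve"))` on a collected hive: a report with `"dirty": True` and an empty `transaction_logs_present` list means the collection needs to be redone with the logs before any parser's output can be trusted as current.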


Installing AmcacheParser#

There are three common ways to get the tool. All produce the same binary; pick the one that matches your environment.

Option 1 — Get-ZimmermanTools (the official installer script)#

The official installer is a small PowerShell script that downloads the full suite into a target folder and keeps it updated.

# Create a tools folder and pull the latest .NET 6 builds
mkdir C:\Tools\ZTools
cd    C:\Tools\ZTools
Invoke-WebRequest `
  -Uri 'https://raw.githubusercontent.com/EricZimmerman/Get-ZimmermanTools/master/Get-ZimmermanTools.ps1' `
  -OutFile Get-ZimmermanTools.ps1
.\Get-ZimmermanTools.ps1 -Dest C:\Tools\ZTools -NetVersion 6

After it finishes, AmcacheParser.exe lives under C:\Tools\ZTools\net6\AmcacheParser\. Re-running the script later updates every tool in place.

Option 2 — Direct download from ericzimmerman.github.io#

The landing page at ericzimmerman.github.io links a zip for each tool. This is the right path if PowerShell egress is blocked on the analyst workstation.

Option 3 — Bundled inside KAPE or Velociraptor#

If you use KAPE or Velociraptor, AmcacheParser is already vendored as part of their module / artifact catalogues. You usually do not install it separately — you invoke it through a target / module definition that also collects the hive for you.

For a full breakdown of mirrors, checksums, and air-gapped install patterns, see the AmcacheParser download guide.


Quick start: parsing a hive#

The minimum invocation is two flags:

AmcacheParser.exe `
  -f "C:\Triage\Windows\AppCompat\Programs\Amcache.hve" `
  --csv "C:\Triage\Output\Amcache"

That writes one CSV per Inventory* category into the output folder. For a full incident, you almost always want a few more flags:

AmcacheParser.exe `
  -f "C:\Triage\Windows\AppCompat\Programs\Amcache.hve" `
  --csv "C:\Triage\Output\Amcache" `
  --csvf "HOSTNAME_amcache.csv" `
  -i `
  --mp

  • --csvf overrides the default, timestamp-prefixed output filename so multi-host triage stays navigable.
  • -i includes the file entries that belong to Programs entries, which are left out by default.
  • --mp prints timestamps at higher precision (sub-second) instead of the default whole seconds.

Three more flags earn their keep on incidents: -b <file> keeps only entries whose SHA-1 appears in the file (a known-bad list), -w <file> drops entries whose SHA-1 appears in it (a known-good list; a hash on both lists is kept), and --nl makes the parser ignore the .LOG1/.LOG2 transaction logs of a dirty hive, which you only want when the logs are missing or corrupt.

The full flag matrix lives in the AmcacheParser CLI cheatsheet.

Loading the output in Timeline Explorer#

The CSVs are designed for Eric's Timeline Explorer. Drag any *_UnassociatedFileEntries.csv or *_AssociatedFileEntries.csv into Timeline Explorer and you get sortable, filterable columns and an instant "all activity in this window" view.


Reading the CSV output#

AmcacheParser writes a different schema per category. The four you will touch on almost every case are listed below (the parser also writes ProgramEntries, ShortCuts, DevicePnps and DriverPackages CSVs):

File                            What it contains
*_UnassociatedFileEntries.csv   Files Amcache saw on disk that are not tied to a registered InventoryApplication entry. The richest pivot table for unknown binaries.
*_AssociatedFileEntries.csv     Files linked to an InventoryApplication entry (an installed product).
*_DriverBinaries.csv            Driver binaries the appraiser inventoried (presence, not proof that the driver loaded). Critical for kernel-rootkit investigations.
*_DeviceContainers.csv          Device container history: the logical devices Windows enumerated (printers, monitors, USB storage and other removable media).

The columns you will pivot on most often:

  • ApplicationName / Name — display name as Windows resolved it.
  • ProgramId — joins a file row to its InventoryApplication record in the ProgramEntries CSV.
  • FullPath — full path at inventory time.
  • FileExtension — convenient for .exe / .dll filtering.
  • SHA1 — the FileId with its "0000" prefix removed (40 hex characters).
  • LinkDate — PE link time; for reproducibly built Microsoft OS binaries this field is a hash, not a date.
  • Version, ProductVersion, ProductName, Publisher — the PE version-resource strings. Publisher is self-declared metadata, not a signature check.
  • Size — file size in bytes at inventory.
  • IsPeFile, IsOsComponent — quick filters.
  • FileKeyLastWriteTimestamp — registry last-write time of the file's key. Treat this as the "inventory time" pivot: it is when the appraiser wrote the entry, not when the file first appeared on disk.

Every column, including the less-common Inventory categories, is documented in AmcacheParser output columns explained.

Worked examples#

A few queries that earn their keep on real cases:

Find PE files in user-writable paths that carry no Publisher string (post-process in PowerShell). Note the limit of this heuristic: Publisher comes from the PE version resource and Amcache records no Authenticode state, so an empty value means "no publisher metadata", not "unsigned":

Import-Csv .\HOST_amcache_UnassociatedFileEntries.csv |
  Where-Object {
    $_.IsPeFile -eq 'True' -and
    -not $_.Publisher    -and
    $_.FullPath -match '\\Users\\|\\ProgramData\\|\\AppData\\'
  } |
  Select-Object FileKeyLastWriteTimestamp, FullPath, SHA1, Size |
  Sort-Object FileKeyLastWriteTimestamp

Pivot on a known-bad SHA-1 across many hosts (the hash below is the SHA-1 of an empty file, a placeholder to swap for your indicator; -eq is case-insensitive, so upper- or lower-case hex both match):

$Sha1 = 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
Get-ChildItem -Recurse -Filter *_UnassociatedFileEntries.csv |
  ForEach-Object {
    $csv = $_   # capture the file object here: inside Import-Csv's pipeline $_ is a row, not the file
    Import-Csv $csv.FullName |
      Where-Object { $_.SHA1 -eq $Sha1 } |
      Select-Object @{n='Host';e={$csv.BaseName.Split('_')[0]}}, FullPath, FileKeyLastWriteTimestamp
  }
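Going one step beyond the two queries above, here is the same kind of post-processing as an added Python example (not the page's or the tool's own code) that stacks several hosts' UnassociatedFileEntries CSVs: prevalence per SHA-1 across the fleet, the low-prevalence PE-without-Publisher heuristic, and a check for binaries that reuse the name of an OS component from a non-OS path. The CSV text, hostnames, hashes and paths are constructed and use a subset of AmcacheParser's real column names.

```python
import csv
import io
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Added example, not AmcacheParser code. Rows are constructed; the header is a
# subset of what AmcacheParser writes to *_UnassociatedFileEntries.csv.
SAMPLE_CSVS: Dict[str, str] = {
    "WS01": """\
FileKeyLastWriteTimestamp,SHA1,FullPath,Name,FileExtension,LinkDate,Size,IsPeFile,IsOsComponent,Publisher
2024-03-04 09:12:33,3f786850e387550fdab836ed7e6dc881de23001b,c:\\users\\jdoe\\appdata\\local\\temp\\svchost.exe,svchost.exe,.exe,2024-03-01 02:14:09,61440,True,False,
2024-03-04 09:12:33,84a516841ba77a5b4648de2cd0dfcb30ea46dbb4,c:\\windows\\system32\\svchost.exe,svchost.exe,.exe,2009-07-14 01:39:12,55320,True,True,Microsoft Corporation
2024-03-04 09:12:33,3c363836cf4e16666669a25da280a1865c2d2874,c:\\program files\\7-zip\\7z.exe,7z.exe,.exe,2023-06-20 18:05:01,557056,True,False,Igor Pavlov
""",
    "WS02": """\
FileKeyLastWriteTimestamp,SHA1,FullPath,Name,FileExtension,LinkDate,Size,IsPeFile,IsOsComponent,Publisher
2024-03-05 10:01:57,84a516841ba77a5b4648de2cd0dfcb30ea46dbb4,c:\\windows\\system32\\svchost.exe,svchost.exe,.exe,2009-07-14 01:39:12,55320,True,True,Microsoft Corporation
2024-03-05 10:01:57,3c363836cf4e16666669a25da280a1865c2d2874,c:\\program files\\7-zip\\7z.exe,7z.exe,.exe,2023-06-20 18:05:01,557056,True,False,Igor Pavlov
2024-03-05 10:01:57,58e6b3a414a1e090dfc6029add0f3555ccba127f,c:\\users\\asmith\\downloads\\setup.exe,setup.exe,.exe,2023-11-02 12:00:00,204800,True,False,Contoso Ltd
2024-03-05 10:01:57,1b6453892473a467d07372d45eb05abc2031647a,c:\\users\\asmith\\appdata\\roaming\\notes.txt,notes.txt,.txt,,120,False,False,
""",
}

# Directories an unprivileged user can write to; the same filter as the PowerShell query.
USER_WRITABLE = re.compile(r"\\(users|programdata|appdata)\\", re.IGNORECASE)


def load_rows(csv_text: str, host: str) -> List[dict]:
    """Parse one host's CSV and tag each row with the host it came from."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["Host"] = host
        r["SHA1"] = r["SHA1"].lower()
    return rows


def load_all(csvs: Dict[str, str] = SAMPLE_CSVS) -> List[dict]:
    return [r for host, text in csvs.items() for r in load_rows(text, host)]


def prevalence(rows: List[dict]) -> Dict[str, Set[str]]:
    """SHA-1 -> set of hosts that inventoried it (fleet stacking)."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for r in rows:
        seen[r["SHA1"]].add(r["Host"])
    return seen


def pivot_sha1(rows: List[dict], sha1: str) -> List[Tuple[str, str, str]]:
    """Every (host, path, inventory time) where a hash was seen."""
    sha1 = sha1.lower()
    return sorted((r["Host"], r["FullPath"], r["FileKeyLastWriteTimestamp"])
                  for r in rows if r["SHA1"] == sha1)


def low_prevalence_suspects(rows: List[dict], max_hosts: int = 1) -> List[dict]:
    """PE files in user-writable paths with no Publisher string, seen on at most
    max_hosts hosts. Publisher is version-resource metadata, so an empty value
    is 'no metadata', not 'unsigned'; Amcache records no Authenticode state."""
    seen = prevalence(rows)
    return [r for r in rows
            if r["IsPeFile"] == "True" and r["IsOsComponent"] != "True"
            and not r["Publisher"].strip()
            and USER_WRITABLE.search(r["FullPath"])
            and len(seen[r["SHA1"]]) <= max_hosts]


def os_name_masquerades(rows: List[dict]) -> List[dict]:
    """Non-OS rows reusing the file name of an IsOsComponent binary with a different hash."""
    os_hashes: Dict[str, Set[str]] = defaultdict(set)
    for r in rows:
        if r["IsOsComponent"] == "True":
            os_hashes[r["Name"].lower()].add(r["SHA1"])
    return [r for r in rows
            if r["IsOsComponent"] != "True"
            and r["Name"].lower() in os_hashes
            and r["SHA1"] not in os_hashes[r["Name"].lower()]]


if __name__ == "__main__":
    rows = load_all()
    for r in low_prevalence_suspects(rows):
        print("suspect:", r["Host"], r["FullPath"], r["SHA1"])
    for r in os_name_masquerades(rows):
        print("masquerade:", r["Host"], r["FullPath"])
```

To use it on real output, replace `SAMPLE_CSVS` with a dict built from `Path(...).read_text()` per host; the column names are the ones AmcacheParser writes, so no renaming is needed.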

Where AmcacheParser fits in a DFIR workflow#

Most investigators reach for Amcache after Prefetch and Event Logs, because it answers a different question:

Artifact                       Answers
Prefetch                       "Did this binary execute on this host, and when?"
Event Log (4688 / Sysmon 1)    "Did this process run, with what command line, from what parent?"
ShimCache (AppCompatCache)     "Did the loader see this binary recently, and what was its last-modified time?"
Amcache                        "Has this binary been present on this host, with what hash and at what path?"

Amcache's killer feature is deleted-binary recall: a wiper can remove the file from disk, but the inventory entry persists in the hive after the file is gone. How long it survives depends on when the appraiser next sweeps, so collect early and keep the transaction logs. We cover the Amcache-vs-Prefetch-vs-ShimCache distinction in depth in Understanding Amcache for Windows forensics.

Pipeline patterns#

The two most common production patterns:

  1. KAPE collect + KAPE parse. KAPE's Amcache target collects the hive + logs; its AmcacheParser module runs the parser into a per-host output folder. One command, ready for Timeline Explorer.

  2. Velociraptor. Velociraptor's built-in Windows.System.Amcache artifact parses the hive on the endpoint with its own VQL registry parser rather than running AmcacheParser, which makes it the right choice for a hunt fanned across thousands of endpoints. When the rest of your pipeline expects AmcacheParser's CSV schema, collect the raw hive and its logs instead (the Windows.KapeFiles.Targets artifact with the Amcache target does this) and run AmcacheParser on the collected files.

Both patterns are covered with copy-pastable commands in the CLI cheatsheet.


The browser-based alternative#

The tool hosted on this site is a re-implementation of the read path in Rust + WebAssembly. It exists because there are situations where the Windows CLI is the wrong tool for the moment:

  • A non-Windows analyst opens a .hve in their browser without installing the .NET runtime or a Zimmerman build.
  • A student wants to see what Amcache looks like before paying for a full DFIR lab.
  • Triaging on a locked-down host where deploying new binaries needs a change-control ticket.
  • Showing a hive to a stakeholder over a screen-share without exposing it to a third-party server.

The file never leaves your browser. Parsing happens client-side in WebAssembly; there is no upload, no server-side processing, no telemetry. Drop a hive on the home page to try it.

For full investigations on a Windows analyst workstation, Eric's official AmcacheParser.exe remains the right tool — it handles every edge case, integrates with the rest of the suite, and produces the CSV format every downstream tool expects. The browser version is for triage, education, and the cases where installing anything is the wrong answer.


Frequently asked questions#

Is AmcacheParser free?#

Yes. It is MIT-licensed, published by Eric Zimmerman, and free for any use, including commercial DFIR engagements.

What operating systems does AmcacheParser run on?#

AmcacheParser.exe is a .NET 6 / .NET 9 application. It runs on Windows out of the box and on Linux / macOS through the .NET runtime (dotnet AmcacheParser.dll on non-Windows hosts when using the framework-dependent build).

Does AmcacheParser modify the hive?#

No. It opens the hive read-only and writes only the CSV output to the path you specify with --csv.

What is the difference between AmcacheParser and RegRipper's amcache plugin?#

Both parse the same hive. RegRipper's plugin emits a human-readable text report; AmcacheParser emits structured CSV with one row per inventory entry, which is dramatically easier to load into a spreadsheet, SIEM, or Timeline Explorer. Most modern playbooks use AmcacheParser; RegRipper remains popular for one-off interactive analysis.

Does Amcache record every executed binary?#

No. Amcache records presence and inventory metadata, not execution. A binary can appear in Amcache without ever running, and a binary can run without appearing in Amcache if the appraiser hasn't swept since. Pair it with Prefetch and process-creation events to prove execution.

Where is Amcache.hve located on a live system?#

C:\Windows\AppCompat\Programs\Amcache.hve, with transaction logs Amcache.hve.LOG1 and Amcache.hve.LOG2 next to it. KAPE's Amcache target collects all three.

Can I use AmcacheParser on a memory image?#

Not directly. AmcacheParser parses the on-disk hive format. To analyse Amcache from memory, use Volatility's registry plugins to extract the hive first, then feed it to AmcacheParser.


Further reading#

Ready to look at a hive right now? Drop one on the parser home page — it never leaves your browser.
