AmcacheParser: the complete guide to Eric Zimmerman's tool
AmcacheParser is the de facto open-source tool for parsing Amcache.hve. Written by Eric Zimmerman, whose tool suite (MFTECmd, RECmd, PECmd, EvtxECmd, ...) is the backbone of most modern Windows forensic workflows. If you have triaged a Windows endpoint in the last decade, you have relied on AmcacheParser directly or via a wrapper like KAPE.
This guide is the canonical reference. What it parses, how to install it, how to read the output, where it fits in DFIR, and when you might prefer to run the same parsing logic in a browser without installing anything (which is what this site does).
Credit. AmcacheParser is Eric Zimmerman's work. The in-browser parser at amcacheparser.com is an independent project that re-implements the read path in Rust + WebAssembly for triage and education. Not affiliated with Eric or his employer.
What AmcacheParser is#
A command-line program (AmcacheParser.exe) that:
- Opens a Windows
Amcache.hveregistry hive (or a transaction-logged copy of one). - Walks the relevant
Root\InventoryApplicationFile,Root\InventoryApplication,Root\InventoryDriverBinary,Root\InventoryDeviceContainer,Root\Programs,Root\File, and otherInventory*sub-keys. - Decodes the values (Windows FILETIMEs, SHA-1 FileIds, version strings, GUIDs) into human-readable fields.
- Writes one CSV per category, plus a combined timeline.
Intentionally read-only, single-purpose. Does not interpret, score, or alert. Output flows into your analyst notebook, SIEM, Timeline Explorer, or another tool in the Zimmerman suite.
Why analysts care about Amcache#
Amcache.hve is one of the richest program-execution and program-presence artefacts on a Windows host. Unlike Prefetch (which proves execution), Amcache often records binaries that were merely present on disk, including binaries deleted before you arrived. Per file you typically get:
- Full path at inventory time.
- SHA-1 of the first 31 MiB (the
FileId). - PE link date and file size.
- Publisher, version, product name from the PE resource section.
- Timestamp for when the inventory was recorded.
That combination - path + hash + link date + inventory time - is gold for incident response. You can pivot from "a suspicious binary ran on a neighbouring host" to "did this exact binary ever exist on this host, even briefly?" in seconds.
Who is Eric Zimmerman#
Former FBI special agent, now Senior Director at Kroll, where he leads tooling for the firm's incident-response practice. He has been publishing open-source DFIR tools at ericzimmerman.github.io for over a decade. AmcacheParser is one of about a dozen tools in the Get-ZimmermanTools family:
MFTECmd:$MFT,$LogFile,$J,$Boot,$SDSRECmd: registry hive command-line and batch processorRBCmd: Recycle Bin parserPECmd: Prefetch parserEvtxECmd: Windows Event Log parserJLECmd: Jump List parserLECmd: LNK parserSBECmd: Shellbag Explorer CLI
If you only learn one DFIR toolset, the Zimmerman suite is the one most employers will expect.
How it works#
Amcache.hve is a standard Windows registry hive (regf format), same as SYSTEM, SOFTWARE, SAM, and NTUSER.DAT. AmcacheParser opens the file, walks the hive bins and cells, follows the key/value tree, and decodes typed values. The fields most analysts care about are encoded in three slightly annoying ways:
- Windows FILETIMEs: 64-bit values counting 100 ns ticks since 1601-01-01 UTC. AmcacheParser converts to ISO-8601 UTC.
- PE link dates: 32-bit
time_tvalues from the PE headerIMAGE_FILE_HEADER.TimeDateStamp. Not filesystem times. Set at compile/link time. Useful pivot. - SHA-1
FileId: a 41-character string"0000" + sha1_hex. The leading0000is a historical type tag. The trailing 40 hex characters are the SHA-1 of the first 31 MiB.
The hive is written by the Microsoft Compatibility Appraiser scheduled task (\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser). On modern Windows 10/11 this runs roughly daily, which is why Amcache is one of the best longitudinal presence artefacts you have.
Transaction logs matter#
Like every registry hive, Amcache.hve has companion .LOG1 / .LOG2 transaction logs. Copy only the hive and you miss the most recent writes. AmcacheParser handles transaction logs correctly when you point it at a directory or keep the logs alongside the hive. Always collect together.
Installing AmcacheParser#
Three ways. All produce the same binary. Pick the one that matches your environment.
Option 1: Get-ZimmermanTools (recommended)#
The official installer is a small PowerShell script that downloads the full suite and keeps it updated.
mkdir C:\Tools\ZTools
cd C:\Tools\ZTools
Invoke-WebRequest `
-Uri 'https://raw.githubusercontent.com/EricZimmerman/Get-ZimmermanTools/master/Get-ZimmermanTools.ps1' `
-OutFile Get-ZimmermanTools.ps1
.\Get-ZimmermanTools.ps1 -Dest C:\Tools\ZTools -NetVersion 6After it finishes, AmcacheParser.exe lives under C:\Tools\ZTools\net6\AmcacheParser\. Re-running the script later updates every tool in place.
Option 2: Direct download from ericzimmerman.github.io#
The landing page at ericzimmerman.github.io links a zip per tool. Right path if PowerShell egress is blocked on the analyst workstation.
Option 3: Bundled in KAPE or Velociraptor#
If you use KAPE or Velociraptor, AmcacheParser is vendored in their module / artifact catalogues. You don't install it separately. You invoke it through a target or module that also collects the hive for you.
For mirrors, checksums, and air-gapped install patterns, see the AmcacheParser download guide.
Quick start#
Minimum invocation:
AmcacheParser.exe `
-f "C:\Triage\Windows\AppCompat\Programs\Amcache.hve" `
--csv "C:\Triage\Output\Amcache"For a full incident, you almost always want more flags:
AmcacheParser.exe `
-f "C:\Triage\Windows\AppCompat\Programs\Amcache.hve" `
--csv "C:\Triage\Output\Amcache" `
--csvf "HOSTNAME_amcache.csv" `
-i `
--mp--csvfcontrols the base filename so multi-host triage stays navigable.-iincludesIsOSComponent = trueentries (off by default because they balloon the noise).--mp("multi-pass") parses orphaned / unassociated entries that would otherwise be dropped.
Full flag matrix: AmcacheParser CLI cheatsheet.
Loading the output in Timeline Explorer#
The CSVs are designed for Eric's Timeline Explorer. Drag any *_UnassociatedFileEntries.csv or *_AssociatedFileEntries.csv into Timeline Explorer and you get sortable, filterable columns and an instant "all activity in this window" view.
Reading the CSV output#
Different schema per category. The four you touch on nearly every case:
| File | What it contains |
|---|---|
*_UnassociatedFileEntries.csv |
Files Amcache saw on disk that are not tied to a registered Inventory Application. The richest pivot table for unknown binaries. |
*_AssociatedFileEntries.csv |
Files linked to an InventoryApplication (installed product). |
*_DriverBinaries.csv |
Loaded driver binaries. Critical for kernel-rootkit investigations. |
*_DeviceContainers.csv |
Connected device history (printers, monitors, removable media controllers). |
Columns you pivot on most often:
ApplicationName/Name. Display name Windows resolved.FullPath. Full path at inventory time.FileExtension..exe/.dllfiltering.Hash(SHA-1). TheFileIdminus the"0000"prefix.LinkDate. PE compile time.FileVersionString,ProductName,Publisher,PublisherName.Size. File size at inventory.IsPeFile,IsOsComponent. Quick filters.KeyLastWriteTimestamp. Registry-level last-write. Treat as the inventory-time pivot.
Every column, including less-common Inventory categories, is documented in AmcacheParser output columns explained.
Worked examples#
Unsigned PE in user-writable paths:
Import-Csv .\HOST_amcache_UnassociatedFileEntries.csv |
Where-Object {
$_.IsPeFile -eq 'True' -and
-not $_.Publisher -and
$_.FullPath -match '\\Users\\|\\ProgramData\\|\\AppData\\'
} |
Select KeyLastWriteTimestamp, FullPath, Hash, Size |
Sort-Object KeyLastWriteTimestampPivot on a known-bad SHA-1 across many hosts:
Get-ChildItem -Recurse -Filter *_UnassociatedFileEntries.csv |
ForEach-Object {
Import-Csv $_.FullName |
Where-Object { $_.Hash -eq 'da39a3ee5e6b4b0d3255bfef95601890afd80709' } |
Select @{n='Host';e={$_.PSChildName.Split('_')[0]}}, FullPath, KeyLastWriteTimestamp
}Where AmcacheParser fits in DFIR#
Most investigators reach for Amcache after Prefetch and event logs, because it answers a different question:
| Artefact | Answers |
|---|---|
| Prefetch | Did this binary execute on this host? |
| Event Log (4688 / Sysmon 1) | Did this process run, with what command line, from what parent? |
| Shimcache (AppCompatCache) | Was this binary touched by the loader recently? |
| Amcache | Has this binary ever been present on this host, with what hash and at what path? |
Amcache's killer feature is deleted-binary recall. A wiper can clear the file from disk, but the inventory snapshot persists in the hive until the next appraiser pass, and even then the previous run is often still in the transaction logs. We cover the Amcache-vs-Prefetch-vs-Shimcache distinction in depth in Understanding Amcache for Windows forensics.
Pipeline patterns#
Two production patterns:
- KAPE collect + KAPE parse. KAPE's
Amcachetarget collects the hive + logs. ItsAmcacheParsermodule runs the parser into a per-host output folder. One command, ready for Timeline Explorer. - Velociraptor
Windows.Forensics.Amcache. Velociraptor's artifact pulls the hive, runs AmcacheParser server-side, and uploads the CSV. Pair with a hunt to fan it across thousands of endpoints.
Both with copy-pastable commands in the CLI cheatsheet.
The browser alternative#
The tool on this site is a re-implementation of the read path in Rust + WebAssembly. It exists for situations where the Windows CLI is the wrong tool for the moment:
- A non-Windows analyst opens a
.hvein their browser without installing .NET or a Zimmerman build. - A student wants to see what Amcache looks like before paying for a full DFIR lab.
- Triaging on a locked-down host where deploying new binaries needs a change-control ticket.
- Showing a hive to a stakeholder over a screen-share without exposing it to a third-party server.
The file never leaves your browser. Parsing happens client-side in WebAssembly. No upload, no server-side processing, no telemetry. Drop a hive on the home page to try it.
For full investigations on a Windows analyst workstation, Eric's official AmcacheParser.exe remains the right tool. Every edge case, integration with the suite, and the CSV format every downstream tool expects. The browser version is for triage, education, and the cases where installing anything is the wrong answer.
Further reading#
- The AmcacheParser GitHub repository for source and release notes.
- Yogesh Khatri's Amcache.hve in Windows 8.
- Maxim Suhanov's posts on registry internals and Amcache evidentiary limits.
Related#
Related posts
- AmcacheParser output columns explained: every CSV field decoded
Field-by-field reference for AmcacheParser's CSV output. FileId, PathHash, ProgramId, LinkDate, BinFileVersion, IsPeFile, and every other column, with the pivots that matter.
- AmcacheParser download guide: official sources, mirrors, and verification
Where to get AmcacheParser. Get-ZimmermanTools, direct download, KAPE, Velociraptor. Plus checksum verification and the air-gapped install pattern.
- AmcacheParser CLI cheatsheet: every flag, with worked examples
Copy-paste reference for AmcacheParser.exe. Every flag explained. KAPE, Velociraptor, and PowerShell batch patterns you can use directly.
- Amcache parsers compared: AmcacheParser CLI, browser tool, Volatility, RegRipper
Four mature parsers for Amcache.hve. Same hive, different workflows. The decision rule comes down to install footprint, batchability, and where each one wins.