AmcacheParser output columns explained: every CSV field decoded
AmcacheParser writes a different CSV per Inventory* category. Most
analysts spend 90% of their time in two of those files —
*_UnassociatedFileEntries.csv and *_AssociatedFileEntries.csv —
but every column in every file is potentially useful. This is the
reference for what each one means.
For the broader context on the tool, see the AmcacheParser complete guide.
The seven CSV files#
After a typical run with --csv .\out, you will see:
| File | Source key | Typical row count |
|---|---|---|
| *_AssociatedFileEntries.csv | Root\InventoryApplicationFile linked to an InventoryApplication | hundreds to low thousands |
| *_UnassociatedFileEntries.csv | Root\InventoryApplicationFile with no parent app | hundreds to thousands |
| *_ProgramEntries.csv | Root\InventoryApplication (Root\Programs on older hives) | low hundreds |
| *_ShortcutEntries.csv | Root\InventoryApplicationShortcut | tens |
| *_DriverBinaries.csv | Root\InventoryDriverBinary | hundreds |
| *_DevicePnps.csv | Root\InventoryDevicePnp | hundreds |
| *_DeviceContainers.csv | Root\InventoryDeviceContainer | tens |
The Unassociated file is the one most analysts pivot on first: it is
where ad-hoc downloaded binaries, attacker tooling, and one-off scripts
typically land, because they were never installed through a registered
product.
File-entry columns (Associated / Unassociated)#
The two file-entry CSVs share the same schema. Exact column names vary a little between AmcacheParser versions (the SHA-1 column, for example, is headed SHA1 in current releases), so confirm against the header row of your own output before scripting. Columns you will use on nearly every case:
Identity & path#
| Column | Meaning | Notes |
|---|---|---|
| ApplicationName | Display name resolved by Windows | Often blank for unassociated entries. |
| ProgramId | 44-char Windows program-identity hash | Pivot to Root\InventoryApplication to find the installed-product record. |
| FileId | "0000" + SHA-1 hex of the first 31,457,280 bytes (30 MiB) of the file | Strip the 0000 prefix to get a SHA-1. For files larger than 30 MiB this is not the whole-file SHA-1, so it will not match VirusTotal or TI feeds, which key on the full file. |
| Hash | Convenience copy of the SHA-1 without the prefix | Use this column, not FileId, when joining against external hash feeds; the 30 MiB truncation above still applies. |
| Name | File name only | kernel32.dll, mimikatz.exe, etc. |
| FullPath | Full path at inventory time | If the path contains \Users\ or \AppData\ and Publisher is blank, look closely. |
| Publisher | Publisher string, lowercased, taken from the PE version resource (CompanyName) | Blank when the binary carries no such resource. It is self-declared metadata, not a signature check: an unsigned binary can claim any publisher, so never treat a familiar value as evidence of a valid signature. |
| PublisherName | Friendlier publisher display name | Sometimes populated when Publisher is the X.509 CN. |
| BinaryType | Architecture / kind (pe32_i386, pe64_amd64, pe32_arm, ...) | Useful when filtering by architecture (32-bit vs 64-bit vs ARM). It does not distinguish native from managed (.NET) PEs. |
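The FileId/Hash subtlety above trips people up when a hash lookup comes back empty. The following script, an added example that is not AmcacheParser code, reproduces Amcache's hashing (SHA-1 over at most the first 31,457,280 bytes), strips the 0000 prefix, and reports whether a FileId can be used as a whole-file lookup; the sample buffers are constructed stand-ins, not real files.

```python
import hashlib
import io

# Amcache hashes only the first 31,457,280 bytes (30 MiB) of a file when it builds FileId.
AMCACHE_HASH_LIMIT = 31_457_280
FILEID_PREFIX = "0000"
_HEX = set("0123456789abcdef")


def fileid_to_sha1(file_id: str) -> str:
    """Turn an Amcache FileId ('0000' + 40 hex chars) or a bare SHA-1 into lowercase 40-hex."""
    value = file_id.strip().lower()
    if len(value) == 44 and value.startswith(FILEID_PREFIX):
        value = value[len(FILEID_PREFIX):]
    if len(value) != 40 or not set(value) <= _HEX:
        raise ValueError(f"not an Amcache FileId / SHA-1: {file_id!r}")
    return value


def amcache_sha1(stream) -> str:
    """SHA-1 over at most the first AMCACHE_HASH_LIMIT bytes, the way Amcache computes FileId."""
    digest = hashlib.sha1()
    remaining = AMCACHE_HASH_LIMIT
    while remaining > 0:
        chunk = stream.read(min(1 << 20, remaining))
        if not chunk:
            break
        digest.update(chunk)
        remaining -= len(chunk)
    return digest.hexdigest()


def full_sha1(stream) -> str:
    """Whole-file SHA-1, which is what VirusTotal and most TI feeds key on."""
    digest = hashlib.sha1()
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        digest.update(chunk)
    return digest.hexdigest()


def sha1_pair(data: bytes) -> tuple:
    """(Amcache-style SHA-1, whole-file SHA-1) for an in-memory buffer; they diverge past 30 MiB."""
    return amcache_sha1(io.BytesIO(data)), full_sha1(io.BytesIO(data))


def check_fileid(file_id: str, data: bytes) -> dict:
    """Does an Amcache FileId belong to these bytes, and is it safe to use as a whole-file lookup?"""
    sha1 = fileid_to_sha1(file_id)
    amcache_hash, whole_hash = sha1_pair(data)
    return {
        "matches_amcache": sha1 == amcache_hash,
        "matches_full_file": sha1 == whole_hash,
        "truncated": len(data) > AMCACHE_HASH_LIMIT,  # True: do not expect a VT hit on this value
    }


if __name__ == "__main__":
    # Constructed stand-ins: a small "PE" and one just past the 30 MiB hashing limit.
    small = b"MZ" + b"\x90" * 1024
    big = b"MZ" + b"\x90" * (AMCACHE_HASH_LIMIT + 4096)
    for label, blob in (("small", small), ("big", big)):
        amcache_hash, whole_hash = sha1_pair(blob)
        print(label, "FileId=0000" + amcache_hash, "full=" + whole_hash,
              "same=" + str(amcache_hash == whole_hash))
```

For a file on disk, pass an open binary handle to amcache_sha1 and full_sha1 instead of a BytesIO; when the two differ, submit the whole-file hash to your feeds and keep the Amcache value for joining across Amcache CSVs only.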
Timestamps#
Amcache is a goldmine of timestamps, but they mean different things. Get this distinction right or you will misdate findings.
| Column | What it is | Don't confuse it with |
|---|---|---|
| KeyLastWriteTimestamp | Registry last-write of the containing key, i.e. when the inventory last wrote this entry | "When the file ran." The inventory is driven mostly by the scheduled Compatibility Appraiser scan, so this says the file was present when the scan ran, not that it executed. Still the closest thing to a real "Amcache time." |
| LinkDate | PE header TimeDateStamp set at compile/link time | "When the file was created." It is set by the linker, attacker-controlled and frequently faked; for many Microsoft binaries built with reproducible builds it is a hash, not a date at all. |
| BinFileVersion / ProductVersion | Version strings from the PE resource | These are not timestamps. |
| LastModified | Some Amcache schemas expose a last-modified FILETIME | Not present in every schema version; treat as best-effort. |
The right "when" pivot for Amcache is KeyLastWriteTimestamp. LinkDate is excellent for grouping binaries (all the binaries the attacker compiled on the same day cluster together), but it is not a "this binary was placed on this host at this time" signal. KeyLastWriteTimestamp is not a "this binary ran at this time" signal either; corroborate execution with Prefetch, Sysmon or EDR telemetry before writing "executed" in a report.
Version / metadata#
| Column | Meaning |
|---|---|
| BinFileVersion | PE VS_FIXEDFILEINFO.dwFileVersion (binary form) |
| BinProductVersion | PE VS_FIXEDFILEINFO.dwProductVersion (binary form) |
| ProductName | PE resource ProductName |
| ProductVersion | PE resource ProductVersion (string form) |
| FileVersionString | PE resource FileVersion |
| Language | PE resource language ID |
| Size | File size in bytes |
Flags#
| Column | Meaning | Default filter |
|---|---|---|
| IsPeFile | True if Amcache classified the file as a PE | Filter to True when hunting for executable artefacts, but remember that non-PE files the inventory recorded (scripts, documents, data files) are False and may still matter. |
| IsOsComponent | True if the file belongs to Windows itself | AmcacheParser omits these rows unless -i was passed; OS components are noisy. |
Lifecycle / inventory metadata#
| Column | Meaning |
|---|---|
| Usn | USN journal entry associated with the file at inventory time |
| Description | Free-form description, often from the PE resource |
| LongPathHash | Hash Amcache uses internally for path deduplication |
| MsiInstallDate | When the parent MSI was installed (if any) |
| MsiPackageCode | MSI package GUID |
ProgramEntries.csv (installed programs)#
On Windows 10 and later hives the installed-software list lives under Root\InventoryApplication; older hives use the legacy Root\Programs key, which predates the Inventory* schema and is sparser. AmcacheParser writes either to ProgramEntries.csv. The columns most often used:
| Column | Meaning |
|---|---|
| ProgramId | Same 44-char identity used in file-entry CSVs |
| LastWriteTimestamp | Registry last-write of the entry |
| Name | Program display name |
| Version | Program version |
| Publisher | Publisher string |
| InstallDate | Install date (FILETIME → ISO-8601) |
| LanguageCode | LCID |
| InstallSource | Source path (CD, network share, downloads folder) |
| UninstallString | Command-line that would uninstall the program |
| RootDirPath | Install directory |
| Source | MSI, AddRemoveProgram, etc. |
InstallSource is the secret weapon here: it records the location the installer was run from, which may be a network share, a removable drive or the user's Downloads folder. That is invaluable when investigating supply-chain or social-engineering intrusions because it often points straight at the delivery vector. It is written by the installer, though, so treat it as a lead to corroborate against browser history, share-access logs or the user's Downloads folder rather than as proof on its own.
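A quick way to turn InstallSource into a triage order is to classify each value by delivery vector and surface remote and user-writable origins first. This is an added example, not AmcacheParser code; it assumes rows from csv.DictReader over ProgramEntries.csv with Name and InstallSource columns, and the sample rows are constructed.

```python
import re
from urllib.parse import urlparse

# Patterns for the InstallSource shapes seen in practice: URL, UNC share, user profile folder, drive path.
_URL = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)
_USER_DIR = re.compile(r"^[a-z]:\\users\\([^\\]+)\\(downloads|desktop|appdata)", re.IGNORECASE)
_DRIVE = re.compile(r"^[a-z]:\\", re.IGNORECASE)

# Lower number = more interesting as an initial-access lead.
_PRIORITY = {"url": 0, "unc share": 1, "user downloads": 2, "user desktop": 2,
             "user appdata": 3, "local path": 4, "other": 5, "unknown": 6}


def classify_install_source(value):
    """Map one InstallSource value to (kind, origin): the vector and the host/user/drive behind it."""
    v = (value or "").strip()
    if not v:
        return {"kind": "unknown", "origin": ""}
    if _URL.match(v):
        return {"kind": "url", "origin": urlparse(v).netloc.lower()}
    if v.startswith("\\\\"):                      # \\server\share\...
        host = v[2:].split("\\", 1)[0]
        return {"kind": "unc share", "origin": host.lower()}
    m = _USER_DIR.match(v)
    if m:                                         # C:\Users\<user>\Downloads\...
        return {"kind": "user " + m.group(2).lower(), "origin": m.group(1)}
    if _DRIVE.match(v):                           # D:\ (optical / removable / fixed)
        return {"kind": "local path", "origin": v[:2].upper()}
    return {"kind": "other", "origin": v}


def triage_install_sources(rows):
    """(Name, kind, origin) for every program, most interesting vectors first, then by name."""
    out = []
    for r in rows:
        c = classify_install_source(r.get("InstallSource", ""))
        out.append((r.get("Name", ""), c["kind"], c["origin"]))
    return sorted(out, key=lambda t: (_PRIORITY[t[1]], t[0].lower()))


# Constructed sample rows (hypothetical program names and paths).
SAMPLE_ROWS = [
    {"Name": "Remote Support Tool", "InstallSource": "\\\\FILESERV01\\share\\installers\\"},
    {"Name": "Some Editor", "InstallSource": "C:\\Users\\bob\\Downloads\\"},
    {"Name": "Vendor Agent", "InstallSource": "https://cdn.example.test/agent/"},
    {"Name": "Printer Driver", "InstallSource": "D:\\"},
    {"Name": "Legacy App", "InstallSource": ""},
]

if __name__ == "__main__":
    for name, kind, origin in triage_install_sources(SAMPLE_ROWS):
        print(f"{kind:15} {origin:20} {name}")
```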
DriverBinaries.csv#
For kernel-mode artefacts. Columns:
| Column | Meaning |
|---|---|
| KeyLastWriteTimestamp | Inventory time |
| DriverName | Driver file name |
| Inf | Source .inf |
| DriverVersion | Driver version string |
| Product | Product name from the driver's PE resource |
| ProductVersion | Product version |
| WdfVersion | Windows Driver Framework version, if applicable |
| DriverCompany | Company string |
| DriverPackageStrongName | Strong name |
| Service | Associated service name |
| DriverSigned | Whether the driver claimed to be signed |
| DriverIsKernelMode | True for kernel-mode drivers |
| DriverType | legacy, pnp, service, ... |
| DriverTimeStamp | PE link date of the driver |
| Hash | SHA-1 of the driver binary |
For BYOVD (bring-your-own-vulnerable-driver) investigations, sort by
DriverTimeStamp and look for old-but-signed drivers that appeared
recently on the host, then check Hash against a published vulnerable-driver
list such as the LOLDrivers project or Microsoft's recommended driver block
rules. Two caveats: DriverSigned is what the inventory reported, not an
independent signature check, and a valid signature on an old driver is
exactly what makes BYOVD work; and KeyLastWriteTimestamp can move when an
entry is rewritten, so corroborate "appeared recently" with the driver
file's $MFT timestamps and the service-install event (System log 7045).
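The BYOVD sort described above, as an added example rather than AmcacheParser code. It ranks kernel-mode drivers by three signals (blocklisted hash, old-but-signed and recently inventoried, or self-reported unsigned) and orders the hits by link date. The CSV rows, driver names, hashes and the blocklist are all constructed; in practice the blocklist would be loaded from a published list such as LOLDrivers.

```python
import csv
import io
from datetime import datetime

# Constructed sample shaped like *_DriverBinaries.csv; driver names and hashes are made up.
SAMPLE_CSV = """KeyLastWriteTimestamp,DriverName,DriverSigned,DriverIsKernelMode,DriverTimeStamp,DriverCompany,Hash
2024-03-04 09:15:02,vendtool.sys,True,True,2016-11-26 13:06:50,example hardware vendor,1111111111111111111111111111111111111111
2024-03-04 09:15:02,ntfs.sys,True,True,2023-12-01 04:00:00,microsoft corporation,2222222222222222222222222222222222222222
2023-09-10 01:00:00,nicvendor.sys,True,True,2019-05-14 10:20:00,example nic vendor,3333333333333333333333333333333333333333
2024-03-04 09:15:02,oldgpu.sys,False,True,2017-01-10 12:00:00,,4444444444444444444444444444444444444444
"""
# Constructed stand-in for a vulnerable-driver SHA-1 list (not real blocklist data).
BLOCKLIST_SHA1 = {"1111111111111111111111111111111111111111"}


def parse_ts(value):
    """AmcacheParser writes 'yyyy-MM-dd HH:mm:ss[.fffffff]'; ignore the fractional part."""
    return datetime.strptime(value.strip()[:19], "%Y-%m-%d %H:%M:%S")


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def byovd_candidates(rows, blocklist_sha1, min_age_days=3 * 365, recent_days=30, now=None):
    """Flag kernel-mode drivers for BYOVD follow-up, oldest link date first.

    Reasons, in order of confidence:
      1. SHA-1 is on a known-vulnerable-driver list.
      2. Signed, linked at least min_age_days before it was inventoried, and inventoried
         within recent_days of `now` (default: the newest inventory time in the file).
      3. Claims to be unsigned (self-reported; kernel drivers normally cannot load unsigned
         unless Driver Signature Enforcement has been weakened).
    Reason 2 means 'recently recorded', not 'recently arrived'; corroborate with $MFT and event 7045.
    """
    if now is None:
        now = max(parse_ts(r["KeyLastWriteTimestamp"]) for r in rows)
    block = {h.lower() for h in blocklist_sha1}
    hits = []
    for r in rows:
        if r["DriverIsKernelMode"].strip().lower() != "true":
            continue
        linked = parse_ts(r["DriverTimeStamp"])
        seen = parse_ts(r["KeyLastWriteTimestamp"])
        signed = r["DriverSigned"].strip().lower() == "true"
        reasons = []
        if r["Hash"].strip().lower() in block:
            reasons.append("on vulnerable-driver blocklist")
        if signed and (seen - linked).days >= min_age_days and (now - seen).days <= recent_days:
            reasons.append("old signed driver, recently inventoried")
        if not signed:
            reasons.append("unsigned kernel-mode driver")
        if reasons:
            hits.append({"driver": r["DriverName"], "linked": linked, "inventoried": seen, "reasons": reasons})
    return sorted(hits, key=lambda h: h["linked"])


ROWS = load_rows(SAMPLE_CSV)

if __name__ == "__main__":
    for hit in byovd_candidates(ROWS, BLOCKLIST_SHA1):
        print(hit["driver"], hit["linked"].date(), "; ".join(hit["reasons"]))
```

Tune min_age_days and recent_days to the case: a driver linked four years ago and inventoried six months ago drops out of the default window but reappears if you widen recent_days, which is the intended behaviour when the intrusion is older than the last inventory cycle.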
DeviceContainers.csv#
Connected-device history. Most relevant columns:
| Column | Meaning |
|---|---|
| KeyLastWriteTimestamp | When the device record was last touched |
| Categories | Device categories (printer, display, network, ...) |
| DiscoveryMethod | How Windows enumerated the device |
| FriendlyName | "Brother HL-L2350DW", "Logitech BRIO", ... |
| Manufacturer | Vendor string |
| ModelName / ModelNumber | Model identifiers |
| IsConnected | Currently-connected flag at inventory |
| IsPaired | Paired (Bluetooth, etc.) |
| Icon | Path to the device icon resource |
This file is often the quickest answer to "did device X ever connect to this host?" without having to wade through Setup logs. It is not a connection log, though: it shows what the inventory recorded for each device, with no per-connection history, so for first- and last-connect times corroborate with SYSTEM\ControlSet00x\Enum\USBSTOR and setupapi.dev.log.
DevicePnps.csv#
PnP enumeration records — one row per device interface. The columns most useful in DFIR:
| Column | Meaning |
|---|---|
| KeyLastWriteTimestamp | When the PnP record was last touched |
| BusReportedDescription | What the device told Windows it was |
| DeviceClass | Driver class GUID |
| DeviceId / InstanceId | PnP instance identifier |
| ContainerId | GUID of the device container this interface belongs to; the join key to DeviceContainers.csv |
| Manufacturer | Vendor string |
| Service | Driver service |
| DriverName | Driver file backing the device |
Pair ContainerId here with the matching container record in DeviceContainers.csv (the container key is the same GUID, so normalise case and braces before joining) to get both the user-facing name and the technical IDs. A PnP row with no matching container is worth a look in its own right: it is a device Windows saw on the bus but never resolved to a friendly name.
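The join described above, as an added example that is not part of AmcacheParser. It assumes both CSVs expose the container GUID in a column named ContainerId (check your header row), left-joins each PnP interface to its container so unmatched devices are kept, and answers "did device X ever show up?" with a case-insensitive search. Both CSV samples are constructed.

```python
import csv
import io

# Constructed samples shaped like *_DevicePnps.csv and *_DeviceContainers.csv (not real hive data).
# Assumption: both CSVs carry the container GUID in a column named ContainerId.
PNP_CSV = r"""KeyLastWriteTimestamp,ContainerId,BusReportedDescription,InstanceId,Service,DriverName
2024-03-04 09:15:02,{7c1a2f30-0000-4000-8000-000000000001},USB DISK 3.0,USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\1234567890&0,disk,disk.sys
2024-03-04 09:15:02,{7c1a2f30-0000-4000-8000-000000000002},BRIO 4K Stream Edition,USB\VID_1234&PID_5678&MI_00\6&ABC&0&0000,usbvideo,usbvideo.sys
2024-03-04 09:15:02,{7c1a2f30-0000-4000-8000-0000000000ff},Unknown USB Device,USB\VID_0000&PID_0000\X1,,
"""
CONTAINER_CSV = r"""KeyLastWriteTimestamp,ContainerId,FriendlyName,Manufacturer,IsConnected
2024-03-04 09:15:02,{7C1A2F30-0000-4000-8000-000000000001},USB Mass Storage Stick,Generic,False
2024-03-04 09:15:02,{7c1a2f30-0000-4000-8000-000000000002},Logitech BRIO,Logitech,True
"""


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def norm_guid(value):
    """Container GUIDs differ in case and bracing between files; compare them canonically."""
    return value.strip().strip("{}").lower()


def join_devices(pnp_rows, container_rows):
    """Left-join every PnP interface to its container: technical IDs plus the user-facing name.
    A PnP row with no container keeps FriendlyName/Manufacturer/IsConnected as None."""
    containers = {norm_guid(c["ContainerId"]): c for c in container_rows}
    joined = []
    for p in pnp_rows:
        c = containers.get(norm_guid(p["ContainerId"]), {})
        joined.append({
            "ContainerId": norm_guid(p["ContainerId"]),
            "FriendlyName": c.get("FriendlyName"),
            "Manufacturer": c.get("Manufacturer"),
            "IsConnected": c.get("IsConnected"),
            "BusReportedDescription": p["BusReportedDescription"],
            "InstanceId": p["InstanceId"],
            "Service": p["Service"],
            "DriverName": p["DriverName"],
            "KeyLastWriteTimestamp": p["KeyLastWriteTimestamp"],
        })
    return joined


def find_devices(joined, needle):
    """Case-insensitive 'did device X ever show up?' over friendly name, bus description and instance ID."""
    n = needle.lower()
    return [d for d in joined
            if any(n in (d[k] or "").lower() for k in ("FriendlyName", "BusReportedDescription", "InstanceId"))]


PNP_ROWS = load_rows(PNP_CSV)
CONTAINER_ROWS = load_rows(CONTAINER_CSV)

if __name__ == "__main__":
    for d in join_devices(PNP_ROWS, CONTAINER_ROWS):
        print(d["FriendlyName"], "|", d["BusReportedDescription"], "|", d["InstanceId"], "|", d["DriverName"])
```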
ShortcutEntries.csv#
Each Start-menu / Pinned shortcut Windows knows about, with the
corresponding ProgramId and inventory timestamp. Less often used for
incident response, but handy for "what did the user have pinned on
$DATE" questions.
Pivots that earn their keep#
A few cross-column patterns that come up over and over:
- Hash everywhere. Take Hash from *_UnassociatedFileEntries.csv and grep it across *_AssociatedFileEntries.csv, the Hashes field of Sysmon Event ID 1 (process create) and 7 (image load), and your TI feeds. Prefetch stores no content hash, so match it by executable name and path instead. A binary that shows up in Amcache with no Prefetch or Sysmon record is "present, no execution evidence" rather than "never executed" (Prefetch is capped at 1024 files on Windows 8 and later, can be disabled, and only records a subset of starts), but that is still a very different finding from "executed."
- Publisher blank + path under \Users\. This is the single most productive triage filter on a typical commodity-malware investigation.
- LinkDate clustering. Sort all unassociated PE entries by LinkDate and look for tight clusters of 3–10 binaries with the same compile day. That is often a single attacker tool drop.
- InstallSource in ProgramEntries. Whenever you see a suspicious program, check its InstallSource; it often points directly at the delivery vector.
- KeyLastWriteTimestamp window join. Join all CSVs on a one-hour window around the suspected initial-access time and you get the full picture of what Windows inventoried during the intrusion. The inventory is periodic, so if the window is empty, widen it to the next scan after initial access rather than concluding nothing was recorded.
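The four file-entry pivots above (hash corroboration, blank Publisher under \Users\, LinkDate clustering, and the KeyLastWriteTimestamp window) written as one script. This is an added example, not AmcacheParser code; the CSV rows, hashes, Sysmon hash list and Prefetch names are all constructed, and the column names follow this page's tables (rename them if your header row says SHA1 or FileKeyLastWriteTimestamp).

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample shaped like *_UnassociatedFileEntries.csv (not a real hive); hashes are made up.
SAMPLE_CSV = r"""KeyLastWriteTimestamp,LinkDate,Publisher,FullPath,Name,Hash,IsPeFile
2024-03-04 09:15:02,2024-02-28 11:02:17,,C:\Users\bob\AppData\Local\Temp\svc.exe,svc.exe,aaaa000000000000000000000000000000000001,True
2024-03-04 09:15:02,2024-02-28 11:04:51,,C:\Users\bob\AppData\Local\Temp\x64.exe,x64.exe,aaaa000000000000000000000000000000000002,True
2024-03-04 09:15:02,2024-02-28 13:40:09,,C:\Users\bob\Downloads\loader.exe,loader.exe,aaaa000000000000000000000000000000000003,True
2024-03-04 09:15:02,,,C:\Users\bob\AppData\Local\Temp\notes.txt,notes.txt,aaaa000000000000000000000000000000000004,False
2024-03-01 02:00:10,2023-11-02 08:30:00,microsoft corporation,C:\Windows\System32\kernel32.dll,kernel32.dll,aaaa000000000000000000000000000000000005,True
2024-02-20 18:22:40,2022-06-15 07:00:00,notepad++ team,C:\Users\bob\AppData\Local\Programs\Notepad++\notepad++.exe,notepad++.exe,aaaa000000000000000000000000000000000006,True
"""


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def parse_ts(value):
    """AmcacheParser writes 'yyyy-MM-dd HH:mm:ss[.fffffff]'; ignore the fractional part."""
    return datetime.strptime(value.strip()[:19], "%Y-%m-%d %H:%M:%S")


def is_pe(row):
    return row["IsPeFile"].strip().lower() == "true"


def unsigned_user_paths(rows):
    """Pivot: blank Publisher and a path under \\Users\\, PE files only."""
    return [r["Name"] for r in rows
            if is_pe(r) and not r["Publisher"].strip() and "\\users\\" in r["FullPath"].lower()]


def linkdate_clusters(rows, min_size=3):
    """Pivot: PE entries grouped by LinkDate calendar day; only days with >= min_size binaries."""
    by_day = defaultdict(list)
    for r in rows:
        if is_pe(r) and r["LinkDate"].strip():
            by_day[parse_ts(r["LinkDate"]).date().isoformat()].append(r["Name"])
    return {day: sorted(names) for day, names in by_day.items() if len(names) >= min_size}


def execution_evidence(rows, sysmon_sha1s, prefetch_exe_names):
    """Pivot: corroborate each PE entry. Sysmon 1/7 carry SHA-1, so join on Hash; Prefetch stores
    no content hash, so join on the executable name (Prefetch names are upper-case)."""
    sysmon = {h.lower() for h in sysmon_sha1s}
    prefetch = {n.upper() for n in prefetch_exe_names}
    evidence = {}
    for r in rows:
        if not is_pe(r):
            continue
        sources = []
        if r["Hash"].lower() in sysmon:
            sources.append("sysmon")
        if r["Name"].upper() in prefetch:
            sources.append("prefetch")
        evidence[r["Name"]] = sources or ["no execution evidence"]
    return evidence


def within_window(rows, pivot, hours=1):
    """Pivot: everything inventoried within +/- hours of a suspected initial-access time."""
    lo, hi = pivot - timedelta(hours=hours), pivot + timedelta(hours=hours)
    return [r["Name"] for r in rows if lo <= parse_ts(r["KeyLastWriteTimestamp"]) <= hi]


ROWS = load_rows(SAMPLE_CSV)

if __name__ == "__main__":
    print("unsigned under \\Users\\:", unsigned_user_paths(ROWS))
    print("LinkDate clusters:", linkdate_clusters(ROWS))
    print("execution evidence:",
          execution_evidence(ROWS, [ROWS[2]["Hash"]], ["SVC.EXE", "KERNEL32.DLL"]))
    print("inventoried near 2024-03-04 09:00:", within_window(ROWS, parse_ts("2024-03-04 09:00:00")))
```

On real output, feed load_rows the file contents, pull the Sysmon hashes from the Hashes field of your Event ID 1/7 export and the Prefetch names from PECmd's ExecutableName column; the three Temp/Downloads binaries that share a compile day and lack a publisher are the kind of cluster the text describes.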
See also#
- AmcacheParser complete guide — the canonical reference for the tool.
- AmcacheParser CLI cheatsheet — the flags that produce these CSVs.
- AmcacheParser download guide — where to get the tool.
- Understanding Amcache for Windows forensics — what the hive records and why it matters.
Want to see these columns on your own hive without installing anything? Drop the file on the parser home page — it parses entirely in your browser.
Related posts
- AmcacheParser download guide: official sources, mirrors, and verification
Every way to download Eric Zimmerman's AmcacheParser — Get-ZimmermanTools, direct download, KAPE, Velociraptor — with checksum verification and air-gapped install patterns.
- AmcacheParser: the complete guide to Eric Zimmerman's tool
A definitive guide to AmcacheParser — what it does, how to install and run Eric Zimmerman's CLI, how to read its CSV output, and when to reach for the browser-based alternative.
- AmcacheParser CLI cheatsheet: every flag, with worked examples
A practical command-line reference for Eric Zimmerman's AmcacheParser — every flag explained, with KAPE, Velociraptor, and PowerShell batch-processing patterns you can copy and paste.
- Amcache parsers compared: AmcacheParser CLI, browser tool, Volatility, RegRipper
Side-by-side comparison of the four ways to parse a Windows Amcache.hve hive in 2026 — Eric Zimmerman's AmcacheParser CLI, the browser tool, Volatility 3, and RegRipper.