AmcacheParser output columns explained: every CSV field decoded
AmcacheParser writes one CSV per Inventory* category. Most analysts spend 90% of their time in two of those files (*_UnassociatedFileEntries.csv and *_AssociatedFileEntries.csv), but every column in every file is potentially useful. This is the reference for what each one means.
For the broader context on the tool, see the AmcacheParser complete guide.
The seven CSVs#
After a typical run with --csv .\out:
| File | Source key | Typical row count |
|---|---|---|
*_AssociatedFileEntries.csv |
Root\InventoryApplicationFile linked to an InventoryApplication |
Hundreds to low thousands |
*_UnassociatedFileEntries.csv |
Root\InventoryApplicationFile with no parent app |
Hundreds to thousands |
*_ProgramEntries.csv |
Root\Programs (legacy installed-software list) |
Low hundreds |
*_ShortcutEntries.csv |
Root\InventoryApplicationShortcut |
Tens |
*_DriverBinaries.csv |
Root\InventoryDriverBinary |
Hundreds |
*_DevicePnps.csv |
Root\InventoryDevicePnp |
Hundreds |
*_DeviceContainers.csv |
Root\InventoryDeviceContainer |
Tens |
The Unassociated file is what most analysts pivot on first. Ad-hoc downloaded binaries, attacker tooling, one-off scripts land there because they were never installed through a registered product.
File-entry columns (Associated / Unassociated)#
The two file-entry CSVs share the same schema. Columns you use on nearly every case.
Identity and path#
| Column | Meaning | Notes |
|---|---|---|
ApplicationName |
Display name resolved by Windows | Often blank for unassociated entries. |
ProgramId |
44-char Windows program identity | Pivot to Root\InventoryApplication to find the installed-product record. |
FileId |
"0000" + SHA-1 of the first 31 MiB |
Strip the prefix for VT / TI lookups. |
Hash |
Convenience copy of the SHA-1 without prefix | Use this column, not FileId, when joining against external hash feeds. |
Name |
File name only | kernel32.dll, mimikatz.exe, etc. |
FullPath |
Full path at inventory time | If it contains \Users\ or \AppData\ and Publisher is blank, look closely. |
Publisher |
Publisher from PE signature / resource | Empty for unsigned binaries. |
PublisherName |
Friendlier display name | Sometimes populated when Publisher is the X.509 CN. |
BinaryType |
Architecture (pe32, pe64, pe32_arm, ...) |
Useful when filtering for native vs managed PE. |
Timestamps#
Amcache is a goldmine of timestamps, but they mean different things. Get this distinction right or you misdate findings.
| Column | What it is | Don't confuse with |
|---|---|---|
KeyLastWriteTimestamp |
Registry last-write of the containing key | "When the file was inventoried". Closest thing to a real "Amcache time". |
LinkDate |
PE header TimeDateStamp set at compile/link time |
"When the file was created". Set by the compiler. Attacker-controlled. Frequently faked. |
BinFileVersion / ProductVersion |
Version strings from PE resource | Not timestamps. |
LastModified |
Some Amcache schemas expose a last-modified FILETIME | Not in every schema version. Treat as best-effort. |
The right "when" pivot for Amcache is KeyLastWriteTimestamp. LinkDate is fantastic for grouping binaries (everything the attacker compiled on the same day clusters together) but is not a "binary was placed on this host at this time" signal.
Version / metadata#
| Column | Meaning |
|---|---|
BinFileVersion |
PE VS_FIXEDFILEINFO.dwFileVersion |
BinProductVersion |
PE VS_FIXEDFILEINFO.dwProductVersion |
ProductName |
PE resource ProductName |
ProductVersion |
PE resource ProductVersion (string form) |
FileVersionString |
PE resource FileVersion |
Language |
PE resource language ID |
Size |
File size in bytes |
Flags#
| Column | Meaning | Default filter |
|---|---|---|
IsPeFile |
True if Amcache classified the file as PE | Filter to True when hunting executable artefacts. |
IsOsComponent |
True if the file belongs to Windows itself | Filter to False unless -i was passed. OS components are noisy. |
Lifecycle / inventory metadata#
| Column | Meaning |
|---|---|
Usn |
USN journal entry tied to the file at inventory time |
Description |
Free-form description, often from the PE resource |
LongPathHash |
Hash Amcache uses internally for path dedup |
MsiInstallDate |
When the parent MSI was installed (if any) |
MsiPackageCode |
MSI package GUID |
ProgramEntries.csv (legacy Programs key)#
The legacy Root\Programs key predates the Inventory* schema. Sparser. Columns most often used:
| Column | Meaning |
|---|---|
ProgramId |
Same 44-char identity used in file-entry CSVs |
LastWriteTimestamp |
Registry last-write of the entry |
Name |
Program display name |
Version |
Program version |
Publisher |
Publisher string |
InstallDate |
Install date (FILETIME → ISO-8601) |
LanguageCode |
LCID |
InstallSource |
Source path (CD, network share, downloads folder) |
UninstallString |
Command-line that would uninstall the program |
RootDirPath |
Install directory |
Source |
MSI, AddRemoveProgram, etc. |
InstallSource is the secret weapon here. Sometimes records the network share or download URL the installer was pulled from. Invaluable for supply-chain or social-engineering intrusions.
DriverBinaries.csv#
For kernel-mode artefacts. Columns:
| Column | Meaning |
|---|---|
KeyLastWriteTimestamp |
Inventory time |
DriverName |
Driver file name |
Inf |
Source .inf |
DriverVersion |
Driver version string |
Product |
Product name from the driver's PE resource |
ProductVersion |
Product version |
WdfVersion |
Windows Driver Framework version |
DriverCompany |
Company string |
DriverPackageStrongName |
Strong name |
Service |
Associated service name |
DriverSigned |
Whether the driver claimed to be signed |
DriverIsKernelMode |
True for kernel-mode drivers |
DriverType |
legacy, pnp, service, ... |
DriverTimeStamp |
PE link date of the driver |
Hash |
SHA-1 of the driver binary |
For BYOVD (Bring-Your-Own-Vulnerable-Driver), sort by DriverTimeStamp and look for old-but-signed drivers that appeared recently on the host.
DeviceContainers.csv#
Connected-device history. Most relevant columns:
| Column | Meaning |
|---|---|
KeyLastWriteTimestamp |
When the device record was last touched |
Categories |
Device categories (printer, display, network, ...) |
DiscoveryMethod |
How Windows enumerated the device |
FriendlyName |
"Brother HL-L2350DW", "Logitech BRIO", ... |
Manufacturer |
Vendor string |
ModelName / ModelNumber |
Model identifiers |
IsConnected |
Currently-connected flag at inventory |
IsPaired |
Paired (Bluetooth, etc.) |
Icon |
Path to the device icon resource |
Often the answer to "did device X ever connect to this host?" without wading through Setup logs.
DevicePnps.csv#
PnP enumeration records, one row per device interface:
| Column | Meaning |
|---|---|
KeyLastWriteTimestamp |
When the PnP record was last touched |
BusReportedDescription |
What the device told Windows it was |
DeviceClass |
Driver class GUID |
DeviceId / InstanceId |
PnP instance identifier |
Manufacturer |
Vendor string |
Service |
Driver service |
DriverName |
Driver file backing the device |
Pair InstanceId here with the matching row in DeviceContainers.csv to get user-facing name and technical IDs together.
ShortcutEntries.csv#
Each Start menu / pinned shortcut Windows knows about, with the corresponding ProgramId and inventory timestamp. Less used in incident response. Handy for "what did the user have pinned on $DATE" questions. Pair with LNK parser and jump list output for completeness.
Pivots that earn their keep#
Cross-column patterns that come up over and over.
- Hash everywhere. Take
Hashfrom*_UnassociatedFileEntries.csvand grep across*_AssociatedFileEntries.csv, the host's Prefetch CSV, and Sysmon1/7events. A binary in Amcache but never in Prefetch is "present but never executed". A very different finding from "executed". - Publisher blank + path under
\Users\. The single most productive triage filter on a typical commodity-malware investigation. - LinkDate clustering. Sort all unassociated PE entries by
LinkDateand look for tight clusters of 3-10 binaries with the same compile day. Often a single attacker tool drop. - InstallSource URLs in ProgramEntries. Whenever you see a suspicious program, check
InstallSource. Often points directly at the delivery vector. - KeyLastWriteTimestamp window join. Join all CSVs on a one-hour window around the suspected initial-access time and you get the full picture of what Windows inventoried during the intrusion.
Further reading#
- AmcacheParser release notes for schema additions across Windows builds.
- Yogesh Khatri's Amcache analysis.
Related#
Related posts
- AmcacheParser download guide: official sources, mirrors, and verification
Where to get AmcacheParser. Get-ZimmermanTools, direct download, KAPE, Velociraptor. Plus checksum verification and the air-gapped install pattern.
- AmcacheParser: the complete guide to Eric Zimmerman's tool
The reference for AmcacheParser. What it does, how to install and run it, how to read the CSVs, and when the browser parser is the better tool for the moment.
- AmcacheParser CLI cheatsheet: every flag, with worked examples
Copy-paste reference for AmcacheParser.exe. Every flag explained. KAPE, Velociraptor, and PowerShell batch patterns you can use directly.
- Amcache parsers compared: AmcacheParser CLI, browser tool, Volatility, RegRipper
Four mature parsers for Amcache.hve. Same hive, different workflows. The decision rule comes down to install footprint, batchability, and where each one wins.