Can Amcache be cleared by attackers?

Yes, with admin rights, an attacker can delete Amcache.hve, edit it, or stop the Compatibility Appraiser from writing to it. No, none of those options are quiet. Three independent sources usually preserve the prior state:

  1. Volume Shadow Copies, which take point-in-time volume snapshots and each carry their own copy of Amcache.hve. Retention varies from days to weeks.
  2. Registry transaction logs (Amcache.hve.LOG1 and Amcache.hve.LOG2) that may hold recent writes the attacker did not think to remove.
  3. Recreation-time signatures. A hive that was deleted and rebuilt by the next appraiser pass has a KeyLastWriteTimestamp distribution that starts abruptly at the recreation date and reaches back nowhere, which on a long-running host is a dead giveaway.

Recovering ~30% of "deleted" entries from .LOG1 and .LOG2 is normal on cases where the attacker deleted keys but did not clear the logs. Recovering more from shadow copies is also normal.

The three approaches, in increasing subtlety#

Wholesale deletion#

The blunt instrument. The attacker kills compattelrunner.exe and the registry process (or queues a Pending File Rename), then removes the file. The next appraiser pass recreates the hive empty. Trivial to detect on any host where the hive should be substantial.

Targeted key deletion#

Load the hive offline (or in place if you can hold the lock), reg delete the specific InventoryApplicationFile\<id> sub-keys you want gone. More subtle. But:

  • The parent key's LastWrite advances. So the row above moves while the row itself disappears, which on a sorted dump looks odd.
  • The transaction logs frequently still hold the original record. Replay them and you get the entry back.
  • Volume Shadow Copies hold yesterday's hive untouched. Diff against it.

Disable the appraiser#

The sneakiest option. The hive isn't modified. New entries just stop arriving. You can:

HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection
  AllowTelemetry = REG_DWORD 0

Or disable \Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser in Task Scheduler. The hive freezes. A defender who doesn't specifically check the appraiser's LastRunTime and the KeyLastWriteTimestamp distribution may completely miss it.

How to detect it#

  1. Parse the live Amcache.hve and capture the KeyLastWriteTimestamp distribution. Earliest, latest, density per week.
  2. Enumerate Volume Shadow Copies (vssadmin list shadows) and parse each shadow's copy of the hive. Diff against live.
  3. Check the scheduled task: Get-ScheduledTask, look at LastRunTime, State, history in Microsoft-Windows-TaskScheduler%4Operational.evtx (your EVTX parser of choice).
  4. Check GPO and HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection\AllowTelemetry.

A live hive whose KeyLastWriteTimestamp distribution dies on a Tuesday a few months ago, on a host you know has been busy since, is a strong tampering signal. Diff against shadows to confirm what is missing.

For the full anti-forensics workflow, see Recovering deleted-binary evidence from Amcache.

How often does this come up#

Rarely. Commodity malware never bothers. Most APT operators don't either, because the artefact is unfamiliar and cleaning it correctly takes more Windows-internals knowledge than most have. When you do see signs of Amcache tampering, treat it as a sophistication signal and pay closer attention to neighbouring artefacts (Shimcache, Sysmon, EDR) for similar moves.

Further reading#

  • Maxim Suhanov's writeups on registry tampering and recovery from .LOG files.
  • MITRE ATT&CK T1070.009 Clear Persistence for the broader anti-forensics context.

Related posts

  • Why is my Amcache.hve empty?

    Three causes in order of frequency: appraiser disabled, host freshly imaged, or you're on a Server where the cadence is naturally slow. Tampering is a distant fourth.

  • Where is the Amcache registry key?

    Amcache is its own hive file, not a key under HKLM. Loaded on demand by the appraiser. Mounts at HKLM\Amcache when active.

  • What does Amcache.hve contain?

    Inventory records for every PE, driver, application, and connected device the Compatibility Appraiser has seen. SHA-1, full path, publisher, and timestamps per entry.

  • What's a .pf file vs an Amcache entry?

    .pf is execution proof with run times. Amcache is presence with hash and metadata. Same binary in both, only one, or neither, and which combination it is matters.

Back to all posts