Can Amcache be cleared by attackers?
Yes, with admin rights, an attacker can delete Amcache.hve, edit it, or stop the Compatibility Appraiser from writing to it. No, none of those options are quiet. Three independent sources usually preserve the prior state:
- Volume Shadow Copies, which take point-in-time volume snapshots and each carry their own copy of
Amcache.hve. Retention varies from days to weeks. - Registry transaction logs (
Amcache.hve.LOG1andAmcache.hve.LOG2) that may hold recent writes the attacker did not think to remove. - Recreation-time signatures. A hive that was deleted and rebuilt by the next appraiser pass has a
KeyLastWriteTimestampdistribution that starts abruptly at the recreation date and reaches back nowhere, which on a long-running host is a dead giveaway.
Recovering ~30% of "deleted" entries from .LOG1 and .LOG2 is normal on cases where the attacker deleted keys but did not clear the logs. Recovering more from shadow copies is also normal.
The three approaches, in increasing subtlety#
Wholesale deletion#
The blunt instrument. The attacker kills compattelrunner.exe and the registry process (or queues a Pending File Rename), then removes the file. The next appraiser pass recreates the hive empty. Trivial to detect on any host where the hive should be substantial.
Targeted key deletion#
Load the hive offline (or in place if you can hold the lock), reg delete the specific InventoryApplicationFile\<id> sub-keys you want gone. More subtle. But:
- The parent key's
LastWriteadvances. So the row above moves while the row itself disappears, which on a sorted dump looks odd. - The transaction logs frequently still hold the original record. Replay them and you get the entry back.
- Volume Shadow Copies hold yesterday's hive untouched. Diff against it.
Disable the appraiser#
The sneakiest option. The hive isn't modified. New entries just stop arriving. You can:
HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection
AllowTelemetry = REG_DWORD 0
Or disable \Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser in Task Scheduler. The hive freezes. A defender who doesn't specifically check the appraiser's LastRunTime and the KeyLastWriteTimestamp distribution may completely miss it.
How to detect it#
- Parse the live
Amcache.hveand capture theKeyLastWriteTimestampdistribution. Earliest, latest, density per week. - Enumerate Volume Shadow Copies (
vssadmin list shadows) and parse each shadow's copy of the hive. Diff against live. - Check the scheduled task:
Get-ScheduledTask, look atLastRunTime,State, history inMicrosoft-Windows-TaskScheduler%4Operational.evtx(your EVTX parser of choice). - Check GPO and
HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection\AllowTelemetry.
A live hive whose KeyLastWriteTimestamp distribution dies on a Tuesday a few months ago, on a host you know has been busy since, is a strong tampering signal. Diff against shadows to confirm what is missing.
For the full anti-forensics workflow, see Recovering deleted-binary evidence from Amcache.
How often does this come up#
Rarely. Commodity malware never bothers. Most APT operators don't either, because the artefact is unfamiliar and cleaning it correctly takes more Windows-internals knowledge than most have. When you do see signs of Amcache tampering, treat it as a sophistication signal and pay closer attention to neighbouring artefacts (Shimcache, Sysmon, EDR) for similar moves.
Further reading#
- Maxim Suhanov's writeups on registry tampering and recovery from
.LOGfiles. - MITRE ATT&CK T1070.009 Clear Persistence for the broader anti-forensics context.
Related posts
- Why is my Amcache.hve empty?
Three causes in order of frequency: appraiser disabled, host freshly imaged, or you're on a Server where the cadence is naturally slow. Tampering is a distant fourth.
- Where is the Amcache registry key?
Amcache is its own hive file, not a key under HKLM. Loaded on demand by the appraiser. Mounts at HKLM\Amcache when active.
- What does Amcache.hve contain?
Inventory records for every PE, driver, application, and connected device the Compatibility Appraiser has seen. SHA-1, full path, publisher, and timestamps per entry.
- What's a .pf file vs an Amcache entry?
.pf is execution proof with run times. Amcache is presence with hash and metadata. Same binary in both, only one, or neither, and which combination it is matters.