What is Amcache.hve? (glossary)

Amcache.hve is the registry hive Windows writes every PE the Compatibility Appraiser inventories into. SHA-1 of the first 31 MiB, full path, publisher, link date, and the key's last-write time. One file per host. That's it.

It is one of four artefacts every Windows IR person learns first, alongside Prefetch, Shimcache, and the Security event log. It is also the one that most reliably survives the binary it records, which is why it ends up in nearly every report.

The essentials#

  • Path: C:\Windows\AppCompat\Programs\Amcache.hve
  • Transaction logs: Amcache.hve.LOG1, Amcache.hve.LOG2. Take them. Both. Every time.
  • Format: standard registry hive (regf). The same parsers that read SYSTEM read this.
  • Writer: the Compatibility Appraiser scheduled task.
  • Cadence: roughly daily on Windows 10/11, slower on Server, weeks on hardened Server Core.
  • Retention: long. Multi-year on workstations that have been running a while.
  • Coverage: PE files (EXE, DLL), drivers, devices, installed applications.

Why it matters#

The hive outlives the binaries it records. An attacker who wipes a tool from disk leaves the path, hash, publisher, and inventory time sitting in the hive, often for months. The single richest piece of forensic luck Microsoft has handed defenders.

For the long-form reference, see the Amcache complete reference. For where the file lives and how to grab it, see Where Amcache.hve is on disk. For the inside of the hive, see Amcache registry structure.

Related posts

Back to all posts