What is Amcache.hve? (glossary)
Amcache.hve is a Windows registry hive that records every PE
binary the Microsoft Compatibility Appraiser has inventoried on
the host. Each inventory entry includes the file's full path, a
SHA-1 hash of the first ~31 MiB, the PE link date, publisher,
version, and a timestamp for when the appraiser recorded the entry.
It is one of the four foundational Windows DFIR artefacts — alongside Prefetch, ShimCache, and the Security event log — and the single best source of post-deletion evidence for which binaries were present on a host.
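Because the recorded hash covers only the leading part of each file, matching a FileId from the hive against a recovered sample needs a truncated SHA-1, not a whole-file one. The Python below is an added example (not code from this glossary or its parser); it assumes the commonly documented 31,457,280-byte cutoff and the "0000"-prefixed FileId layout, and it also shows why two large files that differ only after the cutoff share a FileId.

```python
import hashlib
import os
import tempfile
# FileId is a SHA-1 over only the leading bytes of a file. The 31,457,280-byte
# cutoff is the commonly documented value and an assumption of this example.
AMCACHE_HASH_LIMIT = 31_457_280

def amcache_sha1(path, limit=AMCACHE_HASH_LIMIT):
    """SHA-1 of at most `limit` leading bytes of the file at `path`."""
    h = hashlib.sha1()
    remaining = limit
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(1 << 20, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()

def normalise_file_id(file_id):
    """Strip the '0000' prefix Amcache puts before the 40 hex digits (assumed layout)."""
    fid = file_id.strip().lower()
    return fid[4:] if len(fid) == 44 and fid.startswith("0000") else fid

def file_id_matches(entry_file_id, path):
    """True if a FileId taken from the hive corresponds to the file now at `path`."""
    return normalise_file_id(entry_file_id) == amcache_sha1(path)

def demo():
    # Constructed sample: two files identical up to the cutoff, different after it.
    shared = bytes(range(256)) * (AMCACHE_HASH_LIMIT // 256)
    paths = []
    try:
        for tail in (b"tail-A", b"tail-B"):
            fd, name = tempfile.mkstemp(suffix=".bin")
            with os.fdopen(fd, "wb") as f:
                f.write(shared + tail)
            paths.append(name)
        a, b = paths
        whole = len(shared) + 64  # a limit past the end hashes the whole file
        return {
            "amcache_equal": amcache_sha1(a) == amcache_sha1(b),  # True: tails unhashed
            "full_equal": amcache_sha1(a, whole) == amcache_sha1(b, whole),  # False
            "matches": file_id_matches("0000" + amcache_sha1(a), b),  # True
        }
    finally:
        for p in paths:
            os.remove(p)
```

A FileId match therefore proves only that the first part of the file agrees; confirm large samples with a whole-file hash as well.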
At a glance
- Path: C:\Windows\AppCompat\Programs\Amcache.hve
- Companion files: Amcache.hve.LOG1, Amcache.hve.LOG2 (transaction logs — always collect alongside the hive)
- Format: standard Windows registry hive (same as SYSTEM, SOFTWARE)
- Populated by: the Compatibility Appraiser scheduled task
- Update cadence: roughly daily on Windows 10 / 11 workstations
- Retention: months to years on long-lived hosts
- Records: PE files (EXE, DLL), drivers, devices, applications
Why analysts care
Amcache survives the binaries it records. A wiper can delete a file from disk; the inventory snapshot — including the file's hash, path, and metadata — typically persists in the hive long afterwards. That makes Amcache the most reliable Windows artefact for answering "was this binary ever present on this host?" when the binary itself is gone.
For the broader artefact reference, see the Amcache complete reference; for the file's path and collection workflow, see Where Amcache.hve is on disk; for the registry structure inside the hive, see Amcache registry structure.
Related terms
- Compatibility Appraiser — the scheduled task that populates Amcache.
- InventoryApplicationFile — the headline registry key inside Amcache.
- FileId — the SHA-1-based content identifier each entry carries.
- ShimCache and Prefetch — neighbouring artefacts in the Windows execution-evidence stack.
To explore an Amcache.hve file in your browser without
installing anything, drop it on the parser home page.
Related posts
- What is Amcache ProgramId? (glossary)
  ProgramId is the 44-character application-identity hash Amcache assigns to each logical application. The same ProgramId on different hosts means the same application install.
- What is LinkDate in Amcache? (glossary)
  LinkDate is the PE header TimeDateStamp Amcache records — when the binary was compiled or linked, not when it appeared on the host.
- What is KeyLastWriteTimestamp in Amcache? (glossary)
  KeyLastWriteTimestamp is the registry-level last-write time of an Amcache entry — the closest thing Amcache exposes to 'when the appraiser recorded this file'.
- What is Root\InventoryApplicationFile? (glossary)
  InventoryApplicationFile is the headline Amcache registry key — one sub-key per PE binary inventoried by the appraiser, with path, SHA-1, publisher, link date, and timestamps.