What is the Compatibility Appraiser? (glossary)
The Compatibility Appraiser is the scheduled task that writes Amcache. Nothing else does. If you understand the appraiser, you understand the cadence, coverage, and limits of every investigation you build on Amcache. If you don't, you will eventually date a finding by the wrong day and regret it.
What you need to know#
- Task path:
\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser. - Cadence: ~24h on Windows 10/11 workstations. 2-5 days on Server with Desktop Experience. A week or more on Server Core. Skips on battery. Random delay on the time trigger.
- Output:
C:\Windows\AppCompat\Programs\Amcache.hveplus.LOG1and.LOG2. - Origin: Customer Experience Improvement Program. The local hive is the staging area for telemetry that goes to Microsoft. It just happens to be ideal for DFIR.
Two things this means for your investigation#
First, Amcache lags reality. A binary dropped on a workstation can be invisible to Amcache for up to a day. On a server, up to a week. If you need sub-hour first-seen precision, you are looking at the wrong artefact. Use Sysmon 1 / 11, Security 4688, or the MFT and USN journal instead.
Second, the appraiser is targetable. Hardened builds, telemetry-blocking GPOs, and a handful of attacker scripts will turn it off. The hive does not vanish. It freezes. A hive whose KeyLastWriteTimestamp density falls off a cliff three months before an incident is telling you the appraiser stopped, not that nothing happened.
Signs it has been switched off#
- Scheduled task state is
Disabled, or itsLastRunTimematches the host's install date. KeyLastWriteTimestampdistribution dies abruptly on a host you know has been busy since.HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection\AllowTelemetry = 0.Microsoft-Windows-Application-Experienceevent log goes quiet around the same date.
For the long-form context, see the Amcache complete reference and Recovering deleted-binary evidence from Amcache.
Related terms#
Related posts
- How often is Amcache updated?
Roughly daily on Windows 10/11 workstations. Every 2-5 days on Servers. Weeks on Server Core. Amcache lags reality. Plan timelines around that.
- What is Amcache ProgramId? (glossary)
ProgramId is the 44-character application-identity hash Amcache stores. Stable across hosts for the same install. Catches re-compiles and renames where Hash misses.
- What is LinkDate in Amcache? (glossary)
LinkDate is the PE TimeDateStamp. Attacker-controllable. Use it for build clustering, not for host timelines.
- What is KeyLastWriteTimestamp in Amcache? (glossary)
The registry write time of the Amcache key. Closest thing to 'when the appraiser recorded this'. The single field new analysts most often confuse with LinkDate.