What is the Compatibility Appraiser? (glossary)
The Microsoft Compatibility Appraiser is a Windows scheduled task that periodically walks the system, inventories the software that is installed or present on disk, gathers PE-header metadata for each PE file, and writes the records into the Amcache.hve registry hive.
It is the only component that writes to Amcache. If you understand the appraiser, you understand the cadence, coverage, and limits of every Amcache investigation.
Key facts
- Scheduled task path: \Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser
- Run cadence: ~24 h on Windows 10/11 workstations; 2–5 days on Server; weekly or longer on Server Core.
- Trigger model: idle-time triggers plus time-based triggers with a random delay. Power-aware: it skips runs while the host is on battery.
- Output: C:\Windows\AppCompat\Programs\Amcache.hve (plus the .LOG1 and .LOG2 transaction logs).
- Underlying purpose: Customer Experience Improvement Program (CEIP) telemetry. The local inventory exists because the appraiser had to know what to send to Microsoft.
Forensic implications
Two consequences matter for DFIR:
- Amcache lags reality. A binary dropped on a host may not appear in Amcache for up to ~24 h (workstation) or several days (server). For hour-precision first-seen, use Sysmon / Security 4688 / MFT instead.
- Disable the appraiser, freeze Amcache. Some hardened builds and high-security environments disable the appraiser (intentionally or via CEIP policy). On those hosts Amcache is frozen at the disablement time and is not a useful artefact for events afterwards.
Detecting tampering
Signs the appraiser has been disabled:
- The scheduled task is disabled or has a stale LastRunTime.
- Amcache.hve's KeyLastWriteTimestamp distribution stops at some date with no newer entries, on a host where you expected newer activity.
- HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection\AllowTelemetry = 0.
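A live-host triage of the three signs above, as an added example that is not part of the original page. It assumes an elevated PowerShell session on the host being examined; the staleness tolerances (2 days for workstations, 10 days for servers) are assumptions padded from the cadences stated under Key facts, and the hive-file check is only a coarse proxy for the per-key KeyLastWriteTimestamp distribution, which needs an offline hive parser.

```powershell
# Added example: triage whether the Compatibility Appraiser is still feeding Amcache.
$taskPath  = '\Microsoft\Windows\Application Experience\'
$taskName  = 'Microsoft Compatibility Appraiser'
$hiveDir   = "$env:SystemRoot\AppCompat\Programs"
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
$isWorkstation = (Get-CimInstance Win32_OperatingSystem).ProductType -eq 1
# Assumed tolerance: ~24h cadence on workstations, 2-5 days (weekly+ on Core) on servers.
$maxAge = if ($isWorkstation) { [TimeSpan]::FromDays(2) } else { [TimeSpan]::FromDays(10) }
$now = Get-Date
$findings = @()

# Sign 1: task disabled, missing, or with a stale LastRunTime.
$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
if (-not $task) {
    $findings += 'Appraiser scheduled task is missing'
} else {
    if ($task.State -eq 'Disabled') { $findings += 'Appraiser scheduled task is disabled' }
    $info = $task | Get-ScheduledTaskInfo
    # A task that never ran reports a sentinel date in 1899, which also counts as stale.
    $age = $now - $info.LastRunTime
    if ($age -gt $maxAge) {
        $findings += "Appraiser LastRunTime is stale: $($info.LastRunTime) ($([int]$age.TotalDays) days ago)"
    }
}

# Sign 2 (coarse proxy): neither the hive nor its transaction logs were written within the cadence.
$newest = Get-ChildItem -LiteralPath $hiveDir -Filter 'Amcache.hve*' -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($newest -and (($now - $newest.LastWriteTime) -gt $maxAge)) {
    $findings += "Newest Amcache file ($($newest.Name)) last written $($newest.LastWriteTime)"
}

# Sign 3: telemetry forced off by policy.
$telemetry = (Get-ItemProperty -Path $policyKey -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
if ($telemetry -eq 0) { $findings += 'Policy AllowTelemetry = 0 (CEIP/appraiser suppressed by policy)' }

if ($findings.Count -eq 0) {
    "No tamper indicators; Amcache should be live on this host (expected cadence <= $($maxAge.TotalDays) days)."
} else {
    'Amcache may be frozen on this host:'
    $findings | ForEach-Object { " - $_" }
}
```

Any finding means Amcache timestamps after the flagged date should not be trusted as negative evidence; fall back to Sysmon, Security 4688 or the MFT as the page recommends.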
For the broader investigative context, see Amcache complete reference and Recovering deleted-binary evidence from Amcache.
Related terms
- Amcache.hve — the hive the appraiser writes.
- InventoryApplicationFile — the headline key the appraiser populates.
- KeyLastWriteTimestamp — the appraiser-write timestamp.
To explore an Amcache hive without installing anything, drop it on the parser home page.