What is Amcache FileId? (glossary)

FileId is the 44-character content identifier Amcache stores for each inventoried PE file. It is the literal string "0000" followed by the 40 hex characters of the SHA-1 of the first 31,457,280 bytes (exactly 30 MiB, often quoted loosely as "31 MB") of the file as the Compatibility Appraiser saw it when it inventoried the file. The leading "0000" is a fixed type tag; the remaining 40 characters are a genuine SHA-1.

A typical value (this particular one is "0000" followed by the SHA-1 of empty input, which makes it a convenient test vector for the recomputation below):

0000da39a3ee5e6b4b0d3255bfef95601890afd80709

It is one of the most useful fields in Amcache: it can be fed directly to VirusTotal lookups, threat-intel feed enrichment, and cross-host hash pivots. It also carries two traps that catch new analysts constantly.

Trap 1: don't include the 0000 prefix in external lookups

VirusTotal, your TI feed, and your hash-allowlist database all expect a 40-character SHA-1. Submitting the 44-character FileId returns no match, and it does so silently: the result looks identical to "this hash is unknown" and leads to wrong investigative conclusions. The same trap works in the other direction: when you hunt for a known-bad SHA-1 in raw, unparsed Amcache data, you must add the "0000" prefix or the search finds nothing.

AmcacheParser's CSV exposes both forms:

Column   Value
FileId   The full "0000" + SHA-1 string (44 characters).
Hash     Just the 40 hex characters. Use this for lookups.
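The normalisation step both traps call for, as an added example (this is not code from the page or from AmcacheParser). It accepts either the raw 44-character FileId or an already-stripped 40-hex SHA-1, lower-cases it, rejects anything else instead of passing it on to a lookup service where a malformed value would come back as a silent "unknown", and provides the inverse for searching raw Amcache data. The sample values are constructed; the function and constant names are my own.

```python
import re

SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")
FILEID_PREFIX = "0000"


def normalize_fileid(value: str) -> str:
    """Return the bare, lower-case 40-hex SHA-1 from either a raw Amcache
    FileId ("0000" + SHA-1, 44 chars) or an already-bare SHA-1.

    Raises ValueError for anything else, so a malformed value can never be
    submitted to VirusTotal or a TI feed and come back as a silent 'unknown'.
    """
    v = value.strip().lower()
    if len(v) == 44 and v.startswith(FILEID_PREFIX):
        v = v[len(FILEID_PREFIX):]
    if not SHA1_HEX.match(v):
        raise ValueError(f"not an Amcache FileId or SHA-1: {value!r}")
    return v


def to_fileid(sha1: str) -> str:
    """Inverse: rebuild the raw FileId to search for in unparsed Amcache data."""
    return FILEID_PREFIX + normalize_fileid(sha1)


# Constructed sample values (not real Amcache output): a raw FileId, a bare
# SHA-1, an upper-case variant, and a truncated value that must be rejected.
SAMPLE_VALUES = [
    "0000da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "0000DA39A3EE5E6B4B0D3255BFEF95601890AFD80709",
    "0000da39a3ee",
]


def lookup_keys(values):
    """Map each input to its lookup-ready SHA-1, or None if it was rejected."""
    out = {}
    for v in values:
        try:
            out[v] = normalize_fileid(v)
        except ValueError:
            out[v] = None
    return out


if __name__ == "__main__":
    for raw, key in lookup_keys(SAMPLE_VALUES).items():
        print(f"{raw:46} -> {key}")
```

Rejecting rather than best-effort stripping is deliberate: a lookup pipeline that quietly passes through a 44-character string produces exactly the false "unknown" verdict Trap 1 warns about.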

Trap 2: it's a prefix hash, not a whole-file hash

The SHA-1 covers only the first 31,457,280 bytes (30 MiB) of the file. For most PE binaries this does not matter, because almost all of them are smaller than that. For large installers, game binaries, and some enterprise software, the Amcache hash will not match a whole-file SHA-1, so a VirusTotal or Sysmon miss on such a file proves nothing; check the file's Size column before trusting a negative result. Remember also that the hash reflects the file as it was when the appraiser ran, not necessarily the file that is on disk now.

To recompute the same hash for verification (the stored value is the plain SHA-1 of this prefix; the "0000" tag is prepended separately):

import hashlib

AMCACHE_HASH_LIMIT = 31_457_280  # first 30 MiB (0x1E00000 bytes), not 31 MiB

def amcache_sha1(path):
    """SHA-1 of the first AMCACHE_HASH_LIMIT bytes, i.e. the FileId minus "0000"."""
    h = hashlib.sha1()
    with open(path, 'rb') as f:
        h.update(f.read(AMCACHE_HASH_LIMIT))  # read() returns fewer bytes for smaller files
    return h.hexdigest()

Where it's used

  • VirusTotal lookups — pivot from a single suspicious row to a malicious-or-not verdict.
  • Cross-host hash hunting — find every other host in your environment with the same binary. See Lateral movement and Amcache ProgramId pivoting.
  • Sysmon correlation — Sysmon Event ID 7 (Image Loaded) and Event ID 1 (Process Create) record file hashes in their Hashes field; join Amcache Hash to the SHA1 entry there to see which processes loaded a given DLL. This only works when SHA1 is among Sysmon's configured HashAlgorithms, and Sysmon hashes the whole file, so the join fails for files larger than 30 MiB.
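The Sysmon join described above, carried out on constructed data as an added example (not code from the page, from AmcacheParser or from Sysmon). The Amcache rows use the column names from the Trap 1 table plus an assumed FullPath and Size column; the Sysmon records are reduced to the Image, ImageLoaded and Hashes fields. The example strips the "0000" prefix where a row still carries it, drops Sysmon events whose Hashes field has no SHA1 entry, and flags rows whose Size exceeds the 30 MiB hash limit, where a hash join cannot be trusted (Trap 2). All function names and sample values are my own.

```python
import csv
import io

AMCACHE_HASH_LIMIT = 31_457_280  # Amcache hashes only the first 30 MiB of a file

# Constructed AmcacheParser-style export (not real output). The third row keeps
# the raw FileId form to show that the join must strip "0000" before comparing.
AMCACHE_CSV = r"""FullPath,Size,Hash
C:\Windows\System32\evil.dll,204800,1111111111111111111111111111111111111111
C:\Program Files\Big\big.dll,52428800,2222222222222222222222222222222222222222
C:\Windows\System32\clean.dll,102400,00003333333333333333333333333333333333333333
"""

# Constructed Sysmon Event ID 7 (Image Loaded) records, reduced to the three
# fields the join needs. Sysmon's Hashes field is "ALG=value,ALG=value" and
# lists only the algorithms configured in HashAlgorithms.
SYSMON_7 = [
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\evil.dll",
     "Hashes": "SHA1=1111111111111111111111111111111111111111,MD5=0123456789abcdef0123456789abcdef"},
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Windows\System32\evil.dll",
     "Hashes": "MD5=0123456789abcdef0123456789abcdef"},          # no SHA1 configured: unjoinable
    {"Image": r"C:\Program Files\Big\big.exe", "ImageLoaded": r"C:\Program Files\Big\big.dll",
     "Hashes": "SHA1=9999999999999999999999999999999999999999"},  # whole-file hash, so it differs
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Windows\System32\clean.dll",
     "Hashes": "SHA1=3333333333333333333333333333333333333333"},
]


def amcache_lookup_key(value):
    """Bare lower-case SHA-1 from either a raw FileId or an already-stripped Hash."""
    v = value.strip().lower()
    return v[4:] if len(v) == 44 and v.startswith("0000") else v


def sysmon_sha1(hashes_field):
    """Pull the SHA1 entry out of Sysmon's Hashes field, or None if it is absent."""
    for part in hashes_field.split(","):
        alg, _, val = part.partition("=")
        if alg.strip().upper() == "SHA1":
            return val.strip().lower()
    return None


def join_amcache_to_sysmon(amcache_csv, sysmon_events):
    """For each Amcache row, list the processes Sysmon saw loading that hash.

    Returns (report, dropped): report is a list of dicts with the file path,
    the sorted loader images and a caveat string when the hash join cannot be
    trusted for that row; dropped counts Sysmon events skipped for lacking SHA1.
    """
    loaders, dropped = {}, 0
    for ev in sysmon_events:
        sha1 = sysmon_sha1(ev["Hashes"])
        if sha1 is None:
            dropped += 1
            continue
        loaders.setdefault(sha1, set()).add(ev["Image"])

    report = []
    for row in csv.DictReader(io.StringIO(amcache_csv)):
        key = amcache_lookup_key(row["Hash"])
        caveat = ""
        if int(row["Size"]) > AMCACHE_HASH_LIMIT:
            caveat = ("file exceeds 30 MiB: Amcache prefix hash will not equal "
                      "Sysmon's whole-file SHA-1, join on path instead")
        report.append({"path": row["FullPath"],
                       "loaded_by": sorted(loaders.get(key, ())),
                       "caveat": caveat})
    return report, dropped


if __name__ == "__main__":
    report, dropped = join_amcache_to_sysmon(AMCACHE_CSV, SYSMON_7)
    for r in report:
        print(r["path"], "<-", r["loaded_by"] or "no Sysmon match", r["caveat"])
    print(f"{dropped} Sysmon event(s) skipped: no SHA1 in Hashes field")
```

In the constructed data, big.dll produces no hash match even though Sysmon did see it loaded, which is the Trap 2 failure mode: for that row the caveat tells the analyst to fall back to joining on ImageLoaded path.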

For the full FileId reference, see Amcache FileId explained.
