What is Amcache FileId? (glossary)

FileId is "0000" followed by the SHA-1 of the first 31 MiB of the file. Forty-one characters. Lives in Root\InventoryApplicationFile. One of the most useful single fields the Compatibility Appraiser ever wrote, and the one that catches new analysts more often than any other.

0000da39a3ee5e6b4b0d3255bfef95601890afd80709

Two traps#

The prefix is a trap#

VirusTotal, threat intel feeds, and your internal allowlist all want a 40-character hex SHA-1. They will not match anything if you include "0000". They will also not tell you that. The response looks identical to "we have never seen this file". Strip the prefix.

AmcacheParser handles this for you by splitting the column into FileId (with prefix) and Hash (without). Use Hash.

The 31 MiB cutoff is a trap#

The hash covers only the first 31 MiB of the file. For most PE binaries this is irrelevant because almost everything is smaller. For large installers, fat game binaries, and a fair amount of enterprise software, the Amcache value will not match a whole-file SHA-1. If VirusTotal returns no hits on a 200 MB installer, try hashing the first 31 MiB and searching that, or hash the full file and search the result. Often the two coexist in VT's index because both have been submitted at some point.

To compute the same value:

import hashlib
def amcache_sha1(path):
    h = hashlib.sha1()
    with open(path, 'rb') as f:
        h.update(f.read(31 * 1024 * 1024))
    return h.hexdigest()

Where it earns its keep#

  • VirusTotal triage on every suspicious row.
  • Cross-host hash hunts to scope spread (see Lateral movement and Amcache ProgramId pivoting).
  • Sysmon 7 (Image Loaded) joins. Sysmon records the SHA-1 of every DLL load. Match Hash to Sysmon's Hashes and you have "which process loaded the attacker DLL, and when".

For the long-form reference, see Amcache FileId explained.

Related posts

Back to all posts