What is Amcache FileId? (glossary)
FileId is "0000" followed by the SHA-1 of the first 31 MiB of the file. Forty-one characters. Lives in Root\InventoryApplicationFile. One of the most useful single fields the Compatibility Appraiser ever wrote, and the one that catches new analysts more often than any other.
0000da39a3ee5e6b4b0d3255bfef95601890afd80709
Two traps#
The prefix is a trap#
VirusTotal, threat intel feeds, and your internal allowlist all want a 40-character hex SHA-1. They will not match anything if you include "0000". They will also not tell you that. The response looks identical to "we have never seen this file". Strip the prefix.
AmcacheParser handles this for you by splitting the column into FileId (with prefix) and Hash (without). Use Hash.
The 31 MiB cutoff is a trap#
The hash covers only the first 31 MiB of the file. For most PE binaries this is irrelevant because almost everything is smaller. For large installers, fat game binaries, and a fair amount of enterprise software, the Amcache value will not match a whole-file SHA-1. If VirusTotal returns no hits on a 200 MB installer, try hashing the first 31 MiB and searching that, or hash the full file and search the result. Often the two coexist in VT's index because both have been submitted at some point.
To compute the same value:
import hashlib
def amcache_sha1(path):
h = hashlib.sha1()
with open(path, 'rb') as f:
h.update(f.read(31 * 1024 * 1024))
return h.hexdigest()Where it earns its keep#
- VirusTotal triage on every suspicious row.
- Cross-host hash hunts to scope spread (see Lateral movement and Amcache ProgramId pivoting).
- Sysmon
7(Image Loaded) joins. Sysmon records the SHA-1 of every DLL load. MatchHashto Sysmon'sHashesand you have "which process loaded the attacker DLL, and when".
For the long-form reference, see Amcache FileId explained.
Related terms#
Related posts
- What is Amcache ProgramId? (glossary)
ProgramId is the 44-character application-identity hash Amcache stores. Stable across hosts for the same install. Catches re-compiles and renames where Hash misses.
- What is LinkDate in Amcache? (glossary)
LinkDate is the PE TimeDateStamp. Attacker-controllable. Use it for build clustering, not for host timelines.
- What is KeyLastWriteTimestamp in Amcache? (glossary)
The registry write time of the Amcache key. Closest thing to 'when the appraiser recorded this'. The single field new analysts most often confuse with LinkDate.
- What is Root\InventoryApplicationFile? (glossary)
The principal Amcache key. One sub-key per PE the appraiser inventoried, with hash, path, publisher, link date, and a registry write time. Where 90% of analyst time goes.