When was InventoryApplicationFile introduced?

Windows 10 build 1709 (Fall Creators Update, October 2017). Earlier Windows versions used the legacy Root\Programs and Root\File schema instead.

What values does each InventoryApplicationFile sub-key hold?

Name, LowerCaseLongPath, FileId (SHA-1), Size, IsPeFile, IsOsComponent, Publisher, Version, BinFileVersion, BinProductVersion, ProductName, ProductVersion, LinkDate, Language, Usn, ProgramId, and the registry-level KeyLastWriteTimestamp.

What's the difference between Associated and Unassociated entries?

Associated entries are linked to a parent InventoryApplication record via ProgramId — typically installed products. Unassociated entries have no matching application record, which is where ad-hoc downloaded binaries, attacker tooling, and one-off scripts typically appear.

How many InventoryApplicationFile entries are typical?

Hundreds to thousands on a typical Windows 10/11 workstation. Servers tend to have hundreds; developer workstations can exceed 10,000.

Does InventoryApplicationFile record DLLs?

Yes on modern schemas (Windows 10 1709+). It records both EXEs and DLLs that the appraiser classifies as PE files.

What is Root\InventoryApplicationFile? (glossary)

Root\InventoryApplicationFile is the principal registry key inside Amcache.hve. It contains one sub-key per PE binary the Compatibility Appraiser has inventoried, with rich metadata per entry: full path, SHA-1, publisher, version, link date, and inventory timestamp.

This is the key DFIR analysts spend 90% of their Amcache time in. Together with Root\InventoryApplication, it answers the canonical Amcache question: "was this binary ever present on this host, and what is it?"

Notable values per entry#

Value	Meaning
`Name`	File name only (e.g. `mimikatz.exe`).
`LowerCaseLongPath`	Full path, lowercased.
`FileId`	`"0000"` + SHA-1 hex of the first 31 MiB.
`Size`	File size in bytes.
`IsPeFile`	`1` if the file is a PE.
`IsOsComponent`	`1` if part of Windows itself.
`Publisher` / `PublisherName`	Publisher strings.
`Version` / `BinFileVersion` / `ProductVersion`	Version strings.
`ProductName`	PE resource ProductName.
`LinkDate`	PE `TimeDateStamp`.
`Language`	PE resource language ID.
`ProgramId`	44-char application-identity hash.
`Usn`	USN journal entry at inventory time.

Plus the registry-level KeyLastWriteTimestamp (not a value; the registry key's own last-write metadata) — which is the closest thing Amcache exposes to "when did the appraiser record this?".

Why analysts care#

InventoryApplicationFile is the single richest Windows source for post-deletion file evidence. A wiper can remove the file from disk; the entry persists in the hive for months. The combination of hash + path + publisher + inventory time is enough to identify a binary, verify it against VirusTotal, and bound when it appeared on the host — all without the binary itself.

Triage filter#

The standard "is this suspicious?" filter applied to the AmcacheParser CSV of this key:

IsPeFile = True
AND Publisher is empty
AND FullPath is under \Users\, \AppData\, \ProgramData\, or \Temp\

That single filter surfaces the vast majority of commodity-malware artefacts on a typical infected host.

For the full registry-structure tour, see Amcache registry structure.

Amcache.hve — the hive.
FileId — the content hash per entry.
ProgramId — the application identity per entry.
KeyLastWriteTimestamp — the inventory-time pivot.
LinkDate — the PE compile-time field.

What is Root\InventoryApplicationFile? (glossary)

Notable values per entry#

Why analysts care#

Triage filter#

Related terms#

Related posts