What is Root\InventoryApplicationFile? (glossary)

Root\InventoryApplicationFile is where Amcache analysis actually happens. One sub-key per PE the appraiser inventoried, with the metadata that turns a row in a CSV into a defensible finding. If you only learn one Amcache key, learn this one.

It is paired with Root\InventoryApplication (the installed-product catalogue) via ProgramId. The pairing is what splits AmcacheParser's output into the Associated and Unassociated CSVs, and the Unassociated CSV is where attacker tooling lives on most cases.

What you get per entry#

Value What it gives you
Name Filename only. mimikatz.exe, update.exe, that sort of thing.
LowerCaseLongPath Full path, lowercased.
FileId "0000" + SHA-1 of the first 31 MiB.
Size Bytes.
IsPeFile 1 if it's PE.
IsOsComponent 1 if Windows-shipped. Filter to 0 to cut noise.
Publisher / PublisherName Signing CN and friendly publisher string. Empty for unsigned.
Version, BinFileVersion, ProductVersion PE resource version strings.
ProductName PE resource ProductName.
LinkDate PE TimeDateStamp. Attacker-controlled.
Language PE resource LCID.
ProgramId 44-char application identity. Joins to InventoryApplication.
Usn USN journal entry at inventory time.

Plus the registry key's own LastWriteTimestamp, surfaced by AmcacheParser as KeyLastWriteTimestamp. That is the closest thing to "when did the appraiser write this entry" and the right pivot for almost every time-based question.

The triage filter that does most of the work#

IsPeFile = True
AND Publisher is empty
AND FullPath under \Users\, \AppData\, \ProgramData\, or \Temp\

Apply that to *_UnassociatedFileEntries.csv and you get a list small enough to read by hand. Most rows are either commodity malware or the user installed something portable. Both are quick to resolve.

For the full key-by-key tour, see Amcache registry structure.

Related posts

Back to all posts