What is Root\InventoryApplicationFile? (glossary)
Root\InventoryApplicationFile is where Amcache analysis actually happens. One sub-key per PE the appraiser inventoried, with the metadata that turns a row in a CSV into a defensible finding. If you only learn one Amcache key, learn this one.
It is paired with Root\InventoryApplication (the installed-product catalogue) via ProgramId. The pairing is what splits AmcacheParser's output into the Associated and Unassociated CSVs, and the Unassociated CSV is where attacker tooling lives on most cases.
What you get per entry#
| Value | What it gives you |
|---|---|
Name |
Filename only. mimikatz.exe, update.exe, that sort of thing. |
LowerCaseLongPath |
Full path, lowercased. |
FileId |
"0000" + SHA-1 of the first 31 MiB. |
Size |
Bytes. |
IsPeFile |
1 if it's PE. |
IsOsComponent |
1 if Windows-shipped. Filter to 0 to cut noise. |
Publisher / PublisherName |
Signing CN and friendly publisher string. Empty for unsigned. |
Version, BinFileVersion, ProductVersion |
PE resource version strings. |
ProductName |
PE resource ProductName. |
LinkDate |
PE TimeDateStamp. Attacker-controlled. |
Language |
PE resource LCID. |
ProgramId |
44-char application identity. Joins to InventoryApplication. |
Usn |
USN journal entry at inventory time. |
Plus the registry key's own LastWriteTimestamp, surfaced by AmcacheParser as KeyLastWriteTimestamp. That is the closest thing to "when did the appraiser write this entry" and the right pivot for almost every time-based question.
The triage filter that does most of the work#
IsPeFile = True
AND Publisher is empty
AND FullPath under \Users\, \AppData\, \ProgramData\, or \Temp\
Apply that to *_UnassociatedFileEntries.csv and you get a list small enough to read by hand. Most rows are either commodity malware or the user installed something portable. Both are quick to resolve.
For the full key-by-key tour, see Amcache registry structure.
Related terms#
Related posts
- Where is the Amcache registry key?
Amcache is its own hive file, not a key under HKLM. Loaded on demand by the appraiser. Mounts at HKLM\Amcache when active.
- What is Amcache ProgramId? (glossary)
ProgramId is the 44-character application-identity hash Amcache stores. Stable across hosts for the same install. Catches re-compiles and renames where Hash misses.
- What is LinkDate in Amcache? (glossary)
LinkDate is the PE TimeDateStamp. Attacker-controllable. Use it for build clustering, not for host timelines.
- What is KeyLastWriteTimestamp in Amcache? (glossary)
The registry write time of the Amcache key. Closest thing to 'when the appraiser recorded this'. The single field new analysts most often confuse with LinkDate.