What is Amcache ProgramId? (glossary)

ProgramId is the 44-character identity Amcache uses for a logical application. It is computed from metadata (name, publisher, version, language), not from binary content. Two completely different binaries with the same identity metadata get the same ProgramId; the same binary recompiled with different metadata gets a different one.

0006fa0b2a9f8a4eb9d7c81e8b1f3c5d3e2a0000ffff

Two things make it useful in DFIR. It is stable across hosts for the same install, and it joins a file in InventoryApplicationFile to its application record in InventoryApplication. The first is what makes it a hunt primitive. The second is what makes it a single-host investigation primitive.

ProgramId vs FileId#

FileId ProgramId
Length 41 chars ("0000" + SHA-1) 44 chars
What it hashes First 31 MiB of file bytes Application metadata
Identifies a binary uniquely? Yes No, siblings share
Stable cross-host? Only for identical bytes Yes, for the same install
Best for Exact-binary cross-host Application-family cross-host

When ProgramId wins#

  • The attacker rebuilds their loader between hosts. Different bytes, different Hash. Same name/publisher/version metadata. ProgramId follows.
  • The attacker renames mimikatz.exe to update.exe. If they didn't scrub the version-info resource, ProgramId follows.
  • You want to scope spread across the estate. One suspicious ProgramId becomes a query against every collected host's Amcache CSV. See Lateral movement and Amcache ProgramId pivoting.

When ProgramId is the wrong pivot#

  • LOLBINs. net.exe, psexec.exe, certutil.exe have the same ProgramId on every host. Matches are noise. Pivot on command line via Security 4688 instead.
  • Per-host implants. Truly per-victim malware produces a unique ProgramId per host. You need behavioural patterns (logon source, network telemetry) for those.

For the long-form reference, see Amcache ProgramId explained.

Related posts

Back to all posts