What is Amcache ProgramId? (glossary)
ProgramId is the 44-character identity Amcache uses for a logical application. It is computed from metadata (name, publisher, version, language), not from binary content. Two completely different binaries with the same identity metadata get the same ProgramId; the same binary recompiled with different metadata gets a different one.
0006fa0b2a9f8a4eb9d7c81e8b1f3c5d3e2a0000ffff
Two things make it useful in DFIR. It is stable across hosts for the same install, and it joins a file in InventoryApplicationFile to its application record in InventoryApplication. The first is what makes it a hunt primitive. The second is what makes it a single-host investigation primitive.
ProgramId vs FileId#
| FileId | ProgramId | |
|---|---|---|
| Length | 41 chars ("0000" + SHA-1) |
44 chars |
| What it hashes | First 31 MiB of file bytes | Application metadata |
| Identifies a binary uniquely? | Yes | No, siblings share |
| Stable cross-host? | Only for identical bytes | Yes, for the same install |
| Best for | Exact-binary cross-host | Application-family cross-host |
When ProgramId wins#
- The attacker rebuilds their loader between hosts. Different bytes, different
Hash. Same name/publisher/version metadata.ProgramIdfollows. - The attacker renames
mimikatz.exetoupdate.exe. If they didn't scrub the version-info resource,ProgramIdfollows. - You want to scope spread across the estate. One suspicious
ProgramIdbecomes a query against every collected host's Amcache CSV. See Lateral movement and Amcache ProgramId pivoting.
When ProgramId is the wrong pivot#
- LOLBINs.
net.exe,psexec.exe,certutil.exehave the sameProgramIdon every host. Matches are noise. Pivot on command line via Security 4688 instead. - Per-host implants. Truly per-victim malware produces a unique
ProgramIdper host. You need behavioural patterns (logon source, network telemetry) for those.
For the long-form reference, see Amcache ProgramId explained.
Related terms#
Related posts
- What is LinkDate in Amcache? (glossary)
LinkDate is the PE TimeDateStamp. Attacker-controllable. Use it for build clustering, not for host timelines.
- What is KeyLastWriteTimestamp in Amcache? (glossary)
The registry write time of the Amcache key. Closest thing to 'when the appraiser recorded this'. The single field new analysts most often confuse with LinkDate.
- What is Root\InventoryApplicationFile? (glossary)
The principal Amcache key. One sub-key per PE the appraiser inventoried, with hash, path, publisher, link date, and a registry write time. Where 90% of analyst time goes.
- What is Amcache FileId? (glossary)
FileId is '0000' plus the SHA-1 of the first 31 MiB of the file. Strip the prefix before you hit VirusTotal or you will silently get back nothing.