What does a ProgramId look like?

44 hex characters with no prefix and no delimiters, often ending in '0000ffff' or similar, for example 0006fa0b2a9f8a4eb9d7c81e8b1f3c5d3e2a0000ffff.

Is ProgramId a hash of the binary?

No. ProgramId is computed from the application's metadata (name, publisher, version, language), not from the binary's bytes. For the content hash, use FileId.

Is ProgramId stable across hosts?

Yes — the same application install on different hosts typically shares the same ProgramId. This is what makes it valuable for cross-host hunts.

Is ProgramId stable across Windows feature upgrades?

Not always. Upgrading from Windows 10 21H2 to Windows 11 22H2 can change ProgramId values for the same application. Within a major build, ProgramId is stable.

When should I pivot on ProgramId vs Hash?

Use Hash for exact-binary matches; use ProgramId for family-level matches (rebuilds with the same name/publisher/version). For high-precision cross-host hunts, run both pivots and treat ProgramId matches with non-matching hashes as suspicious.

What is Amcache ProgramId? (glossary)

ProgramId is the 44-character application-identity hash Amcache assigns to each logical application. Unlike FileId, which hashes file content, ProgramId hashes application metadata — name, publisher, version, and language.

A typical value:

0006fa0b2a9f8a4eb9d7c81e8b1f3c5d3e2a0000ffff

Two properties make ProgramId valuable in DFIR:

Stable across hosts. The same Office 365 build on two different workstations gets the same ProgramId.
Joins file records to application records. A file in Root\InventoryApplicationFile and the parent application in Root\InventoryApplication share the value.

How it differs from FileId#

	FileId	ProgramId
Length	41 chars (`"0000"` + SHA-1)	44 chars
Hashes	First 31 MiB of file bytes	Application metadata
Per-binary unique	Yes	No — siblings share
Per-host unique	No	No — cross-host stable
Pivot use	Exact-binary cross-host	Application-family cross-host

When ProgramId wins#

Re-compiled tools with same identity. Attacker rebuilds their loader between hosts — Hash differs, ProgramId stays the same.
Renamed binaries. mimikatz.exe → svchost64.exe → update.exe. If the attacker did not scrub the PE version-info resource, ProgramId follows the binary across the renames.
Cross-host scoping. A single suspicious ProgramId on one host becomes a query against every other collected host's Amcache. See Lateral movement and Amcache ProgramId pivoting.

When ProgramId is the wrong pivot#

Living-off-the-land binaries. net.exe, psexec.exe, and certutil.exe share ProgramId across every host that has them. Pivot on command line instead.
Per-host implants. Truly per-victim malware produces unique ProgramId values per host. Use behavioural patterns (4624 logon, network indicators) for those.

For the full ProgramId reference, see Amcache ProgramId explained.

FileId — the content-hash identifier.
InventoryApplicationFile — where ProgramId is stored.
Amcache.hve — the hive.

What is Amcache ProgramId? (glossary)

How it differs from FileId#

When ProgramId wins#

When ProgramId is the wrong pivot#

Related terms#

Related posts