How often is Amcache updated?

The Compatibility Appraiser updates Amcache.hve roughly daily on Windows 10/11 workstations, every 2 to 5 days on Windows Server with Desktop Experience, and weekly or longer on Server Core. The cadence comes from the scheduled task at \Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser, which combines idle-time triggers and time-based triggers with random delay and is power-aware.

For DFIR, this means Amcache lags real time:

Host type                                 Typical lag from file-on-disk to Amcache entry
Windows 10/11 workstation                 Up to ~24 hours
Windows Server with Desktop Experience    2–5 days
Windows Server Core                       Up to a week or more
Laptop in Modern Standby                  Up to 36–48 hours
Battery-bound device                      Variable (appraiser skips on battery)

A binary dropped on a host may not appear in Amcache for that window. For sub-hour first-seen precision, use Sysmon File Create events (Event ID 11) or MFT $STANDARD_INFORMATION.CreationTime instead. Amcache excels at "present at some point" — not "present at this exact second."

Forcing the appraiser to run

If you need fresh Amcache fast (during a triage), kick the task:

# Elevated PowerShell
Start-ScheduledTask `
  -TaskPath '\Microsoft\Windows\Application Experience\' `
  -TaskName 'Microsoft Compatibility Appraiser'
 
# Wait 30-60s, then check LastRunTime
Get-ScheduledTaskInfo `
  -TaskPath '\Microsoft\Windows\Application Experience\' `
  -TaskName 'Microsoft Compatibility Appraiser'

After completion, recollect Amcache.hve and its transaction logs.

When the appraiser is disabled

Signs the appraiser is not running:

  • The scheduled task is disabled or has a stale LastRunTime.
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection\AllowTelemetry = 0 (Group Policy disables CEIP / telemetry).
  • Amcache.hve's KeyLastWriteTimestamp distribution stops at some date with no newer entries.

On a host where the appraiser is disabled, Amcache is frozen. It is not a useful artefact for events after the disablement time. Use Sysmon, EDR, and the Security event log instead.
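An added example, not code from the original post: a Python helper that applies the lag table and the third sign above (last-write timestamps that stop at some date) to timestamps already parsed from a collected hive. The function name, the host-type keys, the 7-day cut-off for Server Core and the sample timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Upper bound of the typical lag per host type, from the table on this page.
# "A week or more" has no upper bound; 7 days is an assumed cut-off.
TYPICAL_LAG = {
    "workstation": timedelta(hours=24),
    "server_desktop_experience": timedelta(days=5),
    "server_core": timedelta(days=7),
    "modern_standby_laptop": timedelta(hours=48),
}

def assess_amcache(key_write_times, collected_at, host_type, event_time=None):
    """Judge what an Amcache collection can say about a point in time.

    key_write_times: key last-write timestamps parsed from Amcache.hve
    collected_at:    when the hive was acquired
    event_time:      optional time of interest, e.g. a file's MFT creation time
    """
    if not key_write_times:
        return {"state": "empty", "newest": None, "coverage": "not_covered"}
    lag = TYPICAL_LAG[host_type]
    newest = max(key_write_times)
    # No write within the expected lag: the appraiser missed a cycle or is disabled.
    state = "stale" if collected_at - newest > lag else "current"
    coverage = None
    if event_time is not None:
        if event_time <= newest:
            coverage = "covered"        # hive was written after the event
        elif state == "stale":
            coverage = "not_covered"    # after the freeze: use Sysmon, EDR, Security log
        else:
            coverage = "within_lag"     # absence of an entry proves nothing yet
    return {"state": state, "newest": newest, "coverage": coverage}

if __name__ == "__main__":
    utc = timezone.utc
    # Constructed sample: last-write times stop on 3 March, hive collected 20 March.
    writes = [datetime(2024, 3, d, 3, 5, tzinfo=utc) for d in (1, 2, 3)]
    collected = datetime(2024, 3, 20, 12, 0, tzinfo=utc)
    dropped = datetime(2024, 3, 10, 9, 30, tzinfo=utc)
    print(assess_amcache(writes, collected, "workstation", dropped))
```

A "covered" result only means the hive was written after the time of interest; a "within_lag" result means a missing entry should not be read as evidence that the file was never present.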

For the broader appraiser reference, see the Compatibility Appraiser glossary. For build-specific cadence details, see Amcache on Windows Server.

Related posts

  • Why is my Amcache.hve empty?

    Three common causes: the Compatibility Appraiser is disabled, the host is freshly imaged, or you're collecting from a Server / Server Core where the appraiser runs much less often.

  • Where is the Amcache registry key?

    Amcache is its own hive file at C:\Windows\AppCompat\Programs\Amcache.hve — not a key under HKLM. When loaded by tools or by Windows itself it mounts as HKLM\Amcache.

  • What does Amcache.hve contain?

    Amcache.hve contains inventory records for every PE binary, driver, and connected device the Windows Compatibility Appraiser has seen — with SHA-1 hashes, paths, publishers, and timestamps.

  • What's a .pf file vs an Amcache entry?

    .pf files are Windows Prefetch records — proof a binary executed, with run timestamps and loaded-files lists. Amcache entries record presence, with the SHA-1 hash and metadata.