How do I read Amcache.hve on Linux or macOS?
You don't need Windows to read Amcache. Three good options, in order from "production DFIR" to "quick triage":
Option 1 — dotnet AmcacheParser.dll (recommended for analysts)
Eric Zimmerman publishes a framework-dependent .NET build of AmcacheParser that runs anywhere .NET runs. Same tool, same flags, same output as Windows.
```shell
# Install .NET runtime
# Debian/Ubuntu
sudo apt install dotnet-runtime-6.0
# RHEL/Fedora
sudo dnf install dotnet-runtime-6.0
# macOS
brew install dotnet

# Then run AmcacheParser (--mp: higher-precision timestamps)
dotnet /opt/ztools/net6/AmcacheParser/AmcacheParser.dll \
  -f /cases/inc-042/HOST01/Amcache.hve \
  --csv /cases/inc-042/HOST01/out \
  --csvf HOST01_amcache.csv \
  --mp
```
Same per-category CSVs you'd get on Windows. This is the right choice for full investigations on a non-Windows analyst host.
Option 2 — browser-based (no install)
Drop Amcache.hve on this site's home page and the parser runs entirely in your browser. The file never leaves your browser — parsing is client-side Rust compiled to WebAssembly.
Works on:
- Any desktop / laptop OS with a modern browser (Chrome, Firefox, Safari, Edge).
- ChromeOS, BSD, anything with a browser.
- Mobile devices (Android, iOS) — though the UI is desktop-first.
Best for triage, education, and quick lookups when you don't want to install anything. For full investigations, use Option 1.
Option 3 — libhivex / Python
For programmatic access, libhivex (the Linux registry-hive library) has Python bindings:
```python
import hivex

h = hivex.Hivex('/cases/inc-042/HOST01/Amcache.hve')
root = h.root()

# Walk Root\InventoryApplicationFile
inv = h.node_get_child(root, 'Root')
inv_files = h.node_get_child(inv, 'InventoryApplicationFile')
for child in h.node_children(inv_files):
    name = h.node_name(child)
    # value_value() returns a (type, raw bytes) pair; strings are UTF-16LE, numbers little-endian
    values = {h.value_key(v): h.value_value(v) for v in h.node_values(child)}
    print(name, values)
```
You'll need to decode Windows FILETIME values, parse the "0000" + SHA-1 FileId format, and walk the tree yourself. There's no off-the-shelf Python Amcache parser with the same CSV schema as AmcacheParser — but if you need programmatic / scripted access, hivex is the right primitive.
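The decoding work that the hivex snippet leaves to you, as an added example (not code from this site or from hivex): FILETIME conversion for the key's last-write time, the "0000" + SHA-1 FileId check, and per-type decoding of the (type, bytes) pairs hivex returns. The type codes 1/4/11 are the standard REG_SZ/REG_DWORD/REG_QWORD values; the sample key below is constructed, not real case data.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows registry value type codes, as found in the (type, bytes) pair hivex's value_value() returns
REG_SZ, REG_DWORD, REG_QWORD = 1, 4, 11
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; None when unset (0)."""
    if not ft:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_file_id(file_id):
    """Amcache FileId is '0000' + 40 hex chars of SHA-1; return the lower-case SHA-1 or None."""
    s = file_id.strip().lower()
    if len(s) != 44 or not s.startswith("0000"):
        return None
    sha1 = s[4:]
    return sha1 if all(c in "0123456789abcdef" for c in sha1) else None

def decode_value(vtype, data):
    """Decode one (type, raw bytes) pair from hivex; other types come back raw."""
    if vtype == REG_SZ:  # UTF-16LE, NUL-terminated
        return data.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    if vtype == REG_DWORD:
        return struct.unpack("<I", data[:4])[0]
    if vtype == REG_QWORD:
        return struct.unpack("<Q", data[:8])[0]
    return data

def decode_entry(key_last_write, raw_values):
    """One InventoryApplicationFile key: h.node_timestamp() FILETIME plus {name: (type, bytes)} -> row."""
    row = {name: decode_value(t, d) for name, (t, d) in raw_values.items()}
    row["KeyLastWrite"] = filetime_to_datetime(key_last_write)
    row["SHA1"] = parse_file_id(row.get("FileId", ""))
    return row

# Constructed sample shaped like what the hivex loop yields for one key (not real case data).
def _sz(s):
    return (REG_SZ, (s + "\x00").encode("utf-16-le"))

SAMPLE_LAST_WRITE = (1558960305 + 11644473600) * 10_000_000  # 2019-05-27 12:31:45 UTC as FILETIME
SAMPLE_VALUES = {
    "FileId": _sz("0000" + "0123456789abcdef0123456789abcdef01234567"),
    "LowerCaseLongPath": _sz(r"c:\tools\example.exe"),
    "Size": (REG_QWORD, struct.pack("<Q", 2_949_216)),
    "IsOsComponent": (REG_DWORD, struct.pack("<I", 0)),
}
```

In the hivex loop, call `decode_entry(h.node_timestamp(child), values)` per key to get a row with decoded strings, integers, the key's last-write time and the extracted SHA-1.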
What about Volatility?
If you only have a Windows memory image (no disk), use Volatility to dump the in-memory copy of Amcache, then feed the dumped file to one of the above options.
```shell
# Volatility 3 — find the hive in the hive list
vol -f memory.dmp windows.registry.hivelist | grep -i amcache
# Dump it
vol -f memory.dmp windows.registry.dumphive --offset 0xfffff8a0... > Amcache.hve
# Then parse with AmcacheParser as above
```
See Volatility and Amcache for the full memory-extraction workflow.
Quick decision
| You want to... | Use |
|---|---|
| Full investigation, structured CSV | Option 1 (dotnet AmcacheParser.dll) |
| Quick triage / one-off look | Option 2 (browser) |
| Custom script / pipeline integration | Option 3 (libhivex / Python) |
| Parse from a memory dump | Volatility → Option 1 |
For the broader artefact context, see the Amcache complete reference.
Related posts
- Why is my Amcache.hve empty?
Three common causes: the Compatibility Appraiser is disabled, the host is freshly imaged, or you're collecting from a Server / Server Core where the appraiser runs much less often.
- Where is the Amcache registry key?
Amcache is its own hive file at C:\Windows\AppCompat\Programs\Amcache.hve — not a key under HKLM. When loaded by tools or by Windows itself it mounts as HKLM\Amcache.
- What does Amcache.hve contain?
Amcache.hve contains inventory records for every PE binary, driver, and connected device the Windows Compatibility Appraiser has seen — with SHA-1 hashes, paths, publishers, and timestamps.
- What's a .pf file vs an Amcache entry?
.pf files are Windows Prefetch records — proof a binary executed, with run timestamps and loaded-files lists. Amcache entries record presence, with the SHA-1 hash and metadata.