How do I read Amcache.hve on Linux or macOS?
You don't need Windows to read Amcache. Three options, in order from "full investigation" to "quick look".
Option 1: dotnet AmcacheParser.dll#
The Zimmerman build is framework-dependent .NET. Install the runtime, run the DLL. Same tool, same flags, same output.
# Debian / Ubuntu
sudo apt install dotnet-runtime-6.0
# RHEL / Fedora
sudo dnf install dotnet-runtime-6.0
# macOS
brew install dotnet
# Run
dotnet /opt/ztools/net6/AmcacheParser/AmcacheParser.dll \
-f /cases/inc-042/HOST01/Amcache.hve \
--csv /cases/inc-042/HOST01/out \
--csvf HOST01_amcache.csv \
--mpYou get the same per-category CSVs you would on Windows. Right choice for a full investigation on a non-Windows analyst host.
Option 2: browser, no install#
Drop Amcache.hve on this site's home page. The parser runs entirely in your browser. The file never leaves your browser. Parsing is Rust compiled to WebAssembly. Works on:
- Any desktop OS with a modern browser.
- ChromeOS, BSD, anything with a browser.
- Mobile, though the UI is desktop-first.
Right for triage, education, and quick lookups when you do not want to install anything. For a full investigation on a non-Windows workstation, prefer Option 1, because the CLI is scriptable.
Option 3: libhivex / Python#
For programmatic access. libhivex is the Linux registry-hive library and has Python bindings:
import hivex
h = hivex.Hivex('/cases/inc-042/HOST01/Amcache.hve')
root = h.root()
inv = h.node_get_child(root, 'Root')
inv_files = h.node_get_child(inv, 'InventoryApplicationFile')
for child in h.node_children(inv_files):
name = h.node_name(child)
values = {h.value_key(v): h.value_value(v) for v in h.node_values(child)}
print(name, values)You will need to decode Windows FILETIME values, parse the "0000" + SHA-1 FileId format, and walk the tree yourself. There is no off-the-shelf Python parser producing the same CSV schema as AmcacheParser. If you need scripted access this is the right primitive.
From a memory image#
If all you have is a Windows RAM dump, use Volatility to extract the in-memory hive first:
vol -f memory.dmp windows.registry.hivelist | grep -i amcache
vol -f memory.dmp windows.registry.dumphive --offset 0xfffff8a0... > Amcache.hveThen parse the dumped hive with Option 1, 2, or 3. The full memory workflow is in Volatility and Amcache.
Quick decision table#
| You want | Use |
|---|---|
| Full investigation, structured CSV | Option 1 |
| Quick triage, no install | Option 2 |
| Script integration or custom pipeline | Option 3 |
| Parse from memory | Volatility, then Option 1 |
For the broader artefact context, see the Amcache complete reference.
Related posts
- Why is my Amcache.hve empty?
Three causes in order of frequency: appraiser disabled, host freshly imaged, or you're on a Server where the cadence is naturally slow. Tampering is a distant fourth.
- Where is the Amcache registry key?
Amcache is its own hive file, not a key under HKLM. Loaded on demand by the appraiser. Mounts at HKLM\Amcache when active.
- What does Amcache.hve contain?
Inventory records for every PE, driver, application, and connected device the Compatibility Appraiser has seen. SHA-1, full path, publisher, and timestamps per entry.
- What's a .pf file vs an Amcache entry?
.pf is execution proof with run times. Amcache is presence with hash and metadata. Same binary in both, only one, or neither, and which combination it is matters.