Is Amcache.hve a log file?

No. Amcache.hve is a Windows registry hive, not a log file.

It uses the same binary format as the SYSTEM, SOFTWARE, SAM, SECURITY, and NTUSER.DAT hives. The file is a structured tree of keys and typed values — added, updated, and occasionally deleted in place — not an append-only stream of events.

Specifically:

  • A log file records events sequentially. Each line is a discrete event; readers parse line-by-line.
  • A registry hive stores a tree of keys (like folders) and values (typed: REG_SZ, REG_DWORD, REG_QWORD, etc.). Readers walk the tree.

Amcache holds, for example, one sub-key per inventoried PE binary under Root\InventoryApplicationFile. Each sub-key contains 15-20 typed values: name, path, SHA-1 hash, link date, publisher, version, and so on.

What about Amcache.hve.LOG1 and Amcache.hve.LOG2?

Those are log files — but they are registry transaction logs, not event logs. They are the same write-ahead log mechanism every registry hive uses to buffer recent writes before they flush into the main hive file. They are not human-readable and are not used for event auditing.

Always collect all three files together — the hive and both logs. If you take only the hive, you can silently miss the most recent writes that are still in the logs.
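As an added illustration, not code from this post or from its parser: a small Python reader for the regf base block that a collector can run on Amcache.hve before deciding whether the hive alone is complete. The field offsets follow the documented regf header layout; the header bytes are constructed here for demonstration and are not from a real Amcache.

```python
import struct

REGF_HEADER_SIZE = 512   # the regf base block
HBIN_START = 0x1000      # hive bins begin right after the 4096-byte base block

def regf_checksum(hdr):
    """XOR of the 127 little-endian DWORDs that precede the checksum field."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", hdr[:508]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x or 1

def build_sample_header(primary_seq, secondary_seq, name="Amcache.hve"):
    """Constructed regf base block for demonstration only, not a real hive."""
    hdr = bytearray(REGF_HEADER_SIZE)
    struct.pack_into("<4sIIQIIIIIII", hdr, 0, b"regf", primary_seq, secondary_seq,
                     0,        # last-written FILETIME, left at zero here
                     1, 5,     # major/minor version 1.5, as in current hives
                     0,        # file type 0 = primary hive file
                     1,        # file format 1 = direct memory load
                     0x20,     # root cell offset, relative to HBIN_START
                     0x1000,   # size of the hive bins data
                     1)        # clustering factor
    hdr[48:112] = name.encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", hdr, 508, regf_checksum(hdr))
    return bytes(hdr)

def parse_regf_header(data):
    """Return the header fields a collector cares about; raise on a non-hive."""
    if len(data) < REGF_HEADER_SIZE or data[:4] != b"regf":
        raise ValueError("not a registry hive: 'regf' signature missing")
    primary, secondary = struct.unpack_from("<II", data, 4)
    major, minor = struct.unpack_from("<II", data, 20)
    root_off, bins_size = struct.unpack_from("<II", data, 36)
    stored = struct.unpack_from("<I", data, 508)[0]
    return {
        "primary_seq": primary,
        "secondary_seq": secondary,
        "version": f"{major}.{minor}",
        "root_cell_offset": HBIN_START + root_off,
        "hbin_data_size": bins_size,
        "embedded_name": data[48:112].decode("utf-16-le").rstrip("\x00"),
        "checksum_ok": stored == regf_checksum(data),
        # Unequal sequence numbers mean the last write never fully flushed: the
        # hive is dirty and the newest records are still in .LOG1/.LOG2.
        "needs_transaction_logs": primary != secondary,
    }
```

On a real collection, feed the first 512 bytes of Amcache.hve to parse_regf_header; a True needs_transaction_logs is the concrete signal that the .LOG1/.LOG2 files must travel with the hive.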

For the file paths and collection workflow, see Where Amcache.hve is on disk.

How to read Amcache.hve

You need a hive-aware parser:

  • AmcacheParser.exe (Eric Zimmerman) — the canonical Windows-side parser. Produces CSV per Inventory* category. See the AmcacheParser complete guide.
  • RegRipper amcache plugin (Harlan Carvey) — text-report output. See RegRipper amcache plugin.
  • This site's browser-based parser — Rust + WebAssembly, no install. Drop the hive on the home page.

For the broader artefact context, see the Amcache complete reference.
