RegRipper amcache plugin: what it does and when to use it
RegRipper by Harlan Carvey is the older of the two widely-used registry parsers in DFIR — the Zimmerman suite's RECmd is the newer. RegRipper's plugin architecture has supported Amcache for years via the amcache plugin and its variants (amcache_tln for timeline output).
If you are already using RegRipper for the rest of your registry
work, the amcache plugin is the right tool for interactive,
text-report parsing of Amcache.hve. If you need structured CSV
for downstream tools, AmcacheParser.exe is the better choice.
This page covers what the RegRipper amcache plugin does, what its
output looks like, when to reach for it, and how it compares to
AmcacheParser.
For the broader artefact reference, see the Amcache complete reference; for AmcacheParser specifically, see the AmcacheParser complete guide.
What the plugin does
The amcache plugin opens Amcache.hve, walks the same keys AmcacheParser walks (Root\InventoryApplicationFile, the legacy Root\Programs, and so on, depending on plugin variant), decodes the typed values, and writes a plain-text report to standard output.
Typical invocation:
```
# Linux / WSL / macOS with Perl
rip.pl -r /path/to/Amcache.hve -p amcache > amcache_report.txt
# Windows
rip.exe -r C:\Triage\Amcache.hve -p amcache > amcache_report.txt
```
The report is organised by key and contains, for each entry, a human-readable block with the file path, hash, publisher, version, timestamps, and so on. There is no per-row CSV; the unit of output is the formatted text block.
Variants
A few related plugins exist in the RegRipper repository:
| Plugin | Output |
|---|---|
| amcache | Standard text report per key. |
| amcache_tln | TLN-format (timeline) output suitable for ingestion into TLN frameworks. |
| appcompatcache | ShimCache parser (different artefact — see Amcache vs ShimCache). |
Use whichever matches your downstream tooling.
What the output looks like
A representative amcache plugin output block (paraphrased, formatting approximate):
```
File Reference : 0xABCD123456789ABC
File Path : c:\users\bob\appdata\local\temp\xyz1234.tmp.exe
File Size : 254464
SHA-1 : da39a3ee5e6b4b0d3255bfef95601890afd80709
PE Link Date : 2018-04-03 09:00:00 UTC
Publisher : (empty)
Product Name : (empty)
Product Version : (empty)
File Version : (empty)
Last Modified : 2026-04-19 02:14:55 UTC
Key Last Write : 2026-04-19 02:14:55 UTC
```
It is dense, readable as a single document, and well-suited to direct human reading. It is not well-suited to loading into a spreadsheet, joining against other CSVs, or filtering with PowerShell.
When to use the RegRipper plugin
A few situations where the RegRipper plugin is the right choice:
You are already doing a RegRipper sweep
If your workflow already runs RegRipper across SYSTEM,
SOFTWARE, NTUSER.DAT, SAM, and others, adding
-p amcache against Amcache.hve keeps everything in the same
report format. The continuity is worth more than the CSV
ergonomics for some analysts.
You want a single-document narrative
For triage reports where you want to read Amcache rather than query it — an executive summary, a deliverable to a stakeholder, a forensic narrative — RegRipper's text output is already in the right format.
Cross-platform without .NET
rip.pl is a Perl script. If you have Perl but no .NET runtime
(uncommon on a Windows analyst host, more common on a Linux
forensic VM), RegRipper works without dependency setup.
Timeline ingestion via amcache_tln
If your timeline framework (Plaso, log2timeline, a homegrown TLN
processor) ingests TLN-format data, the amcache_tln variant
fits the pipeline directly. AmcacheParser does not emit TLN; you
would have to convert.
When to use AmcacheParser instead
For most modern DFIR, AmcacheParser is the better default:
You need structured CSV
The CSV per-category schema is dramatically easier to load into a spreadsheet, Timeline Explorer, a SIEM, or PowerShell for filtering and joining. RegRipper's text output requires regex or manual conversion to get to the same place.
You need the full modern Inventory* coverage
RegRipper's amcache plugin covers the major keys but is not
guaranteed to be updated as quickly as AmcacheParser when new
Windows builds shift the schema. The Zimmerman tool is updated
quickly because it is maintained by an active DFIR practitioner.
You need transaction-log handling
AmcacheParser handles registry transaction logs (Amcache.hve.LOG1,
.LOG2) correctly out of the box when you point at the hive and
keep the logs in the same directory. RegRipper handles them too
on recent versions, but the support is newer and more variable
across plugin versions. If you do not collect the logs
(see Where Amcache.hve is on disk),
neither tool can recover the missing data.
You want hash-pivot CSVs for cross-host hunts
AmcacheParser's per-host CSVs are the standard input to the
hash / ProgramId pivot patterns described in
Lateral movement and Amcache ProgramId pivoting.
The pivots work against RegRipper output too — but you would have
to script the parsing.
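Because the text report has no per-row structure, pivoting on a hash across hosts means scripting the parse first. The following is an added example, not RegRipper's code or part of the original page: it splits blank-line-separated "Field : value" blocks in the approximate layout shown above into dicts, then reports any SHA-1 seen on more than one host. The report text is constructed sample data and the exact field labels are an assumption; adjust the regex if your plugin version prints them differently.

```python
import re
from collections import defaultdict

# Constructed sample (not real tool output): RegRipper-style amcache blocks from two hosts.
SAMPLE_REPORTS = {
    "HOST-A": """\
File Path : c:\\users\\bob\\appdata\\local\\temp\\xyz1234.tmp.exe
SHA-1 : da39a3ee5e6b4b0d3255bfef95601890afd80709
Publisher : (empty)
Key Last Write : 2026-04-19 02:14:55 UTC

File Path : c:\\windows\\system32\\notepad.exe
SHA-1 : 1111111111111111111111111111111111111111
Publisher : Microsoft Corporation
Key Last Write : 2026-04-01 10:00:00 UTC
""",
    "HOST-B": """\
File Path : c:\\programdata\\xyz1234.tmp.exe
SHA-1 : da39a3ee5e6b4b0d3255bfef95601890afd80709
Key Last Write : 2026-04-19 03:30:12 UTC
""",
}

# Lazy name group stops at the first " : ", so the colon in "c:\..." stays in the value.
FIELD_RE = re.compile(r"^(?P<name>[A-Za-z0-9 \-]+?)\s*:\s*(?P<value>.*)$")

def parse_blocks(report_text):
    """Split a text report into dicts, one per blank-line-separated block."""
    entries, current = [], {}
    for line in report_text.splitlines():
        if not line.strip():  # a blank line closes the current block
            if current:
                entries.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            value = m.group("value").strip()
            # Normalise the plugin's "(empty)" marker to an empty string for joins.
            current[m.group("name").strip()] = "" if value == "(empty)" else value
    return entries + ([current] if current else [])

def sha1_pivot(reports):
    """Map SHA-1 -> sorted hosts across reports; keep only hashes seen on more than one host."""
    seen = defaultdict(set)
    for host, text in reports.items():
        for e in parse_blocks(text):
            if e.get("SHA-1"):
                seen[e["SHA-1"]].add(host)
    return {h: sorted(hosts) for h, hosts in seen.items() if len(hosts) > 1}
```

Each parsed dict is a ready-made CSV row once you pick the columns, so the same parse feeds Timeline Explorer or a SIEM as well as the pivot.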
Using both
The two tools are not mutually exclusive. A common pattern:
- Run AmcacheParser for structured CSV — feed into Timeline Explorer, your SIEM, and cross-host pivots.
- Run RegRipper's amcache plugin for the text-narrative block for any specific entry of interest — copy/paste into your case notes, attach to your report.
Both read the same hive and produce consistent results. Using both is rarely confusing and often the right balance of "structured data" + "human-readable narrative."
Other RegRipper plugins worth knowing for Amcache work
RegRipper's strength is its plugin library for the rest of the registry. A few neighbours of amcache that matter for a full Windows-host investigation:
| Plugin | What it parses |
|---|---|
| appcompatcache | ShimCache. See Amcache vs ShimCache. |
| userassist | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist — GUI-launched programs. |
| runmru | Most-recently-used "Run" dialog entries. |
| usbstor | HKLM\SYSTEM\...\Enum\USBSTOR — USB mass-storage history. |
| setupapi | setupapi.dev.log — driver-install timeline. |
| services | Windows services from SYSTEM. |
If you are using AmcacheParser for Amcache, you may still want RegRipper for these adjacent artefacts.
The browser-based alternative for triage
If you want a quick look at a hive without installing either RegRipper or AmcacheParser, this site's browser-based parser runs in WebAssembly and shows every category and field. It is designed for triage and education, not as a replacement for either Zimmerman or RegRipper in full investigations.
See also
- Amcache complete reference — the artefact in full.
- AmcacheParser complete guide — the Zimmerman tool.
- Volatility Amcache plugins — pulling the hive out of memory before parsing.
- Amcache vs ShimCache — RegRipper's appcompatcache plugin parses ShimCache.
- AmcacheParser output columns explained — what AmcacheParser's CSV contains, for comparison with RegRipper's text blocks.