Posts tagged "forensics"
- Why is my Amcache.hve empty?
Three causes in order of frequency: appraiser disabled, host freshly imaged, or you're on a Server where the cadence is naturally slow. Tampering is a distant fourth.
2026-05-24
- Where is the Amcache registry key?
Amcache is its own hive file, not a key under HKLM. Loaded on demand by the appraiser. Mounts at HKLM\Amcache when active.
2026-05-24
- What does Amcache.hve contain?
Inventory records for every PE, driver, application, and connected device the Compatibility Appraiser has seen. SHA-1, full path, publisher, and timestamps per entry.
2026-05-24
- Volatility and Amcache: extracting the hive from memory images
When you only have a RAM dump, Volatility extracts the in-memory copy of Amcache.hve. Hand off to AmcacheParser. The cases where this is the only option.
2026-05-24
- RegRipper amcache plugin: what it does and when to use it
RegRipper's amcache plugin produces a plain-text Amcache report. Useful when you're already running RegRipper across other hives or need narrative output. Use AmcacheParser when you need CSV.
2026-05-24
- What's a .pf file vs an Amcache entry?
.pf is execution proof with run times. Amcache is presence with hash and metadata. Same binary in both, only one, or neither, and which combination it is matters.
2026-05-24
- Is Amcache.hve a log file?
No. It's a registry hive in the same binary format as SYSTEM and NTUSER.DAT. A tree of typed keys, not a flat append-only stream.
2026-05-24
- How do I read Amcache.hve on Linux or macOS?
Three options. dotnet AmcacheParser.dll, the browser parser on this site, or any libhivex-based tool. None of them require Windows.
2026-05-24
- How often is Amcache updated?
Roughly daily on Windows 10/11 workstations. Every 2-5 days on Servers. Weeks on Server Core. Amcache lags reality. Plan timelines around that.
2026-05-24
- What is SRUM (SRUDB.dat)? (glossary)
SRUM is the ESE database Windows uses to track per-application resource usage by hour over 30-60 days. The only Windows artefact with per-app network-byte totals. Critical for exfil.
2026-05-24
- What is Shimcache (AppCompatCache)? (glossary)
Shimcache is the kernel-maintained loader cache in the SYSTEM hive. 1024 entries, no hash, stale until reboot. Different from Amcache; pair them.
2026-05-24
- What is Amcache ProgramId? (glossary)
ProgramId is the 44-character application-identity hash Amcache stores. Stable across hosts for the same install. Catches re-compiles and renames where Hash misses.
2026-05-24
- What is Windows Prefetch? (glossary)
Windows Prefetch is the directory of .pf files that proves execution. Up to 8-10 run times per binary plus the files loaded in the first ten seconds. The strongest Windows execution evidence.
2026-05-24
- What is LinkDate in Amcache? (glossary)
LinkDate is the PE TimeDateStamp. Attacker-controllable. Use it for build clustering, not for host timelines.
2026-05-24
- What is KeyLastWriteTimestamp in Amcache? (glossary)
The registry write time of the Amcache key. Closest thing to 'when the appraiser recorded this'. The single field new analysts most often confuse with LinkDate.
2026-05-24
- What is Root\InventoryApplicationFile? (glossary)
The principal Amcache key. One sub-key per PE the appraiser inventoried, with hash, path, publisher, link date, and a registry write time. Where 90% of analyst time goes.
2026-05-24
- What is Amcache FileId? (glossary)
FileId is '0000' plus the SHA-1 of the first 31 MiB of the file. Strip the prefix before you hit VirusTotal or you will silently get back nothing.
2026-05-24
- What is DFIR triage? (glossary)
Triage is the fast pass that decides whether a host is worth a full investigation. Amcache is one of the cheapest, most productive artefacts in the triage kit.
2026-05-24
- What is the Compatibility Appraiser? (glossary)
The scheduled task that walks the filesystem, inventories PE files, and writes the records into Amcache.hve. Understand its cadence or misread your timeline.
2026-05-24
- What is BYOVD (Bring-Your-Own-Vulnerable-Driver)? (glossary)
BYOVD is the trick of loading a signed-but-broken kernel driver to get ring 0 without bypassing Driver Signature Enforcement. Amcache's driver records are how you spot it.
2026-05-24
- What is Amcache.hve? (glossary)
Amcache.hve is the Windows hive the Compatibility Appraiser writes every PE it finds into, with SHA-1, full path, publisher, and an inventory timestamp. Survives the binary it records.
2026-05-24
- Does Amcache record DLLs?
Yes, on Windows 10 build 1709 and later. InventoryApplicationFile records both EXEs and DLLs classified as PE. Pre-1709 hives can't be trusted to.
2026-05-24
- Can Amcache be cleared by attackers?
Yes, with admin. No, not cleanly. Shadow copies, transaction logs, and the appraiser's own footprint usually preserve the prior state. Tampering is one of the more reliably caught attacker behaviours on Windows.
2026-05-24
- AmcacheParser output columns explained: every CSV field decoded
Field-by-field reference for AmcacheParser's CSV output. FileId, PathHash, ProgramId, LinkDate, BinFileVersion, IsPeFile, and every other column, with the pivots that matter.
2026-05-24
- AmcacheParser download guide: official sources, mirrors, and verification
Where to get AmcacheParser. Get-ZimmermanTools, direct download, KAPE, Velociraptor. Plus checksum verification and the air-gapped install pattern.
2026-05-24
- AmcacheParser: the complete guide to Eric Zimmerman's tool
The reference for AmcacheParser. What it does, how to install and run it, how to read the CSVs, and when the browser parser is the better tool for the moment.
2026-05-24
- AmcacheParser CLI cheatsheet: every flag, with worked examples
Copy-paste reference for AmcacheParser.exe. Every flag explained. KAPE, Velociraptor, and PowerShell batch patterns you can use directly.
2026-05-24
- Amcache on Windows Server: cadence, coverage, and quirks
Server Amcache: same format, same schema, much slower appraiser cadence and a different operating context. The patterns that matter for server-side DFIR.
2026-05-24
- Amcache on Windows 11 and Windows 10: schema, cadence, and quirks
Modern Amcache. The Inventory* schema introduced in 1709, the appraiser cadence, and the build-specific quirks worth knowing before you misread evidence.
2026-05-24
- Amcache vs SRUM: presence vs long-window resource usage
SRUM tracks per-app resource usage by hour over 30-60 days. Amcache inventories every PE on disk. They overlap on almost nothing and pair beautifully on exfil cases.
2026-05-24
- Amcache vs Prefetch: what each one really proves
Amcache records presence. Prefetch records execution. Where they overlap, they corroborate. Where they diverge, the divergence is the finding.
2026-05-24
- What's the difference between Amcache and AppCompatCache?
Amcache is rich, appraiser-maintained, with hashes. AppCompatCache (Shimcache) is sparse, kernel-maintained, with paths and a modify timestamp. Use both. The gaps between them are information.
2026-05-24
- USB and device history from Amcache: InventoryDeviceContainer and InventoryDevicePnp
Amcache's device records give you the cleanest 'what hardware ever touched this machine?' tabular view Windows offers. Plus the limits and the join key.
2026-05-24
- Amcache timestamps explained: KeyLastWriteTimestamp vs LinkDate vs the rest
Every timestamp Amcache exposes, what each one means, and which one to pivot on. Confusing them is the #1 mistake new analysts make.
2026-05-24
- Amcache registry structure: every key explained
Key-by-key tour of Amcache.hve. Root\InventoryApplicationFile, InventoryApplication, InventoryDriverBinary, the legacy Programs and File keys, and what every notable value means.
2026-05-24
- Amcache ProgramId explained: the 44-character application identity
ProgramId is the 44-char identity hash Windows computes from application metadata. Stable across hosts. The pivot that catches re-compiles where Hash misses.
2026-05-24
- Amcache parsers compared: AmcacheParser CLI, browser tool, Volatility, RegRipper
Four mature parsers for Amcache.hve. Same hive, different workflows. The decision rule comes down to install footprint, batchability, and where each one wins.
2026-05-24
- Hunting commodity malware with Amcache
An Amcache-first triage playbook for commodity malware on Windows. The filters that surface attacker tooling, the pivots that confirm execution, and the cross-host queries that scope the incident.
2026-05-24
- Lateral movement and Amcache: ProgramId pivoting across hosts
One suspicious ProgramId or Hash on host A becomes a query against every other host's Amcache. The playbook for scoping the spread across the estate.
2026-05-24
- The definitive Amcache.hve forensic reference: every key, every value, every timestamp
Field-by-field, schema-by-schema. What each Inventory* sub-key holds, what every timestamp means, how the schema evolved from Windows 7 to 11, and what Amcache will and will not prove.
2026-05-24
- Where Amcache.hve is located on disk (and how to collect it)
Path: C:\Windows\AppCompat\Programs\Amcache.hve plus the .LOG files. Always all three. Plus the right way to collect from a live host and from shadow copies.
2026-05-24
- Recovering deleted-binary evidence from Amcache
Amcache outlives the binaries it records. Path, SHA-1, publisher, link date, and inventory time persist for months after the attacker wipes the file. The practical workflow.
2026-05-24
- Amcache: the complete Windows .hve forensics reference
Amcache is the hive the Compatibility Appraiser writes every PE on disk into, with SHA-1, full path, publisher, link date, and a key write time. The reference, from format to investigative use.
2026-05-24
- Understanding Amcache for Windows forensics
What Amcache.hve records, why it matters, and how this parser reads it entirely in your browser.
2026-05-10
- Amcache FileId explained: the SHA-1 hash format Windows stores
FileId is '0000' plus the SHA-1 of the first 31 MiB. Strip the prefix or your VirusTotal lookups silently return nothing. The full reference, with the traps.
2026-05-24