Posts tagged "forensics"
- Why is my Amcache.hve empty?
Three common causes: the Compatibility Appraiser is disabled, the host is freshly imaged, or you're collecting from a Windows Server or Server Core host, where the appraiser runs much less often.
2026-05-24
- Where is the Amcache registry key?
Amcache is its own hive file at C:\Windows\AppCompat\Programs\Amcache.hve — not a key under HKLM. When loaded by tools or by Windows itself it mounts as HKLM\Amcache.
2026-05-24
- What does Amcache.hve contain?
Amcache.hve contains inventory records for every PE binary, driver, and connected device the Windows Compatibility Appraiser has seen — with SHA-1 hashes, paths, publishers, and timestamps.
2026-05-24
- Volatility and Amcache: extracting the hive from memory images
A practical guide to recovering Amcache from a Windows memory image using Volatility — when memory-side recovery is the only option, which plugins to use, and how to hand off to AmcacheParser.
2026-05-24
- RegRipper amcache plugin: what it does and when to use it
A practical guide to RegRipper's amcache plugin — what it parses, how its text output differs from AmcacheParser's CSV, and when to reach for it instead of (or alongside) the Zimmerman tool.
2026-05-24
- What's a .pf file vs an Amcache entry?
.pf files are Windows Prefetch records — proof a binary executed, with run timestamps and loaded-files lists. Amcache entries record presence, with the SHA-1 hash and metadata.
2026-05-24
- Is Amcache.hve a log file?
No. Amcache.hve is a Windows registry hive — a structured key-value tree in the same binary format as SYSTEM and NTUSER.DAT — not a flat log.
2026-05-24
- How do I read Amcache.hve on Linux or macOS?
Three options: dotnet AmcacheParser.dll with the .NET runtime, this site's browser-based parser (zero install), or any libhivex-based tool. None of them require Windows.
2026-05-24
- How often is Amcache updated?
The Compatibility Appraiser updates Amcache.hve roughly daily on Windows 10/11 workstations, every 2-5 days on servers, and weekly or longer on Server Core.
2026-05-24
- What is SRUM (SRUDB.dat)? (glossary)
SRUM is the Windows System Resource Usage Monitor — an ESE database recording per-application CPU, network, and I/O usage in hour buckets over 30-60 days.
2026-05-24
- What is ShimCache (AppCompatCache)? (glossary)
ShimCache is a kernel-maintained cache in the SYSTEM registry hive recording up to 1024 binaries the Windows loader has touched. Different from Amcache.
2026-05-24
- What is Amcache ProgramId? (glossary)
ProgramId is the 44-character application-identity hash Amcache assigns to each logical application. The same ProgramId on different hosts means the same application install.
2026-05-24
- What is Windows Prefetch? (glossary)
Prefetch is the Windows folder of .pf files recording every binary execution, with up to 8-10 run timestamps per binary and the files each one loaded. The strongest Windows execution evidence.
2026-05-24
- What is LinkDate in Amcache? (glossary)
LinkDate is the PE header TimeDateStamp Amcache records — when the binary was compiled or linked, not when it appeared on the host.
2026-05-24
- What is KeyLastWriteTimestamp in Amcache? (glossary)
KeyLastWriteTimestamp is the registry-level last-write time of an Amcache entry — the closest thing Amcache exposes to 'when the appraiser recorded this file'.
2026-05-24
- What is Root\InventoryApplicationFile? (glossary)
InventoryApplicationFile is the headline Amcache registry key — one sub-key per PE binary inventoried by the appraiser, with path, SHA-1, publisher, link date, and timestamps.
2026-05-24
- What is Amcache FileId? (glossary)
FileId is the 41-character identifier Amcache stores for each file — '0000' + the SHA-1 hex of the first 31 MiB of the file.
2026-05-24
- What is DFIR triage? (glossary)
DFIR triage is the rapid first-pass examination of a suspected-compromised host to confirm or rule out a compromise within minutes. Amcache is one of the fastest triage artefacts on Windows.
2026-05-24
- What is the Compatibility Appraiser? (glossary)
The Microsoft Compatibility Appraiser is the Windows scheduled task that inventories installed software and writes the records into Amcache.hve.
2026-05-24
- What is BYOVD (Bring-Your-Own-Vulnerable-Driver)? (glossary)
BYOVD is the attacker technique of dropping a legitimately-signed but exploitable kernel driver to gain kernel-mode execution. Amcache's InventoryDriverBinary records every loaded driver.
2026-05-24
- What is Amcache.hve? (glossary)
Amcache.hve is the Windows registry hive that records every PE binary the Compatibility Appraiser inventoried on the host, with hash, path, and inventory time.
2026-05-24
- Does Amcache record DLLs?
Yes — on Windows 10 build 1709 and later, Amcache records DLLs alongside EXEs in InventoryApplicationFile. Pre-1709 hives may not.
2026-05-24
- Can Amcache be cleared by attackers?
Yes — an attacker with admin rights can edit or delete Amcache.hve, but the cleanup is detectable: Volume Shadow Copies, transaction logs, and the appraiser's own log usually preserve the prior state.
2026-05-24
- AmcacheParser output columns explained: every CSV field decoded
A field-by-field reference for AmcacheParser's CSV output — FileId, PathHash, ProgramId, LinkDate, BinFileVersion, IsPeFile, and every other column, with the pivots that matter in DFIR.
2026-05-24
- AmcacheParser download guide: official sources, mirrors, and verification
Every way to download Eric Zimmerman's AmcacheParser — Get-ZimmermanTools, direct download, KAPE, Velociraptor — with checksum verification and air-gapped install patterns.
2026-05-24
- AmcacheParser: the complete guide to Eric Zimmerman's tool
A definitive guide to AmcacheParser — what it does, how to install and run Eric Zimmerman's CLI, how to read its CSV output, and when to reach for the browser-based alternative.
2026-05-24
- AmcacheParser CLI cheatsheet: every flag, with worked examples
A practical command-line reference for Eric Zimmerman's AmcacheParser — every flag explained, with KAPE, Velociraptor, and PowerShell batch-processing patterns you can copy and paste.
2026-05-24
- Amcache on Windows Server: cadence, coverage, and quirks
Amcache on Windows Server 2016, 2019, 2022, and 2025 — appraiser cadence differences from desktop, what changes for hardened or Core installs, and the patterns that matter for server-side DFIR.
2026-05-24
- Amcache on Windows 11 and Windows 10: schema, cadence, and quirks
How Amcache.hve behaves on modern Windows 10 and Windows 11 — the Inventory* schema introduced in 1709, the appraiser cadence, and the build-specific quirks worth knowing.
2026-05-24
- Amcache vs SRUM: presence vs long-window resource usage
SRUM tracks resource usage by application over 30+ days; Amcache inventories every binary present on disk. Here is how they complement each other in a Windows DFIR timeline.
2026-05-24
- Amcache vs ShimCache: when each artefact wins
ShimCache and Amcache both record binaries that touched a Windows host. They are different mechanisms with different limits — here is when to use each, and what their overlap actually proves.
2026-05-24
- Amcache vs Prefetch: what each one really proves
Amcache records presence; Prefetch records execution. A practical reference for when to use each, what they overlap on, and how to combine them in a DFIR timeline.
2026-05-24
- What's the difference between Amcache and AppCompatCache?
Amcache is a richer, appraiser-maintained registry hive with hashes and metadata. AppCompatCache (ShimCache) is a smaller, loader-maintained registry blob with paths and timestamps only.
2026-05-24
- USB and device history from Amcache: InventoryDeviceContainer and InventoryDevicePnp
Amcache's InventoryDeviceContainer and InventoryDevicePnp keys give analysts a clean answer to 'what hardware ever connected to this host?'. A practical guide to USB and peripheral investigations.
2026-05-24
- Amcache timestamps explained: KeyLastWriteTimestamp vs LinkDate vs the rest
A reference for every timestamp Amcache exposes — KeyLastWriteTimestamp, LinkDate, InstallDate, MsiInstallDate, LastModified — what each one means, and which one to pivot on.
2026-05-24
- Amcache registry structure: every key explained
A key-by-key tour of the Amcache.hve registry hive — Root\InventoryApplicationFile, InventoryApplication, InventoryDriverBinary, the legacy Programs and File keys, and what every notable value means.
2026-05-24
- Amcache ProgramId explained: the 44-character application identity
A reference for Amcache's ProgramId — how Windows builds the 44-character identity hash, how to use it to join file records to applications, and how to pivot it across hosts in a hunt.
2026-05-24
- Amcache parsers compared: AmcacheParser CLI, browser tool, Volatility, RegRipper
Side-by-side comparison of the four ways to parse a Windows Amcache.hve hive in 2026 — Eric Zimmerman's AmcacheParser CLI, the browser tool, Volatility 3, and RegRipper.
2026-05-24
- Hunting commodity malware with Amcache
A practical Amcache-first triage playbook for commodity malware on Windows endpoints — the filters that surface attacker tooling, the pivots that confirm execution, and the cross-host queries that scope the incident.
2026-05-24
- Lateral movement and Amcache: ProgramId pivoting across hosts
A single suspicious ProgramId on one host becomes a query you can run against every other host's Amcache. The full lateral-movement scoping playbook with concrete queries.
2026-05-24
- The definitive Amcache.hve forensic reference: every key, every value, every timestamp
A field-by-field, schema-by-schema reference for Windows Amcache.hve — what each Inventory* subkey records, what every timestamp actually means, how the schema evolved from Windows 7 through Windows 11, and what Amcache can and cannot prove in DFIR.
2026-05-24
- Where Amcache.hve is located on disk (and how to collect it)
The exact file paths for Amcache.hve and its transaction logs across Windows versions, plus the right way to collect them for forensic analysis with KAPE, Velociraptor, or manually.
2026-05-24
- Recovering deleted-binary evidence from Amcache
When an attacker deletes a binary, Amcache often preserves its hash, path, publisher, and inventory time. A practical workflow for using Amcache to investigate wiped artefacts.
2026-05-24
- Amcache: the complete Windows .hve forensics reference
Amcache is the Windows registry hive that records every PE binary the appraiser has inventoried, with SHA-1, path, publisher, and inventory time. Full reference.
2026-05-24
- Understanding Amcache for Windows forensics
What Amcache.hve records, why it matters, and how this parser reads it entirely in your browser.
2026-05-10
- Amcache FileId explained: the SHA-1 hash format Windows stores
A deep dive on Amcache's FileId field — why it starts with 0000, why it's a SHA-1 of the first 31 MiB, how to use it for VirusTotal lookups, and the traps that mislead analysts.
2026-05-24