Posts tagged "glossary"
- What is SRUM (SRUDB.dat)? (glossary)
SRUM is the Windows System Resource Usage Monitor — an ESE database recording per-application CPU, network, and I/O usage in one-hour buckets over the last 30-60 days.
2026-05-24
- What is ShimCache (AppCompatCache)? (glossary)
ShimCache is a kernel-maintained cache in the SYSTEM registry hive recording up to 1024 binaries the Windows loader has touched. It is distinct from Amcache.
2026-05-24
- What is Amcache ProgramId? (glossary)
ProgramId is the 44-character application-identity hash Amcache assigns to each logical application. The same ProgramId on different hosts means the same application install.
2026-05-24
- What is Windows Prefetch? (glossary)
Prefetch is the Windows folder of .pf files recording every binary execution, with up to 8-10 run timestamps per binary and the files each one loaded. It is the strongest Windows execution evidence.
2026-05-24
- What is LinkDate in Amcache? (glossary)
LinkDate is the PE header TimeDateStamp Amcache records — when the binary was compiled or linked, not when it appeared on the host.
2026-05-24
- What is KeyLastWriteTimestamp in Amcache? (glossary)
KeyLastWriteTimestamp is the registry-level last-write time of an Amcache entry — the closest thing Amcache exposes to 'when the appraiser recorded this file'.
2026-05-24
- What is Root\InventoryApplicationFile? (glossary)
InventoryApplicationFile is the headline Amcache registry key — one sub-key per PE binary inventoried by the appraiser, with path, SHA-1, publisher, link date, and timestamps.
2026-05-24
- What is Amcache FileId? (glossary)
FileId is the 41-character identifier Amcache stores for each file — '0000' + the SHA-1 hex of the first 31 MiB of the file.
2026-05-24
- What is DFIR triage? (glossary)
DFIR triage is the rapid first-pass examination of a host suspected of compromise, to confirm or rule out a compromise within minutes. Amcache is one of the fastest triage artefacts on Windows.
2026-05-24
- What is the Compatibility Appraiser? (glossary)
The Microsoft Compatibility Appraiser is the Windows scheduled task that inventories installed software and writes the records into Amcache.hve.
2026-05-24
- What is BYOVD (Bring-Your-Own-Vulnerable-Driver)? (glossary)
BYOVD is the attacker technique of dropping a legitimately signed but exploitable kernel driver to gain kernel-mode execution. Amcache's InventoryDriverBinary records every loaded driver.
2026-05-24
- What is Amcache.hve? (glossary)
Amcache.hve is the Windows registry hive that records every PE binary the Compatibility Appraiser inventoried on the host, with hash, path, and inventory time.
2026-05-24