Posts tagged "qa"

• Why is my Amcache.hve empty?

  Three common causes: the Compatibility Appraiser is disabled, the host is freshly imaged, or you're collecting from a Server / Server Core where the appraiser runs much less often.

  2026-05-24

• Who created AmcacheParser?

  Eric Zimmerman, a former FBI special agent and current Senior Director at Kroll, created AmcacheParser as part of his open-source DFIR tool suite.

  2026-05-24

• Where is the Amcache registry key?

  Amcache is its own hive file at C:\Windows\AppCompat\Programs\Amcache.hve — not a key under HKLM. When loaded by tools or by Windows itself it mounts as HKLM\Amcache.

  2026-05-24

• What does Amcache.hve contain?

  Amcache.hve contains inventory records for every PE binary, driver, and connected device the Windows Compatibility Appraiser has seen — with SHA-1 hashes, paths, publishers, and timestamps.

  2026-05-24

• What's a .pf file vs an Amcache entry?

  .pf files are Windows Prefetch records — proof a binary executed, with run timestamps and loaded-files lists. Amcache entries record presence, with the SHA-1 hash and metadata.

  2026-05-24

• Is AmcacheParser free?

  Yes. AmcacheParser is free for any use including commercial DFIR work, published under a permissive license by Eric Zimmerman.

  2026-05-24

• Is Amcache.hve a log file?

  No. Amcache.hve is a Windows registry hive — a structured key-value tree in the same binary format as SYSTEM and NTUSER.DAT — not a flat log.

  2026-05-24

• How do I read Amcache.hve on Linux or macOS?

  Three options: dotnet AmcacheParser.dll with the .NET runtime, this site's browser-based parser (zero install), or any libhivex-based tool. None of them require Windows.

  2026-05-24

• How often is Amcache updated?

  The Compatibility Appraiser updates Amcache.hve roughly daily on Windows 10/11 workstations, every 2-5 days on servers, and weekly or longer on Server Core.

  2026-05-24

• Does Amcache record DLLs?

  Yes — on Windows 10 build 1709 and later, Amcache records DLLs alongside EXEs in InventoryApplicationFile. Pre-1709 hives may not.

  2026-05-24

• Can Amcache be cleared by attackers?

  Yes — an attacker with admin rights can edit or delete Amcache.hve, but the cleanup is detectable: Volume Shadow Copies, transaction logs, and the appraiser's own log usually preserve the prior state.

  2026-05-24

• What's the difference between Amcache and AppCompatCache?

  Amcache is a richer, appraiser-maintained registry hive with hashes and metadata. AppCompatCache (ShimCache) is a smaller, loader-maintained registry blob with paths and timestamps only.

  2026-05-24