Understanding Amcache for Windows forensics

Amcache.hve is a Windows registry hive that stores metadata about programs that have been present or executed on a system. For digital forensics and incident response it is one of the richest execution-artifact sources.

What this tool does

This parser compiles a Rust registry-hive reader (nt-hive) to WebAssembly. Your Amcache.hve file is read into memory and parsed locally — it is never uploaded to any server.

Categories parsed

  • InventoryApplicationFile — per-file metadata (SHA-1 FileId, paths, version)
  • InventoryApplication — installed applications
  • InventoryDriverBinary — loaded driver binaries
  • InventoryDeviceContainer — connected devices
  • and the remaining Inventory*, legacy File and Programs keys

Drop a hive on the home page to see every value, filter, and export JSON.
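An added example, not part of this parser's code, of post-processing the JSON export: it recovers the SHA-1 from each InventoryApplicationFile FileId (the hive stores it as four zero characters followed by the hash of the file's first 31,457,280 bytes) and groups records by hash so the same binary recorded under several paths stands out. The export layout and the sample records are constructed assumptions; FileId, LowerCaseLongPath and LinkDate are the hive's own value names.

```python
import json
import re
from collections import defaultdict

# Constructed sample: three InventoryApplicationFile records as a JSON export
# might emit them (export layout assumed; value names mirror the hive).
SAMPLE_EXPORT = json.dumps([
    {"FileId": "0000" + "ab" * 20, "LinkDate": "09/15/2018 12:30:00",
     "LowerCaseLongPath": "c:\\windows\\system32\\svchost.exe"},
    {"FileId": "0000" + "AB" * 20, "LinkDate": "09/15/2018 12:30:00",
     "LowerCaseLongPath": "c:\\users\\public\\svchost.exe"},
    {"FileId": "", "LinkDate": "01/02/2020 08:00:00",
     "LowerCaseLongPath": "c:\\program files\\vendor\\tool.exe"},
])

# FileId = four '0' characters + SHA-1 (hex) of the file's first 31,457,280 bytes.
FILE_ID_RE = re.compile(r"^0000([0-9a-f]{40})$")

def load_export(text):
    """Parse the JSON export into a list of record dicts."""
    return json.loads(text)

def normalize_file_id(file_id):
    """Return the 40-hex SHA-1 embedded in an Amcache FileId, or None for a
    missing, empty or malformed value so bad data is never mistaken for a hash."""
    if not isinstance(file_id, str):
        return None
    match = FILE_ID_RE.match(file_id.strip().lower())
    return match.group(1) if match else None

def group_by_sha1(records):
    """Map each SHA-1 to the sorted list of paths it was recorded under;
    entries without a usable FileId are skipped (they cannot be matched by hash)."""
    groups = defaultdict(set)
    for rec in records:
        sha1 = normalize_file_id(rec.get("FileId"))
        if sha1 is not None:
            groups[sha1].add(rec.get("LowerCaseLongPath", "").lower())
    return {h: sorted(paths) for h, paths in groups.items()}

def find_multi_path_hashes(records):
    """Hashes recorded under more than one path: the same binary copied or
    renamed, a useful triage lead (e.g. a system binary's hash in a user dir)."""
    return {h: p for h, p in group_by_sha1(records).items() if len(p) > 1}
```

Records with an empty FileId are common (the appraiser has not hashed every file it inventoried), so keep them for path and timestamp analysis even though they drop out of hash matching.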

Related posts

  • Why is my Amcache.hve empty?

    Three common causes: the Compatibility Appraiser is disabled, the host is freshly imaged, or you're collecting from a Server / Server Core where the appraiser runs much less often.

  • Where is the Amcache registry key?

    Amcache is its own hive file at C:\Windows\AppCompat\Programs\Amcache.hve — not a key under HKLM. When loaded by tools or by Windows itself it mounts as HKLM\Amcache.

  • What does Amcache.hve contain?

    Amcache.hve contains inventory records for every PE binary, driver, and connected device the Windows Compatibility Appraiser has seen — with SHA-1 hashes, paths, publishers, and timestamps.

  • Volatility and Amcache: extracting the hive from memory images

    A practical guide to recovering Amcache from a Windows memory image using Volatility — when memory-side recovery is the only option, which plugins to use, and how to hand off to AmcacheParser.
