Understanding Amcache for Windows forensics

Amcache.hve is the Windows registry hive the Compatibility Appraiser writes inventory metadata into for every PE binary it sees on the host. SHA-1 of the first 31 MiB, full path, publisher, link date, and a key write time per entry. One of the richest single Windows DFIR artefacts.

It is the hive you reach for when you need to know "was this binary ever on this host, and what was it?" without having the binary itself.

What this tool does#

This parser compiles a Rust registry-hive reader (nt-hive) to WebAssembly. Your Amcache.hve is read into memory and parsed in your browser. It is never uploaded.

That matters when the hive came from a regulated environment that does not allow file uploads to third-party services, or when you just want a fast look without standing up the full DFIR toolchain.

Categories parsed#

  • InventoryApplicationFile: per-file metadata (SHA-1 FileId, paths, version).
  • InventoryApplication: installed applications.
  • InventoryDriverBinary: loaded driver binaries.
  • InventoryDeviceContainer: connected devices.
  • The remaining Inventory* keys, plus the legacy File and Programs keys for older Windows builds.

Drop a hive on the home page to see every value, filter, and export to JSON or CSV.

For the long-form reference, see the Amcache complete reference. For comparisons with neighbouring artefacts, see Amcache vs Prefetch, Amcache vs Shimcache, and Amcache vs SRUM.

Further reading#

Related posts

Back to all posts