Understanding Amcache for Windows forensics
Amcache.hve is the Windows registry hive the Compatibility Appraiser writes inventory metadata into for every PE binary it sees on the host. SHA-1 of the first 31 MiB, full path, publisher, link date, and a key write time per entry. One of the richest single Windows DFIR artefacts.
It is the hive you reach for when you need to know "was this binary ever on this host, and what was it?" without having the binary itself.
What this tool does#
This parser compiles a Rust registry-hive reader (nt-hive) to WebAssembly. Your Amcache.hve is read into memory and parsed in your browser. It is never uploaded.
That matters when the hive came from a regulated environment that does not allow file uploads to third-party services, or when you just want a fast look without standing up the full DFIR toolchain.
Categories parsed#
InventoryApplicationFile: per-file metadata (SHA-1FileId, paths, version).InventoryApplication: installed applications.InventoryDriverBinary: loaded driver binaries.InventoryDeviceContainer: connected devices.- The remaining
Inventory*keys, plus the legacyFileandProgramskeys for older Windows builds.
Drop a hive on the home page to see every value, filter, and export to JSON or CSV.
For the long-form reference, see the Amcache complete reference. For comparisons with neighbouring artefacts, see Amcache vs Prefetch, Amcache vs Shimcache, and Amcache vs SRUM.
Further reading#
- Yogesh Khatri, Amcache.hve in Windows 8 is a goldmine for malware hunters. The canonical reverse engineering.
- Eric Zimmerman's AmcacheParser. The de facto industry-standard offline tool.
Related posts
- Why is my Amcache.hve empty?
Three causes in order of frequency: appraiser disabled, host freshly imaged, or you're on a Server where the cadence is naturally slow. Tampering is a distant fourth.
- Where is the Amcache registry key?
Amcache is its own hive file, not a key under HKLM. Loaded on demand by the appraiser. Mounts at HKLM\Amcache when active.
- What does Amcache.hve contain?
Inventory records for every PE, driver, application, and connected device the Compatibility Appraiser has seen. SHA-1, full path, publisher, and timestamps per entry.
- Volatility and Amcache: extracting the hive from memory images
When you only have a RAM dump, Volatility extracts the in-memory copy of Amcache.hve. Hand off to AmcacheParser. The cases where this is the only option.