What categories of records does Amcache hold?

PE files (InventoryApplicationFile), installed applications (InventoryApplication), driver binaries (InventoryDriverBinary), connected devices (InventoryDeviceContainer and InventoryDevicePnp), Start-menu shortcuts (InventoryApplicationShortcut), and legacy Programs / File entries from older schema versions.

What fields does each file entry have?

Name, full path, FileId (SHA-1), size, IsPeFile flag, IsOsComponent flag, Publisher, Version, BinFileVersion, ProductName, LinkDate, Language, ProgramId, and a KeyLastWriteTimestamp from registry metadata.

Does Amcache record DLLs?

Yes on Windows 10 build 1709 and later. The InventoryApplicationFile key records both EXEs and DLLs that are classified as PE files.

Does Amcache record scripts (.ps1, .bat, .vbs)?

Generally no. Amcache focuses on PE binaries. Script execution evidence comes from PowerShell operational logs, AMSI, or Sysmon.

How many entries does a typical Amcache contain?

Hundreds to thousands on a typical Windows 10/11 workstation. Developer workstations can exceed 10,000 entries; production servers typically have a few hundred.

What does Amcache.hve contain?

Amcache.hve contains structured inventory records for every PE binary, driver, installed application, and connected device the Windows Compatibility Appraiser has seen on the host. Per record, it stores rich metadata — most importantly the file's SHA-1 hash (of the first 31 MiB), its full path, its publisher and version, and a registry-level last-write timestamp.

The top-level categories#

On a modern Windows 10/11 hive, Root contains:

Key	What it records
`InventoryApplicationFile`	One sub-key per PE binary inventoried.
`InventoryApplication`	One sub-key per installed application.
`InventoryDriverBinary`	One sub-key per driver binary.
`InventoryDeviceContainer`	Friendly-name device records.
`InventoryDevicePnp`	PnP enumeration per interface.
`InventoryApplicationShortcut`	Start menu / pinned shortcuts.
`Programs` (legacy)	Older installed-applications list.
`File` (legacy)	Older per-file catalogue.

For the full key-by-key tour, see Amcache registry structure.

Per-file values#

For each entry in InventoryApplicationFile (the headline key), notable values include:

Name, LowerCaseLongPath — filename and full path.
FileId — "0000" + SHA-1 hex of the first 31 MiB.
Size — file size in bytes.
IsPeFile, IsOsComponent — boolean flags.
Publisher, Version, BinFileVersion, ProductName, ProductVersion, FileVersionString — PE metadata.
LinkDate — PE TimeDateStamp.
Language — PE resource language ID.
ProgramId — application-identity hash (44 chars).
Usn — USN journal entry tied to this inventory.

Plus the registry-level KeyLastWriteTimestamp (the key's own last-write metadata), which is the closest thing Amcache exposes to "when did the appraiser record this?".

What Amcache does not contain#

Process execution history. That is Prefetch, ShimCache, and Sysmon / Security 4688.
Network activity. That is SRUM, EDR, and firewall logs.
Script execution evidence. PowerShell op log, AMSI, Sysmon.
User-authentication history. Security event log (4624 / 4625 / 4648).
File system metadata like creation time. That is the MFT.

Amcache complements those artefacts; it does not replace them.

Reading the hive#

AmcacheParser (Zimmerman) — produces CSV per category.
RegRipper amcache plugin — text report.
This site's browser-based parser — drop a hive on the home page, no install.

For the full reference, see the Amcache complete reference.

What does Amcache.hve contain?

The top-level categories#

Per-file values#

What Amcache does not contain#

Reading the hive#

Related posts