What does Amcache.hve contain?

Amcache.hve contains structured inventory records for every PE binary, driver, installed application, and connected device the Compatibility Appraiser has seen on the host. Each record carries rich metadata: the file's SHA-1 (of the first 31 MiB), its full path, publisher, version, and a registry-level last-write timestamp.

It is one of four Windows DFIR foundations. The other three are Prefetch, Shimcache, and the Security event log via EVTX. Amcache is the only one that consistently survives binary deletion with the hash intact.

Top-level categories#

On a modern Windows 10/11 hive, Root contains:

Key Records
InventoryApplicationFile One sub-key per PE binary inventoried.
InventoryApplication One sub-key per installed application.
InventoryDriverBinary One sub-key per driver binary.
InventoryDeviceContainer Friendly-name device records.
InventoryDevicePnp PnP enumeration, one per interface.
InventoryApplicationShortcut Start menu / pinned shortcuts (paired with LNK analysis).
Programs (legacy) Older installed-applications list.
File (legacy) Older per-file catalogue.

For the full key-by-key tour, see Amcache registry structure.

Per-file values#

For each entry in InventoryApplicationFile, the values you actually use:

  • Name, LowerCaseLongPath: filename and full path.
  • FileId: "0000" + SHA-1 hex of the first 31 MiB.
  • Size: file size in bytes.
  • IsPeFile, IsOsComponent: boolean flags.
  • Publisher, Version, BinFileVersion, ProductName, ProductVersion, FileVersionString: PE metadata.
  • LinkDate: PE TimeDateStamp.
  • Language: PE resource language ID.
  • ProgramId: 44-character application identity.
  • Usn: USN journal entry tied to this inventory.

Plus the registry-level KeyLastWriteTimestamp, the key's own last-write metadata, which is the closest thing Amcache gives you to "when did the appraiser record this?".

What Amcache does not contain#

  • Process execution. That's Prefetch, Shimcache, Sysmon 1, Security 4688.
  • Network activity. That's SRUM, EDR, firewall logs.
  • Script execution. PowerShell operational log, AMSI, Sysmon.
  • Authentication. Security event log (4624, 4625, 4648).
  • Filesystem metadata like creation time. That's the MFT.

Amcache complements those artefacts. It does not replace them.

How to read it#

  • AmcacheParser (Zimmerman): CSV per category.
  • RegRipper amcache plugin: text report.
  • Browser parser on this site: drop the hive on the home page.

For the long-form reference, see the Amcache complete reference.

Related posts

  • Why is my Amcache.hve empty?

    Three causes in order of frequency: appraiser disabled, host freshly imaged, or you're on a Server where the cadence is naturally slow. Tampering is a distant fourth.

  • Where is the Amcache registry key?

    Amcache is its own hive file, not a key under HKLM. Loaded on demand by the appraiser. Mounts at HKLM\Amcache when active.

  • What's a .pf file vs an Amcache entry?

    .pf is execution proof with run times. Amcache is presence with hash and metadata. Same binary in both, only one, or neither, and which combination it is matters.

  • Is Amcache.hve a log file?

    No. It's a registry hive in the same binary format as SYSTEM and NTUSER.DAT. A tree of typed keys, not a flat append-only stream.

Back to all posts