What does Amcache.hve contain?
Amcache.hve contains structured inventory records for every PE binary, driver, installed application, and connected device the Compatibility Appraiser has seen on the host. Each record carries rich metadata: the file's SHA-1 (of the first 31 MiB), its full path, publisher, version, and a registry-level last-write timestamp.
It is one of four Windows DFIR foundations. The other three are Prefetch, Shimcache, and the Security event log via EVTX. Amcache is the only one that consistently survives binary deletion with the hash intact.
Top-level categories#
On a modern Windows 10/11 hive, Root contains:
| Key | Records |
|---|---|
InventoryApplicationFile |
One sub-key per PE binary inventoried. |
InventoryApplication |
One sub-key per installed application. |
InventoryDriverBinary |
One sub-key per driver binary. |
InventoryDeviceContainer |
Friendly-name device records. |
InventoryDevicePnp |
PnP enumeration, one per interface. |
InventoryApplicationShortcut |
Start menu / pinned shortcuts (paired with LNK analysis). |
Programs (legacy) |
Older installed-applications list. |
File (legacy) |
Older per-file catalogue. |
For the full key-by-key tour, see Amcache registry structure.
Per-file values#
For each entry in InventoryApplicationFile, the values you actually use:
Name,LowerCaseLongPath: filename and full path.FileId:"0000"+ SHA-1 hex of the first 31 MiB.Size: file size in bytes.IsPeFile,IsOsComponent: boolean flags.Publisher,Version,BinFileVersion,ProductName,ProductVersion,FileVersionString: PE metadata.LinkDate: PETimeDateStamp.Language: PE resource language ID.ProgramId: 44-character application identity.Usn: USN journal entry tied to this inventory.
Plus the registry-level KeyLastWriteTimestamp, the key's own last-write metadata, which is the closest thing Amcache gives you to "when did the appraiser record this?".
What Amcache does not contain#
- Process execution. That's Prefetch, Shimcache, Sysmon
1, Security4688. - Network activity. That's SRUM, EDR, firewall logs.
- Script execution. PowerShell operational log, AMSI, Sysmon.
- Authentication. Security event log (
4624,4625,4648). - Filesystem metadata like creation time. That's the MFT.
Amcache complements those artefacts. It does not replace them.
How to read it#
- AmcacheParser (Zimmerman): CSV per category.
- RegRipper amcache plugin: text report.
- Browser parser on this site: drop the hive on the home page.
For the long-form reference, see the Amcache complete reference.
Related posts
- Why is my Amcache.hve empty?
Three causes in order of frequency: appraiser disabled, host freshly imaged, or you're on a Server where the cadence is naturally slow. Tampering is a distant fourth.
- Where is the Amcache registry key?
Amcache is its own hive file, not a key under HKLM. Loaded on demand by the appraiser. Mounts at HKLM\Amcache when active.
- What's a .pf file vs an Amcache entry?
.pf is execution proof with run times. Amcache is presence with hash and metadata. Same binary in both, only one, or neither, and which combination it is matters.
- Is Amcache.hve a log file?
No. It's a registry hive in the same binary format as SYSTEM and NTUSER.DAT. A tree of typed keys, not a flat append-only stream.