Where is the Amcache registry key?
Amcache is its own standalone hive file, not a key under HKLM. The file lives at:
C:\Windows\AppCompat\Programs\Amcache.hve
C:\Windows\AppCompat\Programs\Amcache.hve.LOG1
C:\Windows\AppCompat\Programs\Amcache.hve.LOG2
When the Compatibility Appraiser loads it (or when you load it yourself with reg load), the contents mount under HKLM\Amcache with:
Root\
├── InventoryApplicationFile <- the headline key
├── InventoryApplication
├── InventoryDriverBinary
├── InventoryDeviceContainer
├── InventoryDevicePnp
├── InventoryApplicationShortcut
├── Programs (legacy)
└── File (legacy)
For the full key-by-key tour, see Amcache registry structure.
Why it isn't in HKLM by default#
Amcache is a lazy-mounted hive. Windows loads it when the appraiser needs it and unloads it afterwards. Same pattern as per-user NTUSER.DAT hives: only mounted when the user is logged on.
You can see whether Amcache is currently loaded with:
Get-ChildItem HKLM:\ | Where-Object Name -like '*Amcache*'Mid-appraiser-run you may see HKLM\Amcache listed. Most of the time the hive is unloaded and the file is closed.
Manually loading the hive#
If you want to walk it in regedit or reg.exe:
# Copy the live hive (file is locked while loaded)
Copy-Item 'C:\Windows\AppCompat\Programs\Amcache.hve' 'C:\Triage\' -Force
# Load the copy
reg load HKLM\TempAmcache 'C:\Triage\Amcache.hve'
# Query
reg query HKLM\TempAmcache\Root
reg query HKLM\TempAmcache\Root\InventoryApplicationFile
# Always unload
reg unload HKLM\TempAmcacheFor real DFIR work, use AmcacheParser instead. It parses the hive directly without needing to load it under HKLM, replays the transaction logs automatically, and produces structured CSVs. reg.exe is fine for ad-hoc spelunking. It is not fine for actual analysis.
Related#
Related posts
- Why is my Amcache.hve empty?
Three causes in order of frequency: appraiser disabled, host freshly imaged, or you're on a Server where the cadence is naturally slow. Tampering is a distant fourth.
- What does Amcache.hve contain?
Inventory records for every PE, driver, application, and connected device the Compatibility Appraiser has seen. SHA-1, full path, publisher, and timestamps per entry.
- What's a .pf file vs an Amcache entry?
.pf is execution proof with run times. Amcache is presence with hash and metadata. Same binary in both, only one, or neither, and which combination it is matters.
- Is Amcache.hve a log file?
No. It's a registry hive in the same binary format as SYSTEM and NTUSER.DAT. A tree of typed keys, not a flat append-only stream.