What is the file path of Amcache?

C:\Windows\AppCompat\Programs\Amcache.hve on every supported Windows version from Windows 8 onward. The companion transaction logs are Amcache.hve.LOG1 and Amcache.hve.LOG2 in the same directory.

Can I see Amcache in regedit?

Not by default. Amcache is its own hive, not loaded under HKLM at all times. You can manually load it via regedit: File > Load Hive, point at C:\Windows\AppCompat\Programs\Amcache.hve, and choose a mount name. But on a live host the file is held open by the appraiser, so you'll need to copy it first.

What is the top-level key inside Amcache?

Root. Everything is under Root: Root\InventoryApplicationFile (the main key), Root\InventoryApplication, Root\InventoryDriverBinary, Root\InventoryDeviceContainer, Root\InventoryDevicePnp, Root\InventoryApplicationShortcut, plus the legacy Root\Programs and Root\File from older Windows.

Where did Amcache live before Windows 8?

It didn't. Windows 7 / Server 2008 R2 used RecentFileCache.bcf, a flat binary file at C:\Windows\AppCompat\Programs\RecentFileCache.bcf — not a registry hive.

How do I list the keys in Amcache without parsing the whole thing?

Use AmcacheParser with --debug to see the keys it walks, or use reg.exe after loading the hive: reg load HKLM\TempAmcache 'C:\copy of Amcache.hve' && reg query HKLM\TempAmcache\Root. Don't forget to reg unload afterwards.

Where is the Amcache registry key?

Amcache is its own standalone hive file, not a key under one of the standard HKLM hives. The file lives at:

C:\Windows\AppCompat\Programs\Amcache.hve
C:\Windows\AppCompat\Programs\Amcache.hve.LOG1
C:\Windows\AppCompat\Programs\Amcache.hve.LOG2

When the Compatibility Appraiser loads the hive (or when you manually load it with reg.exe), the contents mount under HKLM\Amcache with these notable sub-keys:

Root\
├── InventoryApplicationFile     ← the headline key
├── InventoryApplication
├── InventoryDriverBinary
├── InventoryDeviceContainer
├── InventoryDevicePnp
├── InventoryApplicationShortcut
├── Programs   (legacy)
└── File       (legacy)

For the full key-by-key tour, see Amcache registry structure.

Why it's not in HKLM by default#

Amcache is one of several "lazy-mounted" hives — Windows loads it on demand when the appraiser needs it, and unloads it afterwards. This is the same pattern as per-user NTUSER.DAT hives: they only mount when the user is logged on.

On a running system you can see whether Amcache is currently loaded with:

Get-ChildItem HKLM:\ | Where-Object Name -like '*Amcache*'

If the appraiser is mid-run, you may see HKLM\Amcache listed. Most of the time the hive is unloaded and the file is closed.

Manually loading the hive#

To inspect the hive in regedit or reg.exe:

# 1. Copy the live hive to a working directory (file is locked while loaded)
Copy-Item 'C:\Windows\AppCompat\Programs\Amcache.hve' 'C:\Triage\' -Force
 
# 2. Load the copy into a temporary mount point
reg load HKLM\TempAmcache 'C:\Triage\Amcache.hve'
 
# 3. Query
reg query HKLM\TempAmcache\Root
reg query HKLM\TempAmcache\Root\InventoryApplicationFile
 
# 4. Always unload when done
reg unload HKLM\TempAmcache

For most DFIR purposes, use AmcacheParser instead — it parses the hive directly without needing to load it, produces structured CSVs, and handles transaction logs automatically.

Where Amcache.hve is on disk — the per-version path reference + collection workflow.
Amcache registry structure — every key inside the hive.
AmcacheParser complete guide — the canonical parser.

Where is the Amcache registry key?

Why it's not in HKLM by default#

Manually loading the hive#

Related#

Related posts