Why is my Amcache.hve empty?

Three common causes, in rough order of likelihood:

1. The Compatibility Appraiser is disabled#

The most common cause on production servers and hardened endpoints. The hive file exists. The scheduled task that writes to it is off. No new entries arrive.

Check:

# Is the task enabled?
Get-ScheduledTask `
  -TaskPath '\Microsoft\Windows\Application Experience\' `
  -TaskName 'Microsoft Compatibility Appraiser' |
  Select State, LastRunTime, LastTaskResult
 
# Telemetry policy
reg query 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection' /v AllowTelemetry

Signs it's disabled:

  • Task State = Disabled.
  • LastRunTime matches the host's install date.
  • AllowTelemetry = 0, especially on Servers.

When the appraiser is disabled, Amcache is not a useful artefact for events after the disablement. Pivot to Sysmon, EDR, the Security event log via EVTX, and the MFT.

2. The host is freshly installed#

A freshly imaged Windows host has a near-empty Amcache because the appraiser hasn't run yet.

  • Workstations: first pass usually completes within ~24h of first boot, sometimes during OOBE.
  • Servers: first pass may take 2-5 days.

Check the earliest KeyLastWriteTimestamp against the host's install date. If they match and the host is brand new, the hive will populate as the appraiser runs.

3. You're on a Server (especially Server Core)#

Cadences are much slower than workstations:

Host Appraiser cadence
Workstation (Win 10/11) ~24 hours
Server with Desktop Experience 2-5 days
Server Core Weekly or longer
Hardened Server / DC Even less

A Server hive of 5-10 MB after a year is normal, not suspicious. Server Amcache is genuinely sparser because:

  • Servers run a stable set of services, not many ad-hoc binaries.
  • Few interactive users means few \Users\ paths to inventory.
  • Driver and device records are stable.

See Amcache on Windows Server for the full server reference.

Less common causes#

Backup or shadow restore#

If the host was restored from a backup or VSS snapshot recently, Amcache reflects the state at snapshot time, not the present. Compare filesystem timestamps on the hive against the host's reported uptime.

Attacker tampering#

Rare. If you suspect deliberate cleanup:

  1. vssadmin list shadows to enumerate Volume Shadow Copies.
  2. Parse each shadow's Amcache.hve.
  3. Diff against the live hive.

Entries in shadows but absent from live mean deliberate cleanup. See Can Amcache be cleared by attackers? for the full workflow.

Hive corruption#

Very rare. A partially corrupted hive parses with truncated output. AmcacheParser emits warnings about cell inconsistencies. Read the parse log.

Diagnosis flow#

  1. Check the scheduled task State and LastRunTime.
  2. Disabled? Root cause = appraiser disabled. Pivot.
  3. Enabled but LastRunTime is stale? Check Microsoft-Windows-TaskScheduler/Operational event log for failure history.
  4. Task running normally? Check host install date.
  5. Recently installed? Wait and recollect.
  6. Established host, hive still small? Check AllowTelemetry and the Server vs Workstation cadence.
  7. Nothing else fits? Enumerate VSS and diff for tampering.

Related posts

  • Where is the Amcache registry key?

    Amcache is its own hive file, not a key under HKLM. Loaded on demand by the appraiser. Mounts at HKLM\Amcache when active.

  • What does Amcache.hve contain?

    Inventory records for every PE, driver, application, and connected device the Compatibility Appraiser has seen. SHA-1, full path, publisher, and timestamps per entry.

  • What's a .pf file vs an Amcache entry?

    .pf is execution proof with run times. Amcache is presence with hash and metadata. Same binary in both, only one, or neither, and which combination it is matters.

  • Is Amcache.hve a log file?

    No. It's a registry hive in the same binary format as SYSTEM and NTUSER.DAT. A tree of typed keys, not a flat append-only stream.

Back to all posts