Why is my Amcache.hve empty?
Three common causes, in rough order of likelihood:
1. The Compatibility Appraiser is disabled#
The most common cause on production servers and hardened endpoints. The hive file exists. The scheduled task that writes to it is off. No new entries arrive.
Check:
# Is the task enabled?
Get-ScheduledTask `
-TaskPath '\Microsoft\Windows\Application Experience\' `
-TaskName 'Microsoft Compatibility Appraiser' |
Select State, LastRunTime, LastTaskResult
# Telemetry policy
reg query 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection' /v AllowTelemetrySigns it's disabled:
- Task
State = Disabled. LastRunTimematches the host's install date.AllowTelemetry = 0, especially on Servers.
When the appraiser is disabled, Amcache is not a useful artefact for events after the disablement. Pivot to Sysmon, EDR, the Security event log via EVTX, and the MFT.
2. The host is freshly installed#
A freshly imaged Windows host has a near-empty Amcache because the appraiser hasn't run yet.
- Workstations: first pass usually completes within ~24h of first boot, sometimes during OOBE.
- Servers: first pass may take 2-5 days.
Check the earliest KeyLastWriteTimestamp against the host's install date. If they match and the host is brand new, the hive will populate as the appraiser runs.
3. You're on a Server (especially Server Core)#
Cadences are much slower than workstations:
| Host | Appraiser cadence |
|---|---|
| Workstation (Win 10/11) | ~24 hours |
| Server with Desktop Experience | 2-5 days |
| Server Core | Weekly or longer |
| Hardened Server / DC | Even less |
A Server hive of 5-10 MB after a year is normal, not suspicious. Server Amcache is genuinely sparser because:
- Servers run a stable set of services, not many ad-hoc binaries.
- Few interactive users means few
\Users\paths to inventory. - Driver and device records are stable.
See Amcache on Windows Server for the full server reference.
Less common causes#
Backup or shadow restore#
If the host was restored from a backup or VSS snapshot recently, Amcache reflects the state at snapshot time, not the present. Compare filesystem timestamps on the hive against the host's reported uptime.
Attacker tampering#
Rare. If you suspect deliberate cleanup:
vssadmin list shadowsto enumerate Volume Shadow Copies.- Parse each shadow's
Amcache.hve. - Diff against the live hive.
Entries in shadows but absent from live mean deliberate cleanup. See Can Amcache be cleared by attackers? for the full workflow.
Hive corruption#
Very rare. A partially corrupted hive parses with truncated output. AmcacheParser emits warnings about cell inconsistencies. Read the parse log.
Diagnosis flow#
- Check the scheduled task
StateandLastRunTime. - Disabled? Root cause = appraiser disabled. Pivot.
- Enabled but
LastRunTimeis stale? CheckMicrosoft-Windows-TaskScheduler/Operationalevent log for failure history. - Task running normally? Check host install date.
- Recently installed? Wait and recollect.
- Established host, hive still small? Check
AllowTelemetryand the Server vs Workstation cadence. - Nothing else fits? Enumerate VSS and diff for tampering.
Related#
Related posts
- Where is the Amcache registry key?
Amcache is its own hive file, not a key under HKLM. Loaded on demand by the appraiser. Mounts at HKLM\Amcache when active.
- What does Amcache.hve contain?
Inventory records for every PE, driver, application, and connected device the Compatibility Appraiser has seen. SHA-1, full path, publisher, and timestamps per entry.
- What's a .pf file vs an Amcache entry?
.pf is execution proof with run times. Amcache is presence with hash and metadata. Same binary in both, only one, or neither, and which combination it is matters.
- Is Amcache.hve a log file?
No. It's a registry hive in the same binary format as SYSTEM and NTUSER.DAT. A tree of typed keys, not a flat append-only stream.