How do I check if the Compatibility Appraiser is enabled?

Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' -TaskName 'Microsoft Compatibility Appraiser' from elevated PowerShell. Check both the State (should be Ready or Running) and LastRunTime (should be within the expected cadence).

How do I check if telemetry is disabled by policy?

reg query 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection' /v AllowTelemetry. A value of 0 disables CEIP-derived components including the Compatibility Appraiser in many builds.

Why is Amcache empty on a fresh image?

Freshly imaged Windows hosts have a near-empty Amcache because the appraiser hasn't run yet. Wait 24 hours of normal use on a workstation, or several days on a server, and the hive will populate.

Why is my Server's Amcache so small?

Servers run the appraiser less frequently than workstations (typical: every 2-5 days for Server with Desktop Experience; weekly or longer for Server Core). Less interactive activity also means fewer inventory entries. A Server hive of 5-10 MB after a year is normal.

Could an attacker have emptied Amcache?

Possibly — but uncommon. Most attackers don't bother. If you suspect tampering, parse all Volume Shadow Copies' versions of the hive and diff against the live hive. Entries present in shadows but absent from live are evidence of deliberate cleanup.

Why is my Amcache.hve empty or sparse?

Three common causes. (1) The Compatibility Appraiser scheduled task is disabled — by Group Policy (AllowTelemetry=0), by build configuration, or by manual disablement. The hive exists but the appraiser stops writing to it. (2) The host is freshly installed or imaged within the last 24 hours and the appraiser hasn't run yet. (3) You're collecting from a Server (especially Server Core) where the appraiser runs every several days or weeks rather than daily. Check the scheduled task's LastRunTime, the AllowTelemetry registry value, and the hive's KeyLastWriteTimestamp distribution to diagnose which case you're in.

Why is my Amcache.hve empty?

Three common causes, in rough order of likelihood:

1. The Compatibility Appraiser is disabled#

This is the most common cause on production servers and hardened endpoints. The hive file exists, but the scheduled task that writes to it is disabled, so no new entries are being added.

How to check:

# Is the task enabled?
Get-ScheduledTask `
  -TaskPath '\Microsoft\Windows\Application Experience\' `
  -TaskName 'Microsoft Compatibility Appraiser' |
  Select-Object State, LastRunTime, LastTaskResult
 
# Is telemetry disabled by GPO?
reg query 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection' /v AllowTelemetry

Signs the appraiser is disabled:

Task State = Disabled.
LastRunTime matches the host's install date or a long-ago date.
AllowTelemetry = 0 (especially on Servers).

If the appraiser is intentionally disabled, Amcache is not a useful artefact for events after the disablement. Pivot to Sysmon, EDR, Security event log, MFT.

2. The host is freshly installed#

A freshly-imaged Windows host has a near-empty Amcache because the appraiser hasn't run yet.

Workstations: the first appraiser pass typically completes within 24 hours of first boot, sometimes during the initial out-of-box experience.

Servers: first appraiser pass may take 2-5 days.

Check the hive's smallest KeyLastWriteTimestamp against the host's install date. If they match and the host is brand new, the hive will populate as the appraiser runs.

3. You're collecting from a Server (especially Server Core)#

Server cadences are much slower than workstations:

Host type	Appraiser cadence
Workstation (Windows 10/11)	~24 hours
Server with Desktop Experience	2-5 days
Server Core	Weekly or longer
Hardened Server / DC	Even less

A Server hive of 5-10 MB after a year of operation is normal, not suspicious. Server Amcache is genuinely sparser because:

Servers run a stable set of services, not many ad-hoc binaries.
Few interactive users mean few \Users\ paths to inventory.
Driver and device records are stable.

See Amcache on Windows Server for the full server reference.

Less common causes#

Volume Shadow Copy or backup retention#

If the host has been restored from a backup or VSS snapshot recently, Amcache reflects the state at the time of the snapshot, not the present. Check filesystem timestamps on the hive file itself against the host's reported uptime.

Attacker tampering#

Rare. If you suspect deliberate cleanup:

Enumerate Volume Shadow Copies — vssadmin list shadows.
Parse each shadow's Amcache.hve.
Diff against the live hive.

Entries in shadows but absent from live = evidence of deliberate cleanup. See Can Amcache be cleared by attackers?.

Hive corruption#

Very rare. A partially-corrupted hive can parse with truncated output. AmcacheParser typically emits warnings about cell inconsistencies if this is happening. Check the parse log for warnings.

Diagnosis flowchart#

Check the scheduled task State and LastRunTime.
If disabled → root cause = appraiser disabled. Pivot to other artefacts.
If enabled but LastRunTime is stale → check task history in Event Viewer (Microsoft-Windows-TaskScheduler/Operational) for failures.
If task is running normally → check host install date.
If host is recently installed → wait and recollect.
If host is established and hive is still small → check AllowTelemetry and Server vs Workstation cadence.
If none apply and the hive should have rich data → enumerate VSS, diff for tampering.