Amcache.hve
The Amcache hive stores metadata regarding executables/installed programs present on an endpoint. Typically, only those that have been executed (or executables associated with installed software) will appear in this registry hive. This artifact has seen numerous revisions, and it is therefore important to first gather information regarding the specific version of Windows that you are analyzing before proceeding with Amcache analysis.
Analysis Value
pageEvidence of ExecutionpageFile HashpageFile PathOperating System Availability
| Major Version | Support | Major Version | Support |
|---|---|---|---|
Windows 11 | ✅ | Server 2019 | ✅ |
Windows 10 | ✅ | Server 2016 | ✅ |
Windows 8 | ✅ | Server 2012 | ✅ |
Windows 7 | ⚠️ | Server 2008 | ⚠️ |
Windows Vista | ❌ | Server 2003 | ❌ |
Windows XP | ❌ |
Windows 7 requires update KB2952664 for the Amcache hive to be present. Amcache is available on Windows Server starting from Windows Server 2008 R2.
Artifact Location(s)
%SystemRoot%\AppCompat\Programs\Amcache.hve
Additional LOG files:
%SystemRoot%\AppCompat\Programs\Amcache.hve.*LOG1%SystemRoot%\AppCompat\Programs\Amcache.hve.*LOG2
Artifact Parsers
amcacheparser.exe (Eric Zimmerman)
RegistryExplorer (Eric Zimmerman)
Artifact Interpretation
Within the Amcache hive there are multiple registry keys, each containing different information. The most common keys to analyze are:
InventoryApplication
InventoryApplicationFile
InventoryDriverBinary
InventoryApplicationShortcut
InventoryApplication (Windows 10 Build 10.0.14393 +)
The InventoryApplication key stores information about installed software on the system. This key contains a value named LastScanTime that corresponds to the last time the Microsoft Compatibility Appraiser has run. This is a scheduled task that executes the compattelrunner.exe binary. The information contained in this key should only be updated when this task is executed. Software installed since this task has last run may not appear in this key! This value is in Windows FileTime format.
This key contains subkeys for each installed software, the key names being the software's ProgramId. It contains the following values of interest:
| Value | Description |
|---|---|
ProgramId | The installed software's ProgramId |
Name | Name of the installed software |
Version | Version of the installed software |
Publisher | The installed software's publisher |
Source |
|
InstallDate | The date the software was installed. This seems to only populate for AddRemoveProgram/Msi software installations |
RootDirPath | The path to the root directory of the software |
RegistryKeyPath | The path to the |
The Source value can give information regarding how software was installed on the system:
AddRemoveProgram: Software installed via an executable
Msi: Software installed via a .msi file using the Windows Installer service
AppXPackage: Software installed via the Windows Store of the
Get-AppxPackagePowerShell command
InventoryApplicationFile (Windows 10 Build 10.0.14393 +)
This registry key contains information about the executables tied to installed software, as well as executables that have run on the system. A single software installation may drop multiple executables to a system, and they should all be tracked here. Like the InventoryApplication key, this key also only updates when the Microsoft Compatibility Appraiser task has run.
The subkeys will contain the executable name, and a hash separated by a | character. The most interesting values to analyze within this key are:
| Value | Description |
|---|---|
ProgramId | The ProgramId that this executable is tied to, which can be found in |
FileId | Stripping the four leading 0s, the SHA-1 hash of the executable |
LowerCaseLongPath | The path to the executable |
Name | The filename of the executable |
BinaryType | 32/64bit indicator |
Size | The size, in bytes, of the executable |
There is a limit to the size of the data that gets hashed to produce this artifact's SHA-1 hash in the FileId value. If the size of the binary exceeds approximately 30MB in size, only the first 30MB will be hashed. The result is that the SHA-1 hash will not be valid for that binary.
Example
Installing a new software, CrystalDiskMark on a system and manually running compattelrunner.exe updated the Amcache Hive with the following key (named 00001d78ebb0f68947e39952c24983d564390000ffff) under InventoryApplication:
This example was produced on Windows 10, Version 10.0.19044 Build 19044
The software was installed via an executable, leading the Source value to be AddRemoveProgram. Note the ProgramId value of 00001d78ebb0f68947e39952c24983d564390000ffff.
Additionally, several keys were created under InventoryApplicationFile, one example (diskmark32.exe|51ddc7c2637fbb8d):
This example was produced on Windows 10, Version 10.0.19044 Build 19044
From this example, we can see that the ProgramId between the two Amcache keys correspond to each other.
Last updated