Amcache.hve
Last updated
Last updated
The Amcache hive stores metadata regarding executables/installed programs present on an endpoint. Typically, only those that have been executed (or executables associated with installed software) will appear in this registry hive. This artifact has seen numerous revisions, and it is therefore important to first gather information regarding the specific version of Windows that you are analyzing before proceeding with Amcache analysis.
Windows 11
✅
Server 2019
✅
Windows 10
✅
Server 2016
✅
Windows 8
✅
Server 2012
✅
Windows 7
⚠️
Server 2008
⚠️
Windows Vista
❌
Server 2003
❌
Windows XP
❌
Windows 7 requires update KB2952664 for the Amcache hive to be present. Amcache is available on Windows Server starting from Windows Server 2008 R2.
%SystemRoot%\AppCompat\Programs\Amcache.hve
Additional LOG files:
%SystemRoot%\AppCompat\Programs\Amcache.hve.*LOG1
%SystemRoot%\AppCompat\Programs\Amcache.hve.*LOG2
amcacheparser.exe (Eric Zimmerman)
RegistryExplorer (Eric Zimmerman)
Within the Amcache hive there are multiple registry keys, each containing different information. The most common keys to analyze are:
InventoryApplication
InventoryApplicationFile
InventoryDriverBinary
InventoryApplicationShortcut
The InventoryApplication key stores information about installed software on the system. This key contains a value named LastScanTime that corresponds to the last time the Microsoft Compatibility Appraiser has run. This is a scheduled task that executes the compattelrunner.exe binary. The information contained in this key should only be updated when this task is executed. Software installed since this task has last run may not appear in this key! This value is in Windows FileTime format.
This key contains subkeys for each installed software, the key names being the software's ProgramId. It contains the following values of interest:
ProgramId
The installed software's ProgramId
Name
Name of the installed software
Version
Version of the installed software
Publisher
The installed software's publisher
Source
AddRemoveProgram or Msi or File or AppXPackage
InstallDate
The date the software was installed. This seems to only populate for AddRemoveProgram/Msi software installations
RootDirPath
The path to the root directory of the software
RegistryKeyPath
The path to the Uninstall registry key in the SOFTWARE hive
The Source value can give information regarding how software was installed on the system:
AddRemoveProgram: Software installed via an executable
Msi: Software installed via a .msi file using the Windows Installer service
AppXPackage: Software installed via the Windows Store of the Get-AppxPackage PowerShell command
This registry key contains information about the executables tied to installed software, as well as executables that have run on the system. A single software installation may drop multiple executables to a system, and they should all be tracked here. Like the InventoryApplication key, this key also only updates when the Microsoft Compatibility Appraiser task has run.
The subkeys will contain the executable name, and a hash separated by a | character. The most interesting values to analyze within this key are:
ProgramId
The ProgramId that this executable is tied to, which can be found in InventoryApplication. If the executable was not installed as part of a software installation, this ProgramId will not be found in InventoryApplication
FileId
Stripping the four leading 0s, the SHA-1 hash of the executable
LowerCaseLongPath
The path to the executable
Name
The filename of the executable
BinaryType
32/64bit indicator
Size
The size, in bytes, of the executable
There is a limit to the size of the data that gets hashed to produce this artifact's SHA-1 hash in the FileId value. If the size of the binary exceeds approximately 30MB in size, only the first 30MB will be hashed. The result is that the SHA-1 hash will not be valid for that binary.
Installing a new software, CrystalDiskMark on a system and manually running compattelrunner.exe updated the Amcache Hive with the following key (named 00001d78ebb0f68947e39952c24983d564390000ffff) under InventoryApplication:
This example was produced on Windows 10, Version 10.0.19044 Build 19044
The software was installed via an executable, leading the Source value to be AddRemoveProgram. Note the ProgramId value of 00001d78ebb0f68947e39952c24983d564390000ffff.
Additionally, several keys were created under InventoryApplicationFile, one example (diskmark32.exe|51ddc7c2637fbb8d):
This example was produced on Windows 10, Version 10.0.19044 Build 19044
From this example, we can see that the ProgramId between the two Amcache keys correspond to each other.