Amcache

Overview

Evidence: Amcache
Description: Collect Amcache and Parse
Category: Process Execution
Platform: Windows
Short Name: amc
Is Parsed: Yes - Registry hive is parsed into structured tables
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Amcache.hve is a registry hive maintained by the Windows Application Compatibility infrastructure. It records information about executed programs, installed applications, device drivers, and application shortcuts.

Amcache provides historical evidence of program execution and can contain information about programs that have been deleted. The format changed significantly between Windows 7/8 (old format with Root\File and Root\Programs keys) and Windows 10 (new format with Root\InventoryApplication* keys).

Data Collected

New Format (Windows 10+)

InventoryApplication

| Field | Description | Example |
| --- | --- | --- |
| ProgramID | Program identifier | 00001234567890abcdef |
| ProgramName | Application name | Google Chrome |
| Version | Application version | 118.0.5993.89 |
| Publisher | Software publisher | Google LLC |
| RootDirPath | Installation directory | C:\Program Files\Google\Chrome |
| InstallDate | Installation date | 2023-10-01T10:00:00 |
| KeyLastWriteTime | Registry key modification time | 2023-10-15T14:30:00 |
| PackageFullName | UWP package name | |
| InstallSourceType | Installation source | 2 |
| MSIProductCode | MSI product code GUID | {12345678-1234-1234-1234-123456789ABC} |
| MSIPackageCode | MSI package code GUID | {12345678-1234-1234-1234-123456789ABC} |
| UninstallKey | Uninstall registry key | SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall... |
| UninstallString | Uninstall command | "C:\Program Files\App\uninstall.exe" |

InventoryApplicationFile

| Field | Description | Example |
| --- | --- | --- |
| ProgramID | Associated program ID | 00001234567890abcdef |
| FileID | File identifier (SHA1) | a1b2c3d4e5f6... |
| ProductName | Product name from file metadata | Google Chrome |
| ProductVersion | Product version | 118.0.5993.89 |
| Name | File name | chrome.exe |
| FilePath | Lowercase long path | c:\program files\google\chrome\application\chrome.exe |
| OriginalFileName | Original file name from PE header | chrome.exe |
| SHA1 | SHA1 hash | a1b2c3d4e5f6... |
| Publisher | Publisher name | Google LLC |
| FileSize | File size in bytes | 3145728 |
| USN | Update Sequence Number | 123456789 |
| IsOsComponent | Whether file is an OS component | FALSE |
| KeyLastWriteTime | Registry key modification time | 2023-10-15T14:30:00 |

InventoryApplicationShortcut

| Field | Description | Example |
| --- | --- | --- |
| KeyName | Registry key name | chrome.lnk |
| LNKPath | Path to shortcut file | C:\Users\user\Desktop\Chrome.lnk |
| KeyLastWriteTime | Registry key modification time | 2023-10-15T14:30:00 |

InventoryDevicePnp

| Field | Description | Example |
| --- | --- | --- |
| KeyName | Device identifier | USB\VID_1234&PID_5678 |
| Class | Device class | USB |
| Description | Device description | USB Mass Storage Device |
| DriverName | Driver name | usbstor.inf |
| DriverPackageStrongName | Driver package identifier | oem12.inf:... |
| Model | Device model | SanDisk Ultra |
| FirstInstallDate | First installation date | 2023-09-01T12:00:00 |
| InstallDate | Last installation date | 2023-10-01T14:00:00 |
| KeyLastWriteTime | Registry key modification time | 2023-10-15T14:30:00 |
| Manufacturer | Device manufacturer | SanDisk |
| Provider | Driver provider | Microsoft |
| Service | Associated service | USBSTOR |
| DriverVerDate | Driver version date | 2023-06-15T00:00:00 |
| DriverVerVersion | Driver version | 10.0.19041.1234 |
| HWID | Hardware ID | USB\VID_1234&PID_5678&REV_0100 |
| Inf | INF file name | usbstor.inf |
| ParentID | Parent device ID | USB\ROOT_HUB30 |
| DriverID | Driver identifier | usbstor.inf:... |
| ContainerID | Container ID GUID | {12345678-1234-1234-1234-123456789ABC} |
| ClassGuid | Class GUID | {36FC9E60-C465-11CF-8056-444553540000} |
| COMPID | Compatible IDs | USB\Class_08 |
| BusReportedDescription | Bus-reported description | USB Mass Storage Device |

InventoryDriverBinary

| Field | Description | Example |
| --- | --- | --- |
| KeyName | Driver key name | ntfs.sys |
| Product | Product name | Microsoft Windows |
| ProductVersion | Product version | 10.0.19041.1234 |
| DriverName | Driver file name | ntfs.sys |
| DriverVersion | Driver version | 10.0.19041.1234 |
| DriverPackageStrongName | Driver package identifier | oem0.inf:... |
| DriverCompany | Driver company | Microsoft Corporation |
| DriverLastWriteTime | Driver last write time | 2023-06-01T00:00:00 |
| DriverTimeStamp | Driver timestamp | 2023-06-01T00:00:00 |
| KeyLastWriteTime | Registry key modification time | 2023-10-15T14:30:00 |
| DriverIsKernelMode | Whether driver is kernel-mode | TRUE |
| DriverSigned | Whether driver is signed | TRUE |
| Service | Associated service | NTFS |
| Inf | INF file name | ntfs.inf |
| DriverId | Driver identifier | ntfs.sys:... |
| DriverCheckSum | Driver checksum | 0x12345678 |
| ImageSize | Driver image size | 524288 |

Old Format (Windows 7/8)

File Entries

| Field | Description | Example |
| --- | --- | --- |
| VolumeID | Volume GUID | {12345678-1234-1234-1234-123456789ABC} |
| FileID | File entry identifier | 00001234abcd |
| ProgramID | Associated program ID | 00005678efgh |
| ProductName | Product name | Google Chrome |
| CompanyName | Company name | Google LLC |
| FilePath | File path | C:\Program Files\Google\Chrome\Application\chrome.exe |
| FileDescription | File description | Google Chrome |
| FileVersion | File version | 118.0.5993.89 |
| FileSize | File size in bytes | 3145728 |
| SHA1 | SHA1 hash | a1b2c3d4e5f6... |
| CompilationTime | PE compilation timestamp | 2023-09-15T10:00:00 |
| FileModificationTime | File modification time | 2023-09-20T14:00:00 |
| FileCreationTime | File creation time | 2023-10-01T12:00:00 |
| EntryCreationTime | Amcache entry creation | 2023-10-01T12:05:00 |
| KeyLastWriteTime | Registry key modification time | 2023-10-15T14:30:00 |
| MFTEntryNumber | MFT entry number | 12345 |
| MFTSequenceNumber | MFT sequence number | 1 |

Program Entries

| Field | Description | Example |
| --- | --- | --- |
| ProgramID | Program identifier | 00005678efgh |
| VolumeIDFileID | Space-separated list of file IDs | 00001234abcd 00005678ijkl |
| ProgramName | Program name | Google Chrome |
| ProgramVersion | Program version | 118.0.5993.89 |
| FilePaths | Space-separated file paths | C:\Program Files\Google\Chrome... |
| Publisher | Publisher name | Google LLC |
| InstallDate | Installation date | 2023-10-01T10:00:00 |
| KeyLastWriteTime | Registry key modification time | 2023-10-15T14:30:00 |
| InstallSourceType | Installation source type | 2 |
| UninstallKeys | Uninstall registry keys | SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall... |
| ProductCode | Product code GUID | {12345678-1234-1234-1234-123456789ABC} |
| PackageCode | Package code GUID | {12345678-1234-1234-1234-123456789ABC} |
| MSIProductCodes | MSI product codes | {12345678-1234-1234-1234-123456789ABC} |
| MSIPackageCodes | MSI package codes | {12345678-1234-1234-1234-123456789ABC} |

Collection Method

This collector:

  • Collects Windows\appcompat\Programs\Amcache.hve and transaction logs

  • Parses the offline registry hive using the OfflineRegistry library

  • Detects format version (old vs new)

  • Extracts data from appropriate registry keys based on version

New Format Keys:

  • Root\InventoryApplication

  • Root\InventoryApplicationFile

  • Root\InventoryApplicationShortcut

  • Root\InventoryDevicePnp

  • Root\InventoryDriverBinary

Old Format Keys:

  • Root\File

  • Root\Programs

Usage

Amcache is invaluable for program execution analysis and historical application tracking. Investigators use this data to prove program execution (even deleted programs), establish installation timelines, identify malware execution, track application versions and updates, correlate file hashes with known malware, detect portable executable usage, and reconstruct user application usage patterns.
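The following added example (not part of this page or of the collector's own code) ties the Collection Method and Usage sections together: it selects the parser branch from the subkeys present under Root, joins file rows to program rows in both formats (on ProgramID for the new format, via the space-separated VolumeIDFileID list for the old one), and matches the SHA1 values against a known-bad set. The rows are constructed dicts shaped like the tables above; a real run would take them from the parsed hive. One caveat it encodes: Amcache hashes only the first 31,457,280 bytes (30 MiB) of a file, so the stored SHA1 of a larger file will not equal a full-file hash from threat intelligence.

```python
import re
from collections import namedtuple
# Amcache hashes only the first 31,457,280 bytes (30 MiB) of a file, so the stored
# SHA1 of anything larger will not equal a full-file SHA1 from threat intelligence.
AMCACHE_HASH_LIMIT = 31_457_280
_SHA1 = re.compile(r"^(?:0000)?([0-9a-f]{40})$")  # new-format FileID is "0000" + SHA1
ExecRecord = namedtuple("ExecRecord", "path sha1 program partial_hash")  # partial_hash: FileSize exceeds hashed prefix

def detect_format(root_subkeys):
    """Pick the parser branch from the subkey names found under Root."""
    names = {k.lower() for k in root_subkeys}
    if names & {"inventoryapplication", "inventoryapplicationfile"}:
        return "new"
    if names & {"file", "programs"}:
        return "old"
    raise ValueError("no known Amcache keys under Root")

def normalize_sha1(value):
    m = _SHA1.match((value or "").strip().lower())  # None for values that are not hashes
    return m.group(1) if m else None

def build_records(fmt, files, programs):
    """Join file rows to program rows (new: ProgramID; old: Programs.VolumeIDFileID list)."""
    if fmt == "new":
        by_id = {p["ProgramID"]: p.get("ProgramName", "") for p in programs}
        owner = lambda f: by_id.get(f.get("ProgramID"), "")
    else:
        by_file = {fid: p.get("ProgramName", "") for p in programs
                   for fid in p.get("VolumeIDFileID", "").split()}
        owner = lambda f: by_file.get(f.get("FileID"), "")
    records = []
    for f in files:
        sha1 = normalize_sha1(f.get("SHA1") or f.get("FileID"))
        size = int(f.get("FileSize") or 0)
        records.append(ExecRecord(f["FilePath"].lower(), sha1, owner(f), size > AMCACHE_HASH_LIMIT))
    return records

def match_known_bad(records, known_bad_sha1):
    bad = {h.lower() for h in known_bad_sha1}
    return [r for r in records if r.sha1 in bad]

# Constructed sample rows shaped like the parsed tables above (not real data).
NEW_PROGRAMS = [{"ProgramID": "00001234567890abcdef", "ProgramName": "Google Chrome"}]
NEW_FILES = [
    {"ProgramID": "00001234567890abcdef", "FileID": "0000" + "a1" * 20, "SHA1": "a1" * 20,
     "FilePath": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "FileSize": "3145728"},
    {"ProgramID": "0000ffffffffffffffff", "FileID": "0000" + "b2" * 20, "SHA1": "b2" * 20,
     "FilePath": r"C:\Users\user\AppData\Local\Temp\update.exe", "FileSize": "41943040"},
]
KNOWN_BAD = {"b2" * 20}  # constructed indicator, not a real hash
```

Records with an empty program name are files that have no matching InventoryApplication or Programs row, which is the typical shape of a portable or since-removed executable; records with partial_hash set should be re-hashed from a file copy before a miss against threat intelligence is trusted.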

Known Limitations

  • Format differs between Windows versions

  • Only tracks executables that have been run

  • May not capture all executed programs

  • Database can be cleared or corrupted

  • Historical data may be limited

Notes

Amcache is particularly valuable because it often retains information about deleted programs. The SHA1 hashes can be used for malware identification and threat intelligence correlation.
