When an executable runs on a modern Windows system, the operating system records not just its path but its SHA-1 hash, file size, publisher name, and PE compile timestamp in a dedicated registry hive. Amcache.hve is the artifact that answers the question Shimcache cannot: not just where a file existed, but exactly which binary it was.
What Is Amcache.hve?
Amcache.hve is a standalone Windows registry hive located at C:\Windows\AppCompat\Programs\Amcache.hve. Introduced in Windows 8 as a replacement for the earlier RecentFileCache.bcf file, Amcache serves as an application inventory database that Windows uses to track installed and executed programs for compatibility telemetry, application usage reporting, and the Program Compatibility Assistant (PCA).
Unlike Shimcache, which stores only a file path and last-modified timestamp, Amcache records rich metadata about each executable: the SHA-1 hash of the file (computed over at most the first 31,457,280 bytes, so the recorded hash of a larger file will not match a full-file SHA-1), the full path, file size, publisher name (from the PE version information), PE compile timestamp (the TimeDateStamp from the PE header), binary type (32-bit or 64-bit), and the registry key's last-write time, which approximates first execution. One caveat applies throughout: Amcache can also record PE files that were inventoried by the compatibility subsystem but never run, so an entry is strong evidence of presence and identity, and execution should be corroborated with Prefetch, BAM or 4688 events. This level of detail makes Amcache one of the most valuable execution-related artifacts in Windows forensics.
The hive is structured around two primary key paths that have changed across Windows versions. On Windows 8 through early Windows 10 builds, application file entries were stored under Root\File\{VolumeGUID}\ with volume GUID subkeys. Starting with the Windows 10 Creators Update (1703), the primary key shifted to Root\InventoryApplicationFile\, which uses a different naming convention and field layout. Both structures are forensically valuable, and modern parsing tools handle both transparently.
Amcache is the only standard Windows artifact that records the SHA-1 hash of an executed file. This means an investigator can show not just that a tool named mimikatz.exe was present, but which specific build it was, enabling direct correlation with threat intelligence databases, VirusTotal, and malware repositories. Keep the hashing window in mind when a lookup fails: because Amcache hashes only the first 31,457,280 bytes, a binary larger than that must be re-hashed over the same window before it can be compared against the Amcache value.
Location & Format
File Path
| Property | Detail |
|---|---|
| Hive file | C:\Windows\AppCompat\Programs\Amcache.hve |
| Transaction logs | Amcache.hve.LOG1, Amcache.hve.LOG2 (same directory) |
| Format | Windows registry hive (regf format) |
| Introduced | Windows 8 (replaced RecentFileCache.bcf) |
| Update frequency | Shortly after execution (typically on process exit or at the next compatibility appraisal run), not at process start |
| Requires companion | No — self-contained hive (unlike SRUM which needs SOFTWARE) |
Key Structure by OS Version
| OS Version | Primary Key Path | Entry Naming | Notable Fields |
|---|---|---|---|
| Windows 8 / 8.1 | Root\File\{VolumeGUID}\ | MFT entry + sequence number | SHA-1, path, size, publisher, compile time, last modified |
| Windows 10 (pre-1703) | Root\File\{VolumeGUID}\ | MFT entry + sequence number | Same as Windows 8; some additional fields |
| Windows 10 (1703+) | Root\InventoryApplicationFile\ | Lowercase filename, a pipe, and a hex identifier (e.g. mimikatz.exe|<id>) | SHA-1 (lowercase), path (LowerCaseLongPath), size, publisher, version, BinFileVersion |
| Windows 11 | Root\InventoryApplicationFile\ | Same filename|<id> convention | Same as Win10 1703+; additional ProgramId correlation |
Key Fields — InventoryApplicationFile
| Value Name | Type | Description | Forensic Relevance |
|---|---|---|---|
| LowerCaseLongPath | REG_SZ | Full file path in lowercase | Proves file placement at a specific directory |
| FileId | REG_SZ | SHA-1 hash prefixed with four zero characters (44 characters in total) | Uniquely identifies the binary; enables VT/TI lookup once the prefix is stripped |
| Size | REG_QWORD | File size in bytes | Corroborates file identity alongside the hash |
| Publisher | REG_SZ | Publisher (CompanyName) from PE version info | Identifies the developer; an empty or unusual publisher is suspicious |
| Version | REG_SZ | Product version string | Identifies the specific tool version |
| BinaryType | REG_SZ | PE type (pe64_amd64, pe32_i386) | Confirms architecture targeting |
| LinkDate | REG_SZ | PE compile timestamp, taken from the PE header and therefore attacker-controllable | Build date of the binary; useful for malware family attribution when not forged |
| ProductName | REG_SZ | Product name from version info | Original product name even if the file is renamed |
| ProgramId | REG_SZ | Identifier linking the file to its InventoryApplication (installed program) entry | Ties a loose executable to an installer, or shows that there was none |
| Key LastWriteTime | (metadata) | Registry key last-write timestamp | Approximates when the entry was written, usually close to first execution |
The FileId value in InventoryApplicationFile is the SHA-1 hash prefixed with four zero characters (0000), giving a 44-character string. When querying VirusTotal or other threat intelligence platforms, strip the leading 0000 to get the standard 40-character SHA-1 hex string. The older Root\File\ format stores the same value under the numeric value name 101, also with the 0000 prefix, so the same normalization applies to both layouts.
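As an added example (not code from the original page), the following Python normalizes a FileId from either hive layout and recomputes the hash the way Amcache does, over at most the first 31,457,280 bytes, so an investigator can check a recovered or quarantined file against an Amcache entry even when the file is larger than the hashed window. The sample bytes and FileId at the bottom are constructed for illustration.

```python
"""Normalize Amcache FileId values and reproduce the Amcache SHA-1 for a file."""
import hashlib
import re

# Amcache hashes only the first 31,457,280 bytes (30 MiB) of a file, so for
# larger files the recorded SHA-1 will not match a full-file SHA-1 or a
# VirusTotal lookup made with the full-file hash.
AMCACHE_HASH_LIMIT = 31_457_280
_SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def normalize_file_id(file_id):
    """Return the 40-hex-char SHA-1 from an Amcache FileId, or None if malformed.

    Both hive layouts store the hash as "0000" + SHA-1 (44 characters). The
    prefix is only stripped when what remains is exactly 40 hex characters, so
    a genuine 40-character hash that happens to start with 0000 is left alone.
    """
    if file_id is None:
        return None
    value = file_id.strip().lower()
    if len(value) == 44 and value.startswith("0000"):
        value = value[4:]
    return value if _SHA1_RE.match(value) else None


def amcache_sha1_bytes(data):
    """SHA-1 over at most the first AMCACHE_HASH_LIMIT bytes, as Amcache computes it."""
    return hashlib.sha1(data[:AMCACHE_HASH_LIMIT]).hexdigest()


def amcache_sha1_file(path):
    """Stream a file and hash only its first 30 MiB, so a large binary can be
    compared against an Amcache FileId without loading it fully into memory."""
    h = hashlib.sha1()
    remaining = AMCACHE_HASH_LIMIT
    with open(path, "rb") as fh:
        while remaining > 0:
            chunk = fh.read(min(1 << 20, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def matches_file_id(file_id, data):
    """Does a recovered byte blob correspond to an Amcache FileId?

    Returns (match, note); the note flags the truncation caveat when the blob
    is larger than the hashed window, because a match then says nothing about
    the tail of the file.
    """
    sha1 = normalize_file_id(file_id)
    if sha1 is None:
        return False, "malformed FileId"
    match = amcache_sha1_bytes(data) == sha1
    note = ("hash covers only first 30 MiB" if len(data) > AMCACHE_HASH_LIMIT
            else "full file hashed")
    return match, note


if __name__ == "__main__":
    # Constructed sample: a small PE-like blob and its Amcache-style FileId
    sample = b"MZ" + b"\x90" * 512
    file_id = "0000" + hashlib.sha1(sample).hexdigest()
    print(normalize_file_id(file_id))
    print(matches_file_id(file_id, sample))
```

When a VirusTotal lookup on a normalized FileId returns nothing for a file you know is large, recompute with amcache_sha1_file on the recovered sample and compare locally; the full-file SHA-1 is the value to submit to external platforms.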
What It Reveals
Amcache answers investigative questions that no other single artifact can address. Its combination of hash, path, publisher, and timestamp data makes it uniquely powerful for attribution and tool identification:
- What is the exact identity of the executable? — The SHA-1 hash uniquely identifies the binary, enabling direct lookup in VirusTotal, malware repositories, and threat intelligence platforms.
- Who published the binary? — The Publisher field reveals the developer. Offensive tools often show no publisher, a fabricated name, or the actual author (e.g., “gentilkiwi” for mimikatz).
- When was the binary compiled? — The LinkDate PE compile timestamp reveals when the binary was built. A compile time of hours before deployment suggests a custom build targeting this victim, with the caveat that the PE TimeDateStamp is attacker-controlled and can be forged.
- What specific version was used? — The Version and ProductName fields identify the exact release, which matters for understanding the attacker’s specific capabilities.
- When was the tool first executed? — The registry key’s LastWriteTime approximates when the entry was written, which is usually close to first execution. Since Amcache can also record files that were only inventoried, corroborate with Prefetch, BAM or 4688 events before treating it as proof of execution.
- Was the binary renamed to evade detection? — If ProductName says “mimikatz” but the file path shows svchost.exe, the attacker renamed the binary to masquerade as a legitimate process (T1036).
In a recent incident response engagement, Amcache revealed that the attacker used a Cobalt Strike beacon with a specific SHA-1 hash. This hash matched a beacon configuration previously attributed to a known threat actor cluster by multiple threat intelligence vendors. The beacon binary had already been deleted from disk; without Amcache it would have been unidentifiable. The hash alone enabled attribution to a known adversary group with high confidence.
Forensic Use Cases
1. Malware Identification via Hash
An endpoint detection system quarantines a suspicious file, but the original binary is deleted during remediation before the investigator can collect it. Amcache retains the SHA-1 hash, file size, publisher, and compile time. The hash is submitted to VirusTotal, which returns a 58/72 detection rate identifying the file as a Cobalt Strike stager. The compile time is 6 hours before the initial compromise timestamp, suggesting the payload was custom-built for this operation.
2. Proving Specific Tool Version
In an insider threat investigation, the subject claims they “only used built-in Windows tools.” Amcache shows entries for rclone.exe (Version: 1.65.2, Publisher: https://rclone.org) and WinSCP.exe (Version: 6.1.2, Publisher: Martin Prikryl) with first-execution timestamps during the exfiltration window. The SHA-1 hashes confirm these are official releases and the version numbers enable the investigator to research exact capabilities available to the subject.
3. Detecting Masquerading
An attacker renames their credential harvesting tool to WindowsUpdate.exe and places it in C:\ProgramData\. Shimcache records only the deceptive path, but Amcache records both the path and the PE metadata. The ProductName field reads “mimikatz” and the Publisher field reads “gentilkiwi (Benjamin DELPY)” — immediately revealing the true identity despite the filename masquerade.
4. Correlating with Threat Intelligence
Amcache SHA-1 hashes can be bulk-extracted and submitted to threat intelligence platforms for automated enrichment. A batch query against VirusTotal, MISP, or a commercial TI feed can instantly classify every executable that ran on the system as benign, suspicious, or known-malicious — dramatically accelerating triage during a large-scale incident.
5. Establishing Execution Timeline
By extracting the LastWriteTime of each Amcache key, investigators build a timeline of first-execution events. Combined with Shimcache ordering, Prefetch timestamps, and Event Log process creation events (4688), this creates a comprehensive picture of which tools were deployed in what order — essential for kill chain reconstruction.
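The masquerading, fresh-compile and first-seen timeline checks from use cases 3 and 5 above, written as an added Python example rather than code from the page. Records are plain dicts named after the InventoryApplicationFile values plus a KeyLastWriteTime field (the shape a hive parser or an AmcacheParser CSV row can be mapped to). KNOWN_TOOLS, SYSTEM_NAMES, the path lists and the sample records are constructed assumptions for illustration, not reference data from the article.

```python
"""Triage Amcache InventoryApplicationFile records for masquerading, unsigned
staging binaries and fresh builds, then order the hits into a first-seen timeline."""
from datetime import datetime, timedelta
import ntpath

# Hypothetical reference data: product names of offensive tools and the filename
# each normally ships under, so a renamed copy stands out.
KNOWN_TOOLS = {
    "mimikatz": "mimikatz.exe",
    "procdump": "procdump.exe",
}
# Windows binaries commonly impersonated, and the roots where the real ones live.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "rundll32.exe"}
SYSTEM_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\windows\\winsxs\\")
# Staging directories writable without admin rights.
USER_WRITABLE = ("\\temp\\", "c:\\programdata\\", "c:\\users\\public\\",
                 "c:\\perflogs\\", "$recycle.bin")
FRESH_BUILD_WINDOW = timedelta(hours=24)


def parse_ts(value):
    """Amcache LinkDate strings look like '10/18/2019 02:39:21' (month/day/year);
    CSV exports usually carry ISO-style timestamps. Accept both, or a datetime."""
    if isinstance(value, datetime):
        return value
    for fmt in ("%m/%d/%Y %H:%M:%S", "%Y-%m-%d %H:%M:%S", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(value, fmt)
        except (TypeError, ValueError):
            continue
    return None


def triage_record(rec):
    """Return a list of (finding, detail) tuples for one record; empty means clean."""
    path = (rec.get("LowerCaseLongPath") or "").lower()
    name = ntpath.basename(path)
    product = (rec.get("ProductName") or "").lower()
    publisher = (rec.get("Publisher") or "").strip()
    findings = []

    # T1036: embedded ProductName says one tool, the filename says another
    for tool, shipped_as in KNOWN_TOOLS.items():
        if tool in product and name != shipped_as:
            findings.append(("masquerade",
                             f"ProductName '{rec.get('ProductName')}' but file is {name}"))

    # T1036: a system binary name outside the directories it belongs in
    if name in SYSTEM_NAMES and not path.startswith(SYSTEM_ROOTS):
        findings.append(("masquerade", f"{name} outside Windows directories: {path}"))

    # No publisher metadata in a user- or world-writable staging directory
    if not publisher and any(tag in path for tag in USER_WRITABLE):
        findings.append(("unsigned_staging", path))

    # Compiled shortly before it first appeared on this host (LinkDate is forgeable,
    # so this is a lead, not proof)
    link = parse_ts(rec.get("LinkDate"))
    seen = parse_ts(rec.get("KeyLastWriteTime"))
    if link and seen and timedelta(0) <= seen - link <= FRESH_BUILD_WINDOW:
        findings.append(("fresh_build", f"compiled {seen - link} before first seen"))
    return findings


def triage(records):
    """Flagged records ordered by key last-write time: a first-seen timeline of
    the suspicious binaries only. Each item is (first_seen, path, findings)."""
    flagged = []
    for rec in records:
        hits = triage_record(rec)
        if hits:
            flagged.append((parse_ts(rec.get("KeyLastWriteTime")),
                            rec.get("LowerCaseLongPath"), hits))
    flagged.sort(key=lambda item: item[0] or datetime.min)
    return flagged


# Constructed sample records (not real case data)
SAMPLE_RECORDS = [
    {"LowerCaseLongPath": "c:\\users\\jdoe\\appdata\\local\\temp\\windowsupdate.exe",
     "FileId": "0000" + "a1b2c3d4e5f6" * 3 + "a1b2",
     "Publisher": "gentilkiwi (Benjamin DELPY)", "ProductName": "mimikatz",
     "LinkDate": "01/10/2024 03:12:44", "KeyLastWriteTime": "2024-01-15 09:30:00"},
    {"LowerCaseLongPath": "c:\\programdata\\microsoft\\crypto\\svchost.exe",
     "FileId": "0000" + "d4e5f6a1b2c3" * 3 + "d4e5", "Publisher": "",
     "ProductName": "", "LinkDate": "01/15/2024 03:00:00",
     "KeyLastWriteTime": "2024-01-15 09:31:00"},
    {"LowerCaseLongPath": "c:\\windows\\system32\\svchost.exe",
     "FileId": "0000" + "0" * 40, "Publisher": "Microsoft Corporation",
     "ProductName": "Microsoft Windows Operating System",
     "LinkDate": "06/01/2023 10:00:00", "KeyLastWriteTime": "2024-01-02 08:00:00"},
]

if __name__ == "__main__":
    for first_seen, path, hits in triage(SAMPLE_RECORDS):
        print(first_seen, path)
        for kind, detail in hits:
            print("   ", kind, "-", detail)
```

The output is ordered by key last-write time, so it drops straight into a super-timeline next to Prefetch and 4688 entries; the legitimate System32 svchost.exe produces no finding, which is the control case a heuristic like this must pass.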
Acquisition Methods
Amcache.hve is locked by the operating system on a live system. Direct file copy will return an access-denied or sharing-violation error. Use Volume Shadow Copy, a forensic imaging tool, or a raw-disk copy utility. Always collect the transaction log files (.LOG1, .LOG2) alongside the hive — they may contain entries not yet committed to the main hive file.
Live System — Volume Shadow Copy
```batch
:: Create a Volume Shadow Copy (elevated prompt). "vssadmin create shadow" exists on
:: Windows Server only; on client editions use:  wmic shadowcopy call create Volume=C:\
vssadmin create shadow /for=C:

:: Note the "Shadow Copy Volume Name" printed by the command above and use its number
:: below (HarddiskVolumeShadowCopy3 is only an example)
:: Copy Amcache.hve from the shadow (bypasses the file lock)
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\AppCompat\Programs\Amcache.hve C:\Evidence\

:: Copy the transaction logs
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\AppCompat\Programs\Amcache.hve.LOG1 C:\Evidence\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\AppCompat\Programs\Amcache.hve.LOG2 C:\Evidence\

:: Alternative: KAPE targeted collection (the Amcache target collects the hive and its logs)
kape.exe --tsource C: --tdest C:\Evidence\KAPE_Output --target Amcache
```
Forensic Image — Direct Extraction
```bash
# Mount the evidence volume read-only (a write-blocked device here; for a raw
# image file, attach it to a loop device with the partition offset first)
mount -o ro,noexec,nodev /dev/sdb1 /mnt/evidence

# Copy Amcache.hve and its transaction logs
cp /mnt/evidence/Windows/AppCompat/Programs/Amcache.hve /analysis/amcache/
cp /mnt/evidence/Windows/AppCompat/Programs/Amcache.hve.LOG* /analysis/amcache/
```
Parsing Tools & Analysis
| Tool | Author | License | Output | Notes |
|---|---|---|---|---|
| AmcacheParser | Eric Zimmerman | Free | CSV | Industry standard; handles both old (Root\File) and new (InventoryApplicationFile) formats |
| RegRipper | Harlan Carvey | Open source (Perl) | Text | amcache plugin; lightweight, fast parsing |
| Registry Explorer | Eric Zimmerman | Free | GUI + export | Visual inspection of raw hive with field interpretation |
| Velociraptor | Rapid7 | Open source | JSON / CSV | Windows.Detection.Amcache artifact; scalable remote parsing |
| Autopsy | Basis Technology | Open source | GUI | Built-in Amcache parser module; integrated with case management |
Parsing with AmcacheParser
```batch
:: Parse Amcache.hve to CSV. If Amcache.hve.LOG1/.LOG2 sit in the same directory,
:: a dirty hive is brought up to date from them automatically.
AmcacheParser.exe -f C:\Evidence\Amcache.hve --csv C:\Analysis\Amcache_Output

:: Output files (each name carries a timestamp prefix):
::   Amcache_UnassociatedFileEntries.csv
::   Amcache_AssociatedFileEntries.csv
::   Amcache_ProgramEntries.csv
::   Amcache_DevicePnPEntries.csv

:: -i also lists the file entries that belong to installed programs (the
:: "associated" entries), which are otherwise summarized under ProgramEntries
AmcacheParser.exe -f C:\Evidence\Amcache.hve --csv C:\Analysis\ -i
```
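For analysts working on Linux without AmcacheParser, here is an added Python example (not part of the page or of any of the tools listed above) that walks Root\InventoryApplicationFile with the python-registry library (pip install python-registry), splits the filename|id key names and attaches each key's last-write time to the record. It assumes python-registry is installed and that the hive is an offline copy; the key name, identifier and values used in the usage comments are constructed.

```python
"""Walk Root\\InventoryApplicationFile in an offline Amcache.hve with python-registry
and emit one normalized dict per file entry."""

try:
    from Registry import Registry  # python-registry by Willi Ballenthin
except ImportError:  # the pure helpers below work without it; walking a hive does not
    Registry = None

# python-registry resolves paths below the hive's root key, which in Amcache.hve is
# itself named "Root"; the second form is tried in case a build exposes it as a subkey.
INVENTORY_PATHS = ("InventoryApplicationFile", "Root\\InventoryApplicationFile")
VALUE_NAMES = ("LowerCaseLongPath", "FileId", "Size", "Publisher", "ProductName",
               "Version", "BinaryType", "LinkDate", "ProgramId")


def split_key_name(key_name):
    """Subkeys are named '<filename>|<hex id>'. Returns (filename, id);
    a name without '|' yields (name, '')."""
    filename, sep, ident = key_name.partition("|")
    return filename, ident if sep else ""


def strip_file_id(file_id):
    """Drop the 0000 prefix from a 44-character FileId (both hive layouts use it)."""
    if isinstance(file_id, str) and len(file_id) == 44 and file_id.startswith("0000"):
        return file_id[4:].lower()
    return file_id


def record_from_values(key_name, last_write, values):
    """Build a normalized record from a subkey name, its timestamp and a
    {value name: value} map, so the parsing step is testable without a hive."""
    filename, ident = split_key_name(key_name)
    rec = {name: values.get(name) for name in VALUE_NAMES}
    rec["Name"] = filename
    rec["KeyId"] = ident
    rec["SHA1"] = strip_file_id(rec.pop("FileId"))
    rec["KeyLastWriteTime"] = last_write
    return rec


def open_inventory(reg):
    """Open the InventoryApplicationFile key, trying both path spellings."""
    for path in INVENTORY_PATHS:
        try:
            return reg.open(path)
        except Registry.RegistryKeyNotFoundException:
            continue
    raise KeyError("InventoryApplicationFile not found; pre-1703 hive uses Root\\File")


def walk_inventory(hive_path):
    """Yield one record per InventoryApplicationFile subkey of an offline Amcache.hve."""
    if Registry is None:
        raise RuntimeError("python-registry is required to parse a hive")
    reg = Registry.Registry(hive_path)
    for sub in open_inventory(reg).subkeys():
        values = {v.name(): v.value() for v in sub.values()}
        yield record_from_values(sub.name(), sub.timestamp(), values)


if __name__ == "__main__":
    import sys
    # Usage: python amcache_walk.py /analysis/amcache/Amcache.hve
    for rec in walk_inventory(sys.argv[1]):
        print(rec["KeyLastWriteTime"], rec["SHA1"], rec["LowerCaseLongPath"])
```

python-registry reads the hive file as-is and does not replay the .LOG1/.LOG2 transaction logs, so on a dirty hive AmcacheParser or Registry Explorer may show entries this walker misses; compare counts before relying on it for a final timeline.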
Analysis Script — Automated Hash Lookup
```python
# Extract SHA-1 hashes and filter for suspicious entries
import pandas as pd

df = pd.read_csv('/analysis/amcache/Amcache_UnassociatedFileEntries.csv')

# Strip the leading 0000 prefix to get the standard 40-character SHA-1.
# Only a 44-character value is touched, so a genuine hash that happens to
# begin with 0000 is not damaged if the parser already removed the prefix.
df['SHA1_Clean'] = df['SHA1'].astype(str).str.lower().str.replace(
    r'^0000(?=[0-9a-f]{40}$)', '', regex=True
)

# Filter for executables in suspicious (user- or world-writable) locations
suspicious = df[
    df['FullPath'].str.contains(
        r'Temp|ProgramData|Public|Perflogs|Recycle',
        case=False, na=False
    )
]

print(f"Suspicious entries: {len(suspicious)}")
print(suspicious[['FullPath', 'Publisher', 'SHA1_Clean']].to_string())
```
Sample Output
Suspicious entries: 3
FullPath Publisher SHA1_Clean
c:\users\jdoe\appdata\local\temp\windowsupdate.exe gentilkiwi (Benjamin DELPY) a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
c:\programdata\microsoft\crypto\beacon.dll (empty) d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5
c:\perflogs\procdump64.exe Sysinternals - www.sysinternals.com f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1
The first entry reveals masquerading: the file is named windowsupdate.exe but the publisher is “gentilkiwi (Benjamin DELPY)” — the author of mimikatz. The second entry has no publisher, characteristic of custom-compiled offensive tooling. The third is a legitimate Sysinternals tool used by both defenders and attackers — context from other artifacts determines intent.
Retention & Persistence
| Property | Windows 8 / 8.1 | Windows 10 | Windows 11 |
|---|---|---|---|
| Retention period | Indefinite until hive cleanup | Entries may be pruned by PCA task | Entries may be pruned by PCA task |
| Survives reboot | Yes | Yes | Yes |
| Survives app uninstall | Yes — file entries persist | Yes — file entries persist | Yes — file entries persist |
| Survives file deletion | Yes — entries reference metadata, not file | Yes — entries reference metadata, not file | Yes — entries reference metadata, not file |
| Update frequency | Shortly after execution (process exit or next appraisal run) | Shortly after execution (process exit or next appraisal run) | Shortly after execution (process exit or next appraisal run) |
| Purge mechanism | Manual or hive corruption | PCA scheduled task may prune; varies by build | PCA scheduled task may prune; varies by build |
Starting with certain Windows 10 builds (approximately 1903+), the Program Compatibility Assistant (PCA) scheduled task can truncate Amcache.hve, removing older entries. The timing and trigger varies by build. Always collect Amcache as early as possible in an investigation, and check the LastWriteTime of the oldest entries to establish the actual coverage window.
Anti-Forensics Resilience
Amcache.hve resides in a system directory and is locked during normal operation, making it resistant to casual cleanup. However, it is more accessible than the SYSTEM hive because it is a standalone file rather than a core OS hive.
| Tool / Technique | Clears Amcache? | Explanation |
|---|---|---|
| CCleaner | No | Does not target AppCompat\Programs\ directory |
| Eraser | No | Cannot delete locked hive files without stopping services |
| BleachBit | No | No module targets Amcache.hve |
| Prefetch cleanup | No | Independent artifact subsystem |
| Event Log clearing | No | Unrelated to registry hive |
| PCA scheduled task | Partial | May prune older entries on newer Windows 10/11 builds |
| Manual deletion | Possible | Requires stopping compatibility services and elevated privileges; detectable via service stop events |
| Registry tampering | Possible | Offline editing detectable via transaction log analysis and hive consistency checks |
Amcache.hve is not targeted by any mainstream anti-forensics or privacy tool. It is a locked system file that most users and even many attackers do not know exists. The few adversaries who are aware of it would need to stop system services and delete a specific file — actions that generate detectable Event Log entries. In Mjolnir case history, Amcache has survived cleanup operations in over 95% of investigated incidents.
MITRE ATT&CK Detection Mapping
Amcache data provides evidentiary support for detecting the following MITRE ATT&CK techniques:
| Technique | Name | Amcache Evidence |
|---|---|---|
| T1059 | Command and Scripting Interpreter | Hash and publisher metadata for script interpreters executed from non-standard paths |
| T1204 | User Execution | First-execution timestamp from key LastWriteTime; correlates with phishing delivery timelines |
| T1036 | Masquerading | ProductName/Publisher mismatch with filename reveals binary renaming |
| T1105 | Ingress Tool Transfer | Entries for executables in staging directories with recent compile timestamps indicate downloaded attack tools |
Related Artifacts & Cross-Correlation
| Artifact | Relationship to Amcache | Cross-Correlation Value |
|---|---|---|
| Shimcache | Records file path and last-modified time; no hash | Shimcache proves file placement; Amcache proves file identity via SHA-1 |
| Prefetch | Records execution count, last 8 run times, DLLs loaded | Prefetch proves repeated execution; Amcache identifies the exact binary version |
| UserAssist | Records GUI program launches with run count | UserAssist confirms user-interactive execution; Amcache covers both GUI and non-GUI executables |
| BAM/DAM | Records execution timestamps for background apps | BAM provides precise execution timestamps; Amcache provides the hash identity |
| SRUM.db | Records network transfer data per application | SRUM shows what the tool did on the network; Amcache identifies which specific build it was |
| $MFT | File system metadata for files still on disk | MFT confirms current presence; Amcache persists after file and MFT entry are gone |
References
- Eric Zimmerman, “AmcacheParser” — https://ericzimmerman.github.io/
- ANSSI (French National Cybersecurity Agency), “Amcache Analysis” — https://www.ssi.gouv.fr
- SANS Institute, “Amcache.hve in Windows 10” — https://www.sans.org/blog/
- Harlan Carvey, “RegRipper” — https://github.com/keydet89/RegRipper3.0
- 13Cubed, “Amcache.hve Deep Dive” — https://www.13cubed.com/blog
- Microsoft, “Application Compatibility Infrastructure” — https://learn.microsoft.com
- Yogesh Khatri, “Amcache.hve — Part 2” — https://www.swiftforensics.com
- ForensicArtifacts.com, “Windows Amcache Definition” — https://github.com/ForensicArtifacts/artifacts
Mjolnir Security — Digital Forensics & Incident Response
Mjolnir Security provides 24/7 incident response, digital forensics, and expert witness testimony. Our DFIR team specializes in Amcache analysis, malware attribution via hash correlation, and investigations requiring precise tool identification.
mjolnirsecurity.com — 24/7: +1 833 403 5875