AmCache
Overview
Evidence: AmCache
Description: Collect Amcache and Parse
Category: System
Platform: windows
Short Name: amc
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Amcache.hve is a registry hive maintained by the Windows Application Compatibility infrastructure. It tracks information about executed programs, installed applications, device drivers, and application shortcuts.
Amcache provides historical evidence of program execution and can contain information about programs that have been deleted. The format changed significantly between Windows 7/8 (old format with Root\File and Root\Programs keys) and Windows 10 (new format with Root\InventoryApplication* keys).
Data Collected
This collector gathers structured data about Amcache.
AmCache Data
The fields below are grouped by the registry key they are extracted from (new format first, then the old Windows 7/8 format).

Root\InventoryApplication (new format)

| Field | Description | Example |
|---|---|---|
| ProgramID | Program identifier | 00001234567890abcdef |
| ProgramName | Application name | Google Chrome |
| Version | Application version | 118.0.5993.89 |
| Publisher | Software publisher | Google LLC |
| RootDirPath | Installation directory | C:\Program Files\Google\Chrome |
| InstallDate | Installation date | 2023-10-01T10:00:00 |
| KeyLastWriteTime | Registry key modification time | 2023-10-15T14:30:00 |
| PackageFullName | UWP package name | |
| InstallSourceType | Installation source | 2 |
| MSIProductCode | MSI product code GUID | {12345678-1234-1234-1234-123456789ABC} |
| MSIPackageCode | MSI package code GUID | {12345678-1234-1234-1234-123456789ABC} |
| UninstallKey | Uninstall registry key | SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall… |
| UninstallString | Uninstall command | "C:\Program Files\App\uninstall.exe" |

Root\InventoryApplicationFile (new format)

| Field | Description | Example |
|---|---|---|
| ProgramID | Associated program ID | 00001234567890abcdef |
| FileID | File identifier (SHA1) | a1b2c3d4e5f6… |
| ProductName | Product name from file metadata | Google Chrome |
| ProductVersion | Product version | 118.0.5993.89 |
| Name | File name | chrome.exe |
| FilePath | Lowercase long path | c:\program files\google\chrome\application\chrome.exe |
| OriginalFileName | Original file name from PE header | chrome.exe |
| SHA1 | SHA1 hash | a1b2c3d4e5f6… |
| Publisher | Publisher name | Google LLC |
| FileSize | File size in bytes | 3145728 |
| USN | Update Sequence Number | 123456789 |
| IsOsComponent | Whether file is OS component | FALSE |
| KeyLastWriteTime | Registry key modification time | 2023-10-15T14:30:00 |

Root\InventoryApplicationShortcut (new format)

| Field | Description | Example |
|---|---|---|
| KeyName | Registry key name | chrome.lnk |
| LNKPath | Path to shortcut file | C:\Users\user\Desktop\Chrome.lnk |
| KeyLastWriteTime | Registry key modification time | 2023-10-15T14:30:00 |

Root\InventoryDevicePnp (new format)

| Field | Description | Example |
|---|---|---|
| KeyName | Device identifier | USB\VID_1234&PID_5678 |
| Class | Device class | USB |
| Description | Device description | USB Mass Storage Device |
| DriverName | Driver name | usbstor.inf |
| DriverPackageStrongName | Driver package identifier | oem12.inf:… |
| Model | Device model | SanDisk Ultra |
| FirstInstallDate | First installation date | 2023-09-01T12:00:00 |
| InstallDate | Last installation date | 2023-10-01T14:00:00 |
| KeyLastWriteTime | Registry key modification time | 2023-10-15T14:30:00 |
| Manufacturer | Device manufacturer | SanDisk |
| Provider | Driver provider | Microsoft |
| Service | Associated service | USBSTOR |
| DriverVerDate | Driver version date | 2023-06-15T00:00:00 |
| DriverVerVersion | Driver version | 10.0.19041.1234 |
| HWID | Hardware ID | USB\VID_1234&PID_5678&REV_0100 |
| Inf | INF file name | usbstor.inf |
| ParentID | Parent device ID | USB\ROOT_HUB30 |
| DriverID | Driver identifier | usbstor.inf:… |
| ContainerID | Container ID GUID | {12345678-1234-1234-1234-123456789ABC} |
| ClassGuid | Class GUID | {36FC9E60-C465-11CF-8056-444553540000} |
| COMPID | Compatible IDs | USB\Class_08 |
| BusReportedDescription | Bus-reported description | USB Mass Storage Device |

Root\InventoryDriverBinary (new format)

| Field | Description | Example |
|---|---|---|
| KeyName | Driver key name | ntfs.sys |
| Product | Product name | Microsoft Windows |
| ProductVersion | Product version | 10.0.19041.1234 |
| DriverName | Driver file name | ntfs.sys |
| DriverVersion | Driver version | 10.0.19041.1234 |
| DriverPackageStrongName | Driver package identifier | oem0.inf:… |
| DriverCompany | Driver company | Microsoft Corporation |
| DriverLastWriteTime | Driver last write time | 2023-06-01T00:00:00 |
| DriverTimeStamp | Driver timestamp | 2023-06-01T00:00:00 |
| KeyLastWriteTime | Registry key modification time | 2023-10-15T14:30:00 |
| DriverIsKernelMode | Whether driver is kernel-mode | TRUE |
| DriverSigned | Whether driver is signed | TRUE |
| Service | Associated service | NTFS |
| Inf | INF file name | ntfs.inf |
| DriverId | Driver identifier | ntfs.sys:… |
| DriverCheckSum | Driver checksum | 0x12345678 |
| ImageSize | Driver image size | 524288 |

Root\File (old format)

| Field | Description | Example |
|---|---|---|
| VolumeID | Volume GUID | {12345678-1234-1234-1234-123456789ABC} |
| FileID | File entry identifier | 00001234abcd |
| ProgramID | Associated program ID | 00005678efgh |
| ProductName | Product name | Google Chrome |
| CompanyName | Company name | Google LLC |
| FilePath | File path | C:\Program Files\Google\Chrome\Application\chrome.exe |
| FileDescription | File description | Google Chrome |
| FileVersion | File version | 118.0.5993.89 |
| FileSize | File size in bytes | 3145728 |
| SHA1 | SHA1 hash | a1b2c3d4e5f6… |
| CompilationTime | PE compilation timestamp | 2023-09-15T10:00:00 |
| FileModificationTime | File modification time | 2023-09-20T14:00:00 |
| FileCreationTime | File creation time | 2023-10-01T12:00:00 |
| EntryCreationTime | Amcache entry creation | 2023-10-01T12:05:00 |
| KeyLastWriteTime | Registry key modification time | 2023-10-15T14:30:00 |
| MFTEntryNumber | MFT entry number | 12345 |
| MFTSequenceNumber | MFT sequence number | 1 |

Root\Programs (old format)

| Field | Description | Example |
|---|---|---|
| ProgramID | Program identifier | 00005678efgh |
| VolumeIDFileID | Space-separated list of file IDs | 00001234abcd 00005678ijkl |
| ProgramName | Program name | Google Chrome |
| ProgramVersion | Program version | 118.0.5993.89 |
| FilePaths | Space-separated file paths | C:\Program Files\Google\Chrome… |
| Publisher | Publisher name | Google LLC |
| InstallDate | Installation date | 2023-10-01T10:00:00 |
| KeyLastWriteTime | Registry key modification time | 2023-10-15T14:30:00 |
| InstallSourceType | Installation source type | 2 |
| UninstallKeys | Uninstall registry keys | SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall… |
| ProductCode | Product code GUID | {12345678-1234-1234-1234-123456789ABC} |
| PackageCode | Package code GUID | {12345678-1234-1234-1234-123456789ABC} |
| MSIProductCodes | MSI product codes | {12345678-1234-1234-1234-123456789ABC} |
| MSIPackageCodes | MSI package codes | {12345678-1234-1234-1234-123456789ABC} |
Collection Method
This collector:
- Collects Windows\appcompat\Programs\Amcache.hve and its transaction logs
- Parses the offline registry hive using the OfflineRegistry library
- Detects the format version (old vs new)
- Extracts data from the appropriate registry keys based on the detected version

New format keys:
- Root\InventoryApplication
- Root\InventoryApplicationFile
- Root\InventoryApplicationShortcut
- Root\InventoryDevicePnp
- Root\InventoryDriverBinary

Old format keys:
- Root\File
- Root\Programs
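The format detection and key dispatch described above, as an added example that is not the collector's own code. It works on a constructed in-memory dict standing in for a parsed hive (real parsing would go through an offline registry library), uses the key and field names listed on this page, and strips the four-zero prefix Amcache stores in front of SHA1 values, then matches entries against a hash watchlist.

```python
# Added example: detect Amcache layout, normalise file entries from either
# layout, and check SHA1 values against a known-bad list (defender use case).
NEW_FORMAT_KEYS = {
    "Root\\InventoryApplication", "Root\\InventoryApplicationFile",
    "Root\\InventoryApplicationShortcut", "Root\\InventoryDevicePnp",
    "Root\\InventoryDriverBinary",
}
OLD_FORMAT_KEYS = {"Root\\File", "Root\\Programs"}

# Constructed sample hive (new format); hashes and paths are made up.
SAMPLE_HIVE = {
    "Root\\InventoryApplicationFile": {
        "chrome.exe|1a2b": {
            "FilePath": "c:\\program files\\google\\chrome\\application\\chrome.exe",
            "SHA1": "a1b2c3d4e5f6a7b8c9d0a1b2c3d4e5f6a7b8c9d0",
            "KeyLastWriteTime": "2023-10-15T14:30:00"},
        "tool.exe|9f8e": {
            "FilePath": "c:\\users\\user\\appdata\\local\\temp\\tool.exe",
            "SHA1": "0000ffeeddccbbaa99887766554433221100ffeeddcc",
            "KeyLastWriteTime": "2023-10-16T09:12:00"},
    },
}


def detect_format(hive):
    """Return 'new' (Windows 10+), 'old' (Windows 7/8) or None from the root keys present."""
    keys = set(hive)
    if keys & NEW_FORMAT_KEYS:
        return "new"
    if keys & OLD_FORMAT_KEYS:
        return "old"
    return None


def normalise_sha1(value):
    """Amcache stores SHA1 as '0000' + 40 hex chars; return the bare 40-char digest."""
    value = value.strip().lower()
    return value[4:] if len(value) == 44 and value.startswith("0000") else value


def extract_file_entries(hive):
    """Yield (path, sha1, key_last_write) for each file entry, whichever layout is present."""
    key = {"new": "Root\\InventoryApplicationFile", "old": "Root\\File"}.get(detect_format(hive))
    for entry in hive.get(key, {}).values():
        yield entry["FilePath"], normalise_sha1(entry["SHA1"]), entry["KeyLastWriteTime"]


def match_hashes(hive, watchlist):
    """Return sorted file paths whose SHA1 appears on the watchlist (case-insensitive)."""
    wanted = {normalise_sha1(h) for h in watchlist}
    return sorted(path for path, sha1, _ in extract_file_entries(hive) if sha1 in wanted)
```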
Forensic Value
Amcache is invaluable for program execution analysis and historical application tracking. Investigators use this data to prove program execution (even of deleted programs), establish installation timelines, identify malware execution, track application versions and updates, correlate file hashes with known malware, detect portable executable usage, and reconstruct user application usage patterns.