AmCache.hve
Windows | Execution Evidence | Disk Image
Location
C:\Windows\appcompat\Programs\Amcache.hve
Description
Application compatibility cache hive tracking program execution with SHA1 hashes, file paths, publisher metadata, and first-execution timestamps.
Forensic Value
AmCache provides SHA1 hashes for executed binaries, enabling immediate VirusTotal lookups even after the attacker deletes the original file. First-execution timestamps establish when a tool was first introduced to the system. Entries persist across reboots and are more resistant to anti-forensic tampering than Prefetch.
Tools Required
- KAPE
- AmcacheParser (Eric Zimmerman)
- Registry Explorer (Eric Zimmerman)
Collection Commands
KAPE
kape.exe --tsource C: --tdest C:\output --target Amcache
AmcacheParser
AmcacheParser.exe -f "C:\Windows\appcompat\Programs\Amcache.hve" --csv C:\output --csvf Amcache.csv
Registry Explorer
Open Amcache.hve in Registry Explorer and navigate to Root\InventoryApplicationFile
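The triage step the Forensic Value section describes, turning the AmcacheParser CSV into a de-duplicated hash list for reputation lookups plus a first-seen time and path set per binary, as an added example that is not part of the original page or of Eric Zimmerman's tools. It assumes the AmcacheParser column names FileKeyLastWriteTimestamp, SHA1, IsOsComponent and FullPath, UTC timestamps in yyyy-MM-dd HH:mm:ss form, and constructed sample rows.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed rows in the shape AmcacheParser writes to Amcache.csv. Column names are
# assumed from AmcacheParser output; check them against your own export. Hashes are
# constructed (the first is SHA1 of the empty string); the hive stores them with four
# leading zero characters, and parsers may or may not strip that prefix.
SAMPLE_CSV = """\
ProgramId,FileKeyLastWriteTimestamp,SHA1,IsOsComponent,FullPath,Name
0006aaaa,2024-03-02 08:15:44,0000da39a3ee5e6b4b0d3255bfef95601890afd80709,True,c:\\windows\\system32\\cmd.exe,cmd.exe
0006bbbb,2024-03-06 01:02:03,00001111111111111111111111111111111111111111,False,c:\\users\\alice\\downloads\\upd.exe,upd.exe
0006bbbb,2024-03-05 22:41:10,1111111111111111111111111111111111111111,False,c:\\users\\alice\\appdata\\local\\temp\\upd.exe,upd.exe
"""

def normalize_sha1(raw):
    """Lowercase 40-hex SHA1 with any 4-zero hive prefix removed, or None if unusable."""
    h = (raw or "").strip().lower()
    if len(h) == 44 and h.startswith("0000"):
        h = h[4:]
    return h if len(h) == 40 and all(c in "0123456789abcdef" for c in h) else None

def parse_amcache_csv(text):
    """Parse AmcacheParser CSV text into dicts: sha1, path, os_component, ts (UTC)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        sha1 = normalize_sha1(r.get("SHA1"))
        if sha1 is None:
            continue  # nothing to look up without a hash
        ts = datetime.strptime(r["FileKeyLastWriteTimestamp"], "%Y-%m-%d %H:%M:%S")
        rows.append({"sha1": sha1, "path": r["FullPath"].lower(),
                     "os_component": (r.get("IsOsComponent") or "").lower() == "true",
                     "ts": ts.replace(tzinfo=timezone.utc)})
    return rows

def first_seen_by_hash(rows):
    """Per SHA1: earliest timestamp and every path it appeared under. One hash at several
    paths is the same binary copied or renamed, even if the file is now deleted."""
    index = {}
    for r in rows:
        e = index.setdefault(r["sha1"], {"first_seen": r["ts"], "paths": set()})
        e["first_seen"] = min(e["first_seen"], r["ts"])
        e["paths"].add(r["path"])
    return index

def lookup_candidates(rows):
    """Unique non-OS hashes to submit to a reputation service, each queried once."""
    return sorted({r["sha1"] for r in rows if not r["os_component"]})
```

Run it against a real export by reading Amcache.csv into parse_amcache_csv; the first_seen value is the entry's FileKeyLastWriteTimestamp, so corroborate it with Prefetch or event logs before treating it as the execution time.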
Collection Constraints
- Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
MITRE ATT&CK Techniques
T1059, T1204.002