Amcache
Forensic Artifacts
Definition
AmCache is a Windows registry hive file (`Amcache.hve`) stored at `C:\Windows\AppCompat\Programs\`. It records metadata about executables, applications, and drivers the system has observed, as part of the Windows Application Compatibility framework. The important caveat upfront: **AmCache records file presence, not guaranteed execution.** An entry means Windows encountered the file. That's still useful, but it's not the same as a confirmed run.

### **Data Stored in AmCache**

- Full file path of the executable
- SHA-1 hash (first 31.25KB of the file)
- File size and metadata
- Program name, version, and publisher
- Timestamps - creation, modification, install-related
- Driver and installed application records

### **Why It Matters**

AmCache fills a specific role: it ties a file hash to a file path on a specific machine at a specific point in time. That combination is hard to get from most other artifacts.

- **Hash-based intel at the host level** — no memory capture needed, no live process required. Pull the SHA-1 and query your intel sources directly
- **Confirms file presence after deletion** — attackers routinely clean up binaries. AmCache retains the record of what was there
- **Exposes renamed tools** — the filename might look clean, but if the SHA-1 matches a known implant in your feed, the rename doesn't matter
- **Works on servers** — unlike Prefetch, which is off by default on Windows Server, AmCache is present and populated on server builds

### **Limitations**

- Does not confirm execution: entries can be created through system scans, compatibility checks, or install routines, not just user-run programs
- Timestamps may not reflect actual run time
- Structure varies across Windows versions, so parsing output differs between Win7, Win8, and Win10
- Requires dedicated tools to interpret correctly; the raw hive is not human-readable
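The "Why It Matters" points above (hash lookup, presence after deletion, renamed tools, staging paths) reduce to a triage pass over already-parsed AmCache file entries. The following is an added example, not code from this glossary or from any AmCache parser: it assumes a constructed CSV whose column names are this example's own, a constructed intel feed with placeholder hashes, and a hypothetical list of staging directories.

```python
import csv
import io
import ntpath
from dataclasses import dataclass, field

# Constructed, already-parsed AmCache file entries. Column names are this
# example's own, not any particular parser's schema. Hashes are placeholders.
PARSED_AMCACHE_CSV = """sha1,full_path,key_last_write
1111111111111111111111111111111111111111,C:\\Windows\\System32\\notepad.exe,2024-03-01T08:00:00Z
2222222222222222222222222222222222222222,C:\\Users\\Public\\Downloads\\update.exe,2024-03-02T09:14:00Z
3333333333333333333333333333333333333333,C:\\ProgramData\\svcupdate.exe,2024-03-02T09:20:00Z
"""

# Constructed intel feed: SHA-1 -> (family, filename the tool normally ships as).
# AmCache hashes only a prefix of the file, so feed hashes for large binaries
# must be computed the same way or they will never match.
INTEL_FEED = {
    "2222222222222222222222222222222222222222": ("Dropper.Example", "update.exe"),
    "3333333333333333333333333333333333333333": ("CredentialDumper.Example", "credtool.exe"),
}

# Hypothetical staging locations worth flagging even without a hash hit.
STAGING_PREFIXES = ("c:\\users\\public\\", "c:\\windows\\temp\\", "c:\\programdata\\")


@dataclass
class Finding:
    sha1: str
    full_path: str
    key_last_write: str
    reasons: list = field(default_factory=list)
    family: str = ""
    evidence: str = "presence"  # AmCache shows the file existed, never that it ran


def triage_amcache(csv_text: str, intel_feed=INTEL_FEED) -> list:
    """Return one Finding per entry that hits the feed or sits in a staging path."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        sha1, path = row["sha1"].lower(), row["full_path"]
        reasons, family = [], ""
        hit = intel_feed.get(sha1)
        if hit:
            family, expected_name = hit
            reasons.append("known_bad_hash")
            # The hash is what matters; a different on-disk name means a rename.
            if ntpath.basename(path).lower() != expected_name.lower():
                reasons.append("renamed_tool")
        if path.lower().startswith(STAGING_PREFIXES):
            reasons.append("staging_path")
        if reasons:
            findings.append(Finding(sha1, path, row["key_last_write"], reasons, family))
    return findings
```

Each finding carries `evidence="presence"` so downstream reporting keeps the artifact's limitation explicit: corroborate with Prefetch, event logs, or other execution artifacts before claiming the file ran.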
Related Terms
Windows-Registry
Examples & Use Cases
**Deleted malware identified by hash** — Attacker removes a dropper post-execution. The file is gone but AmCache retains its SHA-1. A hit on VirusTotal confirms the family and variant without needing the binary.

**Renamed tool exposed** — An attacker renames mimikatz.exe to svcupdate.exe. The filename looks clean. The SHA-1 in AmCache matches the known Mimikatz hash in the threat intel feed. Rename didn't help.

**Staging path recorded** — AmCache captures the full path where the binary lived (`C:\Users\Public\Downloads\update.exe`), confirming a suspicious staging location even after the file is wiped.

### Further Reading

- [SANS DFIR — AmCache Investigation](https://www.youtube.com/watch?v=_DqTBYeQ8yA)
- [Cyber Engage — AmCache Hive Analysis](https://www.cyberengage.org/post/amcache-hiv-analysis-tool-registry-explorer)
- [DFIR Training — AmCache Artifact Reference](https://www.dfir.training/artifact/win-os/amcache?order=alpha)