Amcache.hve
What is Amcache.hve?
A Windows registry hive that records detailed metadata about every executable that has run or been present on a system, including SHA-1 hashes, providing strong execution evidence on modern Windows.
Amcache.hve, located in C:\Windows\AppCompat\Programs\, is a registry hive populated by the Application Experience service. It stores rich metadata about executables, drivers, and installed programs, including full path, file size, PE compile time, last-modified time, publisher, and a SHA-1 hash of the first 31 MB of the binary. On Windows 8 and later, Amcache effectively superseded Shimcache as the primary program-execution artifact because it records executables that were merely scanned, not only those that were launched. Investigators use AmcacheParser (Eric Zimmerman) to extract InventoryApplicationFile entries, then hash-match against threat intelligence to identify malware that has long since been deleted.
● Examples
- 01
Identifying a now-deleted Cobalt Strike beacon by its SHA-1 stored in Amcache.hve.
- 02
Building a list of every binary ever resident in C:\Users\Public\ for triage.
● Frequently asked questions
What is Amcache.hve?
A Windows registry hive that records detailed metadata about every executable that has run or been present on a system, including SHA-1 hashes, providing strong execution evidence on modern Windows. It belongs to the Forensics & IR category of cybersecurity.
What does Amcache.hve mean?
A Windows registry hive that records detailed metadata about every executable that has run or been present on a system, including SHA-1 hashes, providing strong execution evidence on modern Windows.
How does Amcache.hve work?
Amcache.hve, located in C:\Windows\AppCompat\Programs\, is a registry hive populated by the Application Experience service. It stores rich metadata about executables, drivers, and installed programs, including full path, file size, PE compile time, last-modified time, publisher, and a SHA-1 hash of the first 31 MB of the binary. On Windows 8 and later, Amcache effectively superseded Shimcache as the primary program-execution artifact because it records executables that were merely scanned, not only those that were launched. Investigators use AmcacheParser (Eric Zimmerman) to extract InventoryApplicationFile entries, then hash-match against threat intelligence to identify malware that has long since been deleted.
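As an added example (not code from this page or from the AmcacheParser project), the triage described above and in the Examples section run over a constructed AmcacheParser-style CSV: normalise the stored hash, match it against an intelligence set, flag files larger than 31 MB whose Amcache hash is only partial, and list every binary ever resident under C:\Users\Public\. The column names are an assumption about the tool's export and should be checked against a real one.

```python
"""Triage of AmcacheParser CSV output (added example, not the tool's own code)."""
import csv
import io

# Constructed sample rows in the shape of an AmcacheParser file-entry export.
# Column names are an assumption about the tool's output; verify against yours.
SAMPLE_ROWS = [
    ("0000" + "a" * 40, r"c:\users\public\update.exe", "29184", "2024-03-01 10:15:02"),
    ("b" * 40, r"c:\windows\system32\notepad.exe", "201216", "2024-01-12 09:00:00"),
    ("c" * 40, r"C:\Users\Public\Libraries\svc.dll", "40960", "2024-03-01 10:16:40"),
    ("d" * 40, r"c:\program files\big\setup.exe", "52428800", "2024-02-20 08:00:00"),
]
SAMPLE_CSV = "SHA1,FullPath,Size,FileKeyLastWriteTimestamp\n" + "".join(
    ",".join(row) + "\n" for row in SAMPLE_ROWS
)

# Constructed placeholder indicator; in practice this set comes from a threat-intel feed.
KNOWN_BAD_SHA1 = {"a" * 40}

PARTIAL_HASH_LIMIT = 31 * 1024 * 1024  # Amcache hashes only the first 31 MB of a file


def normalize_sha1(value):
    """The raw hive stores the hash as '0000' + SHA-1; strip that prefix if present."""
    value = value.strip().lower()
    if len(value) == 44 and value.startswith("0000"):
        value = value[4:]
    return value


def parse_entries(text):
    """Parse the CSV export into dicts with a normalised 40-hex-char SHA1 field."""
    return [dict(row, SHA1=normalize_sha1(row["SHA1"])) for row in csv.DictReader(io.StringIO(text))]


def hash_matches(entries, bad_hashes):
    """Return (hits, partial): hits are intel matches; partial are files over 31 MB,
    whose Amcache hash can never equal a full-file hash and need separate review."""
    hits, partial = [], []
    for entry in entries:
        if entry["SHA1"] in bad_hashes:
            hits.append(entry["FullPath"])
        elif int(entry["Size"]) > PARTIAL_HASH_LIMIT:
            partial.append(entry["FullPath"])
    return hits, partial


def binaries_under(entries, prefix=r"c:\users\public" + "\\"):
    """Every path ever recorded under the given directory (case-insensitive)."""
    return sorted(e["FullPath"] for e in entries if e["FullPath"].lower().startswith(prefix))
```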
What are other names for Amcache.hve?
Common alternative names include: Amcache, AppCompat Amcache.
● Related terms
- Shimcache (AppCompatCache): A Windows registry value that tracks executable metadata for application-compatibility checks; historically used as execution evidence, with important interpretation caveats.
- Prefetch Files: Windows .pf files in C:\Windows\Prefetch that record process startup data and provide strong forensic evidence that an executable ran on a system.
- MFT (Master File Table): The core NTFS metadata structure that stores one 1024-byte record per file or directory on a volume, anchoring nearly all Windows file-system forensics.
- $UsnJrnl ($J): The NTFS Update Sequence Number change journal that records every file-system operation, giving forensic investigators a high-resolution timeline of file creation, modification, and deletion.
- Jump Lists: Per-application history files keyed by Windows AppID that record the recent files and tasks a user opened, providing strong evidence of file access tied to a specific program.
● See also
- Shellbags
- pagefile.sys
- hiberfil.sys
- Order of Volatility