Vol. 1 · Ed. 2026
CyberGlossary
Entry № 049

Amcache.hve

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Amcache.hve?

Amcache.hve: A Windows registry hive that records detailed metadata about every executable that has run or been present on a system, including SHA-1 hashes, providing strong execution evidence on modern Windows.


Amcache.hve, located in C:\Windows\AppCompat\Programs, is a registry hive populated by the Application Experience service. It stores rich metadata about executables, drivers, and installed programs, including full path, file size, PE compile time, last-modified time, publisher, and a SHA-1 hash of the first 31 MB of the binary. On Windows 8 and later, Amcache effectively superseded Shimcache as the primary program-execution artifact because it captures samples even when they were merely scanned, not necessarily launched. Investigators use AmcacheParser (Eric Zimmerman) to extract InventoryApplicationFile entries, then hash-match against threat intelligence to identify malware that has long since been deleted.

A critical nuance: an Amcache InventoryApplicationFile entry proves a binary was present on the system, not that it definitely executed — the Application Experience / PCA service inventories files it discovers, so the artifact is best described as evidence of existence rather than guaranteed execution. The stored FileID is the file's SHA-1 prefixed with four zeroes, and crucially that hash covers only the first 31,457,280 bytes (≈31 MB); for larger binaries it will not match a full-file SHA-1 on VirusTotal — a frequent source of "missed" detections. Each entry also records its own registry key LastWrite time, which approximates when the file was first inventoried.
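The 31 MB hash limit and the four-zero FileID prefix are the two details that most often break a threat-intel pivot, so here is an added example (not code from the glossary or from AmcacheParser) that hashes a file the way Amcache does, strips the prefix, and matches rows against an intel set. The row shape (path, FileID), the function names and the sample binaries are all constructed for illustration.

```python
import hashlib
import io

# Amcache hashes only the first 31,457,280 bytes of a binary (roughly 31 MB).
AMCACHE_HASH_LIMIT = 31_457_280


def amcache_sha1(stream, limit=AMCACHE_HASH_LIMIT):
    """SHA-1 over at most `limit` bytes read from the start of a file-like object."""
    h = hashlib.sha1()
    remaining = limit
    while remaining > 0:
        chunk = stream.read(min(1 << 20, remaining))  # 1 MiB reads, never past the limit
        if not chunk:
            break
        h.update(chunk)
        remaining -= len(chunk)
    return h.hexdigest()


def fileid_to_sha1(file_id):
    """Strip the four-zero prefix Amcache stores in front of the 40-hex-char SHA-1."""
    fid = file_id.strip().lower()
    if len(fid) != 44 or not fid.startswith("0000"):
        raise ValueError("unexpected FileID format: %r" % file_id)
    return fid[4:]


def match_entries(entries, intel_sha1s):
    """Return (path, sha1) for each (path, FileID) row whose SHA-1 is in the intel set."""
    wanted = {s.lower() for s in intel_sha1s}
    return [(path, fileid_to_sha1(fid)) for path, fid in entries
            if fileid_to_sha1(fid) in wanted]


def demo():
    """Constructed samples: one small 'binary' and one two bytes past the hash limit."""
    small = b"MZ" + b"A" * 100
    large = b"MZ" + b"B" * AMCACHE_HASH_LIMIT
    small_amc = amcache_sha1(io.BytesIO(small))
    large_amc = amcache_sha1(io.BytesIO(large))
    large_full = amcache_sha1(io.BytesIO(large), limit=len(large))  # full-file SHA-1
    entries = [  # constructed rows in the (path, FileID) shape
        (r"C:\Users\Public\beacon.exe", "0000" + small_amc),
        (r"C:\Users\Public\big_loader.exe", "0000" + large_amc),
    ]
    intel = {small_amc, large_full}  # constructed feed: full-file hashes only
    return {
        "small_matches_full": small_amc == amcache_sha1(io.BytesIO(small), limit=len(small)),
        "large_differs": large_amc != large_full,  # the "missed detection" case
        "hits": match_entries(entries, intel),
    }
```

For a file under the limit the Amcache hash equals its full-file SHA-1, so it matches; the oversized loader is missed because the feed holds a full-file hash, which is exactly the gap the text describes.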

On Windows 10/11 the hive root holds both InventoryApplicationFile (executables) and InventoryDriverBinary (drivers), making Amcache one of the few artifacts that surfaces the malicious signed drivers used in BYOVD (bring-your-own-vulnerable-driver) attacks. Analysts parse it with AmcacheParser or the RegRipper amcache plugin, then pivot the SHA-1 values against threat intelligence to reconstruct an adversary timeline — a technique taught in SANS FOR500/FOR508 and used to attribute now-deleted Cobalt Strike beacons and ransomware loaders long after the binaries were wiped.

flowchart TD
  A[Application Experience / PCA service] -->|inventories binary| B[Amcache.hve]
  B --> C[InventoryApplicationFile: path, size, SHA-1 of first 31MB]
  B --> D[InventoryDriverBinary: drivers]
  C --> E[AmcacheParser / RegRipper]
  D --> E
  E -->|SHA-1 pivot| F[Threat-intel match]
  F --> G[Reconstruct timeline]

Examples

  1. Identifying a now-deleted Cobalt Strike beacon by its SHA-1 stored in Amcache.hve.

  2. Building a list of every binary ever resident in C:\Users\Public\ for triage.

Frequently asked questions

What is Amcache.hve?

A Windows registry hive that records detailed metadata about every executable that has run or been present on a system, including SHA-1 hashes, providing strong execution evidence on modern Windows. It belongs to the Forensics & IR category of cybersecurity.

What are other names for Amcache.hve?

Common alternative names include: Amcache, AppCompat Amcache.
