The Windows Amcache Hive

This week I talk about Amcache forensics, a Windows artifact that collects details about programs that have been run on a given system. This evidence can support malware/intrusion investigations, file use and knowledge examinations, and data spoliation inquiries.

Show Notes


The Amcache.hve is a Windows Registry Hive that contains data about applications that have been run on a Windows system. The artifact also contains the file path for the executable, the date and time it was first run, the programs’ SHA1 hash value and some product and version information.

Artifact Location: C:\Windows\AppCompat\Programs\Amcache.hve

Note: During my testing I could not easily extract the Amcache.hve file from a live system as the operating system locks the file. No issues with dead box extraction.
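As an added example (not from the episode or from any of the tools linked below), a small Python triage pass over already-parsed Amcache rows: it drops entries that were run from standard install directories and carry product metadata, orders the remaining entries by first-run time, and compares a file's hash with the SHA1 value recorded in Amcache. The CSV column names, the trusted-directory heuristic and the 31,457,280-byte hashing limit are assumptions, not details from the show notes.

```python
import csv
import hashlib
import io
from datetime import datetime

# Constructed sample rows in a simplified CSV layout (column names are an
# assumption modelled loosely on parser output, not any tool's exact schema).
# SHA1 values are placeholders; timestamps are ISO 8601, UTC.
SAMPLE_CSV = """FullPath,FirstRun,SHA1,ProductName,ProductVersion
C:\\Windows\\System32\\notepad.exe,2019-03-02T10:15:00,<sha1-1>,Microsoft Windows,10.0
C:\\Program Files\\7-Zip\\7z.exe,2019-03-03T08:00:00,<sha1-2>,7-Zip,19.00
C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe,2019-03-05T02:41:00,<sha1-3>,,
C:\\Users\\alice\\Downloads\\invoice.pdf.exe,2019-03-05T02:39:00,<sha1-4>,,
"""

# Directories expected to hold installed software. Treating everything else
# (user profile, temp, downloads) as signal is a simple triage heuristic
# chosen for this example, not a rule from the original page.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Assumption: Amcache's SHA1 covers only the first 31,457,280 bytes of a file,
# so the comparison must hash the same prefix or large files never match.
AMCACHE_HASH_LIMIT = 31457280

def load_rows(text):
    """Parse CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def is_noise(row):
    """Installed software in a trusted directory with product metadata."""
    path = row["FullPath"].lower()
    return path.startswith(TRUSTED_PREFIXES) and bool(row["ProductName"])

def signal(rows):
    """Return the non-noise rows ordered by first-run time, oldest first."""
    hits = [r for r in rows if not is_noise(r)]
    return sorted(hits, key=lambda r: datetime.fromisoformat(r["FirstRun"]))

def amcache_style_sha1(data):
    """SHA1 over at most the first AMCACHE_HASH_LIMIT bytes, as hex."""
    return hashlib.sha1(data[:AMCACHE_HASH_LIMIT]).hexdigest()

def sha1_matches(data, recorded_sha1):
    """True when a recovered file's bytes hash to the value Amcache recorded."""
    return amcache_style_sha1(data) == recorded_sha1.strip().lower()
```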



Amcacheparser: Windows command line tool (free)

RegRipper: Amcache plugin (free), Python tool (free)

EnCase: Enscript, links for v6 and v7 enscripts may be found in this article



Amcache Parser: Reducing the Noise, Finding the Signal

Amcache.hve in Windows 8 – Goldmine for malware hunters

Amcache.hve – Part 2

* Views are based on my own experience, resources are cited where applicable.
