
Why Was Amcache Created in Windows?
Microsoft introduced amcache.hve in Windows 8 as part of its push to improve application performance and compatibility. It tracks details about executed programs to help features like SmartScreen and application compatibility layers.
While it was designed for system optimisation, digital‑forensics professionals quickly realised its hidden value. This file quietly logs a timeline of executed binaries—making it a powerful source of evidence during malware investigations or compromise analysis. In short: built for performance, repurposed for forensics.
What Is an Amcache?
The amcache.hve file is a hidden registry hive in Windows that logs metadata about programs executed on the system. It lives at:
C:\Windows\AppCompat\Programs\Amcache.hve
This file updates automatically when an application runs, capturing valuable forensic details like:
- File path and name
- SHA‑1 hash of the executable
- File size and timestamps
- Publisher and product name
- Program ID and volume info
It’s essentially a catalogue of executed files—indispensable when you need to know what ran, when, and from where. Even if a binary is deleted, Amcache may still hold its ghost.
How Amcache Helps in Digital Forensics Investigations
When a Windows system is compromised, investigators need reliable artefacts. Amcache.hve is one of those silent powerhouses.
- Correlating Amcache with Prefetch — while Amcache stores metadata (file path, SHA‑1, install time), Prefetch files record execution counts and timestamps. Matching entries in both artefacts strongly confirm execution.
- Cross‑artefact evidence — even if a binary is deleted or modified, these artefacts preserve its digital shadow, strengthening the chain of evidence.
Amcache.hve Analysis
Amcache tracks installed applications, executed programs, loaded drivers, and more. The Inventory → ApplicationFile key is a great starting point. Use Registry Explorer to parse the hive.

Parsing Amcache with AmcacheParser
AmcacheParser outputs multiple CSV files. It separates entries associated with installed software from those that are unassociated—the latter often reveal suspicious executables.
AmcacheParser.exe -i -f C:\Windows\AppCompat\Programs\Amcache.hve --csv D:\Cases

Load the CSV into Timeline Explorer to filter, sort, and analyse execution timestamps and metadata.
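The correlation described in the "How Amcache Helps" section and the CSV triage described above can be scripted once AmcacheParser and a Prefetch parser have produced their CSVs. The script below is an added example written for this article; it is not code from the article, from AmcacheParser, or from Timeline Explorer. It assumes column names resembling those in AmcacheParser's unassociated-file-entries CSV and in PECmd's Prefetch CSV (SHA1, FullPath, Name, FileKeyLastWriteTimestamp, IsOsComponent, ExecutableName, RunCount, LastRun), and all sample rows are constructed for the example. It joins the two artefacts by executable name, sorts the result into a timeline, and flags non-OS binaries in user-writable locations for a closer look. One caveat it encodes: an Amcache entry on its own shows that a file was inventoried, while the Prefetch match is what corroborates execution and gives a run count.

```python
"""Correlate AmcacheParser and Prefetch (PECmd-style) CSV output into one timeline.

Added example for this article; not the tools' own code. Column names are
assumptions modelled on AmcacheParser / PECmd output, and the rows below are
constructed sample data, not taken from any real system.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample: AmcacheParser unassociated-file entries (column subset).
AMCACHE_CSV = """\
SHA1,FullPath,Name,FileKeyLastWriteTimestamp,Size,ProductName,IsOsComponent
0000000000000000000000000000000000000001,c:\\users\\alice\\appdata\\local\\temp\\update.exe,update.exe,2024-03-04 10:15:02,184320,,False
0000000000000000000000000000000000000002,c:\\windows\\system32\\notepad.exe,notepad.exe,2024-03-01 08:00:00,201216,Microsoft Windows,True
0000000000000000000000000000000000000003,c:\\programdata\\svc\\loader.exe,loader.exe,2024-03-04 10:16:40,90112,,False
"""

# Constructed sample: Prefetch parser output (column subset).
PREFETCH_CSV = """\
ExecutableName,SourceFilename,RunCount,LastRun
UPDATE.EXE,C:\\Windows\\Prefetch\\UPDATE.EXE-1A2B3C4D.pf,3,2024-03-04 10:15:05
NOTEPAD.EXE,C:\\Windows\\Prefetch\\NOTEPAD.EXE-ABCDEF01.pf,12,2024-03-03 09:30:11
"""

# Directories legitimate software rarely runs from. A hit here is a triage
# flag for the analyst, not proof that the binary is malicious.
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\programdata\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
)


def parse_ts(value):
    """Parse the 'YYYY-MM-DD HH:MM:SS' timestamps used in the sample CSVs as UTC."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def load_amcache(text):
    return list(csv.DictReader(io.StringIO(text)))


def load_prefetch(text):
    # Index Prefetch rows by executable name (case-insensitive) for the join.
    return {row["ExecutableName"].lower(): row for row in csv.DictReader(io.StringIO(text))}


def correlate(amcache_rows, prefetch_index):
    """Join Amcache entries to Prefetch entries by file name.

    Returns dicts sorted by Amcache key timestamp. Each records whether a
    Prefetch entry corroborates execution and whether the path is unusual.
    """
    results = []
    for row in amcache_rows:
        name = row["Name"].lower()
        pf = prefetch_index.get(name)
        path = row["FullPath"].lower()
        results.append({
            "name": name,
            "path": row["FullPath"],
            "sha1": row["SHA1"],
            "amcache_time": parse_ts(row["FileKeyLastWriteTimestamp"]),
            "prefetch_corroborated": pf is not None,
            "run_count": int(pf["RunCount"]) if pf else 0,
            "last_run": parse_ts(pf["LastRun"]) if pf else None,
            "suspicious_path": any(d in path for d in SUSPICIOUS_DIRS),
            "os_component": row["IsOsComponent"].lower() == "true",
        })
    results.sort(key=lambda r: r["amcache_time"])
    return results


def triage(results):
    """Entries worth a closer look: non-OS binaries living in unusual locations."""
    return [r for r in results if r["suspicious_path"] and not r["os_component"]]


if __name__ == "__main__":
    timeline = correlate(load_amcache(AMCACHE_CSV), load_prefetch(PREFETCH_CSV))
    for r in timeline:
        if r["prefetch_corroborated"]:
            status = "Prefetch confirms %d run(s), last %s" % (r["run_count"], r["last_run"])
        else:
            status = "no Prefetch entry (inventoried, execution not corroborated)"
        flag = "  [unusual location]" if r["suspicious_path"] else ""
        print("%s  %-12s %s  %s%s" % (r["amcache_time"], r["name"], r["sha1"][:12], status, flag))
```

Run it against real output by replacing the two constructed strings with the contents of the parser CSVs; in the sample data, loader.exe appears in Amcache with no Prefetch entry, which is exactly the kind of gap (binary inventoried, execution unconfirmed, or Prefetch purged) that deserves a note in the case file rather than a conclusion.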

Conclusion
Though often overlooked, amcache.hve is a goldmine for forensic investigators. It logs executed programs, installed apps, and traces of deleted files—making it crucial in Windows investigations. With tools like Registry Explorer, AmcacheParser, and Timeline Explorer, you can extract, analyse, and correlate this data to uncover the story behind system activity.