AmCache.hve
C:\Windows\AppCompat\Programs\Amcache.hve
AmCache.hve is a standalone registry hive written by the Windows application-compatibility components (the Microsoft Compatibility Appraiser scheduled task and the Program Compatibility Assistant service). It records metadata for executables the OS has inventoried, including a SHA-1 hash of each file, which makes it one of the few native Windows artifacts that let you fingerprint a binary without running a separate tool. Caveat: the SHA-1 covers only the first 31,457,280 bytes of a file, so a full-file hash of a larger binary will not match the value stored in the hive.
Key Name
Root\InventoryApplicationFile\<per-file subkey> (Windows 10 1709 and later), one subkey per unique executable; older hives (Windows 8 and early Windows 10) store the equivalent data under Root\File\{VolumeGUID}\<FileReferenceID>
Trace Type
Execution / file existence. An entry proves the file existed on the system and was inventoried; on its own it does not prove the file was executed.
Hive
AmCache.hve, a standalone hive at C:\Windows\AppCompat\Programs\ (with its transaction logs Amcache.hve.LOG1 and Amcache.hve.LOG2 alongside; parse it like any other registry hive)
Last Write Time
Reflects when the inventory component first processed that specific binary, a close approximation of first execution or of first appearance of the file on this system. Because the Compatibility Appraiser also inventories files it scans without running them, corroborate execution with Prefetch or process-creation logging (Security event 4688 or Sysmon event 1) before stating that a binary ran.
User Specific
No. System-wide: captures executables run by any account, including SYSTEM and service processes.
Forensic Value
- Identify renamed malware: The FileId value stores the SHA-1 hash of the executable content, prefixed with four zero characters. A renamed copy keeps the same SHA-1, so grouping entries by FileId exposes the same binary under different names and paths, and the hash can be checked against threat-intelligence feeds or known-good hash sets. Correlate the recorded path with ShimCache, which records paths and timestamps but no hashes, to spot path mismatches.
- Prove external device use: If a tool ran from a removable drive, AmCache retains the full path (including the non-system drive letter) and the hash, showing that the portable binary was present on this machine and exactly which build it was.
- Detect anti-forensics: AmCache entries persist even after the source binary or its Prefetch file has been deleted, so the path and hash survive when the file itself does not.
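The triage logic described in the three points above, as an added example that is not part of the original page. The records are constructed to mimic what a hive parser such as AmcacheParser exports for Root\InventoryApplicationFile (value names FileId, Name, LowerCaseLongPath, Size); no hive is read, the hashes are made up, and treating every drive other than C: as external is an assumption for the example. The helpers strip the four-zero prefix from FileId, group entries by SHA-1 to find renamed copies, flag the same file name appearing with different hashes (masquerading), list entries from non-system drives, and hash a recovered binary the way AmCache does (first 31,457,280 bytes only) so it can be compared with the stored value.

```python
"""Triage helpers for AmCache InventoryApplicationFile records.

Added example, not code from the original page. The records below are
constructed to mimic what a hive parser (e.g. AmcacheParser) exports for
Root\InventoryApplicationFile; no hive is read here.
"""
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Optional

# AmCache hashes only the first 31,457,280 bytes of a file. A full-file
# SHA-1 of a larger binary will NOT match the stored FileId.
AMCACHE_HASH_LIMIT = 31_457_280
HEX40 = re.compile(r"^[0-9a-f]{40}$")

# Assumption for this example: anything not on C: is treated as external media.
SYSTEM_DRIVES = {"c:"}


def sha1_from_file_id(file_id: str) -> Optional[str]:
    """Extract the SHA-1 from a FileId value ("0000" + 40 hex chars).
    Returns None for malformed values instead of matching garbage."""
    value = file_id.strip().lower()
    if len(value) == 44 and value.startswith("0000"):
        value = value[4:]
    return value if HEX40.match(value) else None


def amcache_sha1(data: bytes) -> str:
    """SHA-1 computed the way AmCache does: only the first 31,457,280 bytes."""
    return hashlib.sha1(data[:AMCACHE_HASH_LIMIT]).hexdigest()


def amcache_sha1_of_file(path: str) -> str:
    """Same as amcache_sha1 but reads from disk without loading the whole file."""
    with open(path, "rb") as fh:
        return hashlib.sha1(fh.read(AMCACHE_HASH_LIMIT)).hexdigest()


def verify_against_record(record: dict, data: bytes) -> bool:
    """True if a recovered binary matches the hash AmCache recorded for it."""
    return amcache_sha1(data) == sha1_from_file_id(record["FileId"])


def find_renamed_copies(records: List[dict]) -> Dict[str, List[str]]:
    """Same SHA-1 under more than one file name: a renamed or copied binary."""
    by_hash = defaultdict(list)
    for rec in records:
        sha1 = sha1_from_file_id(rec["FileId"])
        if sha1:
            by_hash[sha1].append(rec["LowerCaseLongPath"])
    return {h: sorted(paths) for h, paths in by_hash.items()
            if len({x.rsplit("\\", 1)[-1] for x in paths}) > 1}


def find_name_collisions(records: List[dict]) -> Dict[str, List[str]]:
    """Same file name with different hashes: masquerading (e.g. a fake svchost.exe)."""
    by_name = defaultdict(set)
    for rec in records:
        sha1 = sha1_from_file_id(rec["FileId"])
        if sha1:
            by_name[rec["Name"].lower()].add(sha1)
    return {n: sorted(h) for n, h in by_name.items() if len(h) > 1}


def find_external_drive_entries(records: List[dict]) -> List[str]:
    """Paths whose drive letter is not a system drive (removable/external media)."""
    return [r["LowerCaseLongPath"] for r in records
            if r["LowerCaseLongPath"][:2].lower() not in SYSTEM_DRIVES]


# --- Constructed sample data (not real hashes, not a real PE) ---
SAMPLE_BINARY = b"MZ" + b"\x90" * 62 + b"constructed sample, not a real PE"
SAMPLE_SHA1 = amcache_sha1(SAMPLE_BINARY)
LEGIT_HASH = "3b5b4c0e9f2d1a8e7c6f5d4b3a2918f7e6d5c4b3"
RENAMED_HASH = "d41d8cd98f00b204e9800998ecf8427edeadbeef"

SAMPLE_RECORDS = [
    {"FileId": "0000" + LEGIT_HASH, "Name": "svchost.exe",
     "LowerCaseLongPath": r"c:\windows\system32\svchost.exe", "Size": 55320},
    {"FileId": "0000" + RENAMED_HASH, "Name": "svchost.exe",
     "LowerCaseLongPath": r"c:\programdata\svchost.exe", "Size": 120832},
    {"FileId": "0000" + RENAMED_HASH, "Name": "pe.exe",
     "LowerCaseLongPath": r"e:\tools\pe.exe", "Size": 120832},
    {"FileId": "0000" + SAMPLE_SHA1, "Name": "sample.exe",
     "LowerCaseLongPath": r"c:\users\public\sample.exe", "Size": len(SAMPLE_BINARY)},
    {"FileId": "not-a-hash", "Name": "broken.exe",
     "LowerCaseLongPath": r"c:\temp\broken.exe", "Size": 0},
]

if __name__ == "__main__":
    print("renamed copies:", find_renamed_copies(SAMPLE_RECORDS))
    print("name collisions:", find_name_collisions(SAMPLE_RECORDS))
    print("external drives:", find_external_drive_entries(SAMPLE_RECORDS))
    print("sample.exe matches record:",
          verify_against_record(SAMPLE_RECORDS[3], SAMPLE_BINARY))
```

In a real case, feed the exported InventoryApplicationFile rows in place of SAMPLE_RECORDS and use amcache_sha1_of_file on any binary recovered from disk or carved from unallocated space; a mismatch against FileId on a file under 31,457,280 bytes means the file on disk is not the one the inventory saw.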
For more info, see the related artifact page: ShimCache