AmcacheParser
A forensic analysis tool for parsing the Windows Amcache hive to identify program presence, execution-related metadata and application installation activity.
AmcacheParser is a command-line forensic utility developed by Eric Zimmerman for extracting file and application metadata from the Windows Amcache.hve registry hive (normally C:\Windows\AppCompat\Programs\Amcache.hve). Windows maintains the Amcache as part of its application compatibility and telemetry infrastructure, inventorying executables, drivers and installed applications with their paths, SHA-1 hashes and version data. Because the inventory survives deletion of the files it describes, it is a valuable artifact for showing that a program was present on a system, even after an attacker has removed it.
AmcacheParser is widely used in DFIR investigations, malware analysis and threat hunting to establish timelines and uncover attacker tooling.
What AmcacheParser Does
AmcacheParser parses the Amcache.hve file to recover details about executables, drivers and installed applications inventoried by the system. This includes file names, full paths, SHA-1 hashes, sizes, version strings, PE link (compile) times and the timestamp at which each entry was written, which investigators commonly treat as the first time the file was seen. Two caveats matter in practice: the recorded SHA-1 covers at most the first 31,457,280 bytes (30 MiB) of the file, so a full-file hash of a larger binary will not match it; and an Amcache entry shows that a file was present and inventoried, not by itself that it ran, because the compatibility inventory tasks also record binaries that were never executed. Execution should be corroborated with Prefetch, ShimCache, UserAssist, SRUM or event log evidence.
Because Amcache records persist beyond file deletion and system reboots, they provide durable evidence of program presence on Windows systems, and a durable hash and path to pivot on once execution is confirmed elsewhere.
Key Features of AmcacheParser
Amcache.hve Parsing: extracts file, driver and application inventory records from the Amcache hive (a separate artifact from the ShimCache / AppCompatCache stored in the SYSTEM hive).
Program Execution Evidence: identifies executables and drivers inventoried on the system, to be corroborated with execution artifacts such as Prefetch or ShimCache.
File Hash and Metadata Extraction: retrieves SHA-1 hashes (of the first 30 MiB of each file), file paths, sizes, versions and PE link timestamps.
Driver and Service Visibility: reveals kernel drivers and low-level components registered on the system.
Historical Artifact Recovery: surfaces evidence even after binaries are deleted.
Accurate Timestamp Handling: parses the entry write time (first seen) and related time fields, reported in UTC.
Command-Line Automation: designed for scripted and large-scale forensic workflows.
CSV Output Support: exports structured data for analysis, reporting and correlation.
Integration with Zimmerman Toolset: works with Timeline Explorer, KAPE and other DFIR utilities.
Advanced Use Cases
Malware Presence and Execution Confirmation
Establish that malware, droppers or living-off-the-land binaries were present, and recover their hashes and paths, then confirm execution with a second artifact.
Timeline Reconstruction
Establish when tools, scripts, or payloads were first observed.
Threat Hunting
Identify suspicious or unauthorized executables across endpoints.
Incident Response
Confirm attacker tool usage during post-compromise analysis.
Legal and Compliance Investigations
Provide defensible evidence of application execution and installation.
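The hash caveat above and the threat-hunting and timeline use cases can be worked through on the parser's own output. After running `AmcacheParser.exe -f Amcache.hve --csv <output dir>` on an offline copy of the hive, the resulting UnassociatedFileEntries CSV can be triaged with a short script. The following is an added example, not code from AmcacheParser or its author: it assumes the Windows 10+ column names FileKeyLastWriteTimestamp, SHA1, FullPath and Name and the tool's default `yyyy-MM-dd HH:mm:ss` UTC timestamp format, and the three CSV rows are constructed for illustration. It flags PE files first seen in user-writable directories, system binary names living outside System32, and SHA-1 matches against a known-bad set, and it shows how to hash a recovered file the way Amcache does (first 30 MiB only) so that comparisons against the recorded SHA1 are meaningful.

```python
"""Triage AmcacheParser CSV output and verify Amcache-style SHA-1 hashes.

Example code, not part of AmcacheParser. Column names and timestamp format
are assumptions about the tool's UnassociatedFileEntries CSV output.
"""
import csv
import hashlib
import io
from datetime import datetime, timezone

# Amcache records the SHA-1 of at most the first 31,457,280 bytes (30 MiB).
AMCACHE_HASH_LIMIT = 31_457_280

# Directories an unprivileged user can write to; a PE first seen here deserves a look.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

# Names attackers borrow; the legitimate copies live under \windows\system32\.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "explorer.exe"}

# Constructed sample rows (subset of columns). Timestamps are UTC as AmcacheParser emits them.
SAMPLE_CSV = """FileKeyLastWriteTimestamp,SHA1,IsOsComponent,FullPath,Name,Size,LinkDate,IsPeFile
2025-03-02 09:14:55,3f786850e387550fdab836ed7e6dc881de23001b,False,c:\\windows\\system32\\notepad.exe,notepad.exe,201216,2024-11-03 04:20:11,True
2025-03-02 09:15:01,da39a3ee5e6b4b0d3255bfef95601890afd80709,False,c:\\users\\jdoe\\appdata\\local\\temp\\svchost.exe,svchost.exe,73216,2025-03-01 22:41:09,True
2025-03-02 09:15:02,a9993e364706816aba3e25717850c26c9cd0d89d,False,c:\\programdata\\update\\m.exe,m.exe,51200,2025-02-28 13:00:00,True
"""


def utc(ts):
    """Parse AmcacheParser's default 'yyyy-MM-dd HH:mm:ss' UTC timestamp."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def normalize_sha1(value):
    """Return a lowercase 40-hex SHA-1; tolerate the '0000' prefix the hive stores in FileId."""
    value = value.strip().lower()
    if len(value) == 44 and value.startswith("0000"):
        value = value[4:]
    return value


def parse_entries(csv_text):
    """Load rows from the UnassociatedFileEntries CSV, adding a parsed FirstSeen datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["FirstSeen"] = utc(row["FileKeyLastWriteTimestamp"])
        row["FullPath"] = row["FullPath"].lower()
        row["SHA1"] = normalize_sha1(row["SHA1"])
        rows.append(row)
    return rows


def flag_entry(entry, known_bad):
    """Return the list of reasons an entry looks suspicious (empty if none)."""
    reasons = []
    path = entry["FullPath"]
    if any(frag in path for frag in USER_WRITABLE):
        reasons.append("pe in user-writable path")
    if entry["Name"].lower() in SYSTEM_NAMES and "\\windows\\system32\\" not in path:
        reasons.append("system binary name outside system32")
    if entry["SHA1"] in known_bad:
        reasons.append("sha1 matches known-bad")
    return reasons


def triage(csv_text, known_bad=frozenset(), start=None, end=None):
    """Return [(first_seen, path, reasons)] for flagged entries inside the window, oldest first."""
    hits = []
    for e in parse_entries(csv_text):
        if (start and e["FirstSeen"] < start) or (end and e["FirstSeen"] > end):
            continue
        reasons = flag_entry(e, known_bad)
        if reasons:
            hits.append((e["FirstSeen"], e["FullPath"], reasons))
    hits.sort(key=lambda h: h[0])
    return hits


def amcache_sha1(source, chunk=1 << 20):
    """SHA-1 of the first AMCACHE_HASH_LIMIT bytes only, as Amcache records it.

    `source` is bytes or a binary stream (e.g. open(path, 'rb')).
    """
    stream = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    h = hashlib.sha1()
    remaining = AMCACHE_HASH_LIMIT
    while remaining > 0:
        data = stream.read(min(chunk, remaining))
        if not data:
            break
        h.update(data)
        remaining -= len(data)
    return h.hexdigest()


def hash_matches(source, recorded_sha1):
    """True if a recovered file's Amcache-style hash equals the value from the CSV."""
    return amcache_sha1(source) == normalize_sha1(recorded_sha1)


if __name__ == "__main__":
    bad = {"a9993e364706816aba3e25717850c26c9cd0d89d"}  # constructed known-bad hash
    for first_seen, path, reasons in triage(SAMPLE_CSV, known_bad=bad):
        print(first_seen.isoformat(), path, "; ".join(reasons))
```

The known-bad set stands in for a threat-intel feed or a hash list from a sibling host; when a recovered binary is larger than 30 MiB, only `amcache_sha1` (not a plain full-file SHA-1) will reproduce the value in the SHA1 column. Narrowing with `start`/`end` gives the first-seen window for timeline work, bearing in mind that first-seen is when the inventory wrote the entry, not necessarily when the file first arrived or ran.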
Latest Updates (as of 2026)
Recent improvements and maintenance include:
Continued support for modern Windows 10 and Windows 11 Amcache formats
Improved parsing reliability across OS versions
Performance enhancements for large Amcache datasets
Ongoing alignment with Windows artifact research
Regular maintenance and documentation updates
AmcacheParser remains actively maintained and widely adopted in professional DFIR workflows.
Why It Matters
The Windows Amcache is one of the most reliable sources of evidence that a program was present on a system, and it keeps that evidence, including a SHA-1 hash and full path, after the file itself is gone. AmcacheParser turns this low-level hive data into structured records an investigator can correlate with execution artifacts.
For defenders and investigators, it is essential for establishing what was on a system and when it was first inventoried, especially when attackers attempt to erase their tracks; paired with Prefetch, ShimCache or event logs it confirms what actually ran.
Requirements and Platform Support
AmcacheParser runs on:
Windows
It requires:
An offline copy of the Amcache.hve registry hive (from C:\Windows\AppCompat\Programs\ on the source system; collect it with KAPE or another raw file copier, together with its Amcache.hve.LOG1 and .LOG2 transaction logs so that unflushed changes are not lost)
Official site and repository:
https://github.com/EricZimmerman/AmcacheParser