BIPI

Amcache Forensics: SHA1 Execution Evidence Even After File Deletion

Cybersecurity

Amcache.hve records a SHA1 hash and a key last-write timestamp for executables that the Windows Application Compatibility infrastructure has inventoried on a system. The hash persists after the executable is deleted, giving investigators a cryptographic fingerprint of a binary that is no longer on disk.

By Arjun Raghavan, Security & Systems Lead, BIPI · October 23, 2024 · 9 min read

#dfir #forensics #amcache #windows #execution-artifacts

Amcache.hve is a registry hive stored at C:\Windows\AppCompat\Programs\Amcache.hve. Introduced in Windows 8 as the successor to RecentFileCache.bcf, it records metadata about executables that the Windows Application Compatibility infrastructure has seen, normally because they ran, but also because a compatibility inventory scan found them on disk. The property that matters most forensically is that each entry carries a SHA1 hash of the binary, computed over at most the first 31,457,280 bytes (30 MiB) of the file, so for anything larger the stored hash will not match a full-file hash. When an attacker deletes their tools, the SHA1 in Amcache remains, letting you identify the binary through threat intelligence lookups even after the file is gone.

Amcache Registry Structure

The hive is organized into several root keys, and its layout changed during the Windows 10 lifetime. Older hives (Windows 8 and early Windows 10) keep file entries under Root\File\<volume GUID>\<file reference>, where the file reference is the MFT entry number combined with its sequence number. Current hives use the InventoryApplicationFile key, whose subkeys are named from the lower-case file name, a pipe, and a hash derived from the path. Each subkey holds values including FileId (the SHA1 hash prefixed with 0000), LowerCaseLongPath (full file path), LinkDate (PE linker timestamp), Size, ProductName and ProgramId. The InventoryApplication key holds installed application metadata, and InventoryDriverBinary covers kernel-mode drivers.

  • FileId: the 40-hex-character SHA1 hash prefixed with 0000 (44 characters in total), used as the primary executable identifier; for files over 30 MiB it covers only the first 31,457,280 bytes
  • LowerCaseLongPath: full file system path at the time the entry was written
  • LinkDate: the PE header linker timestamp, useful for identifying compilation age
  • BinFileVersion: version string embedded in the PE version resource
  • Size: file size in bytes at time of recording
  • ProgramId: foreign key linking to InventoryApplication for installed programs

Parsing with AmcacheParser

Eric Zimmerman's AmcacheParser.exe parses the hive offline and writes several CSVs. Run it against an Amcache.hve collected from a triage image: AmcacheParser.exe -f Amcache.hve --csv C:\output\ (add -i to also include file entries that belong to installed programs). The outputs include separate CSVs for UnassociatedFileEntries (files whose ProgramId matches no InventoryApplication entry, which is where standalone tools and malware usually land), AssociatedFileEntries, ProgramEntries, DriverBinaries and DeviceContainers.

  1. Collect Amcache.hve together with its transaction logs (Amcache.hve.LOG1 and .LOG2) using the KAPE Amcache target, and keep them in the same directory so the parser can replay them against a dirty hive
  2. Run AmcacheParser.exe -f Amcache.hve --csv C:\output\
  3. Open the UnassociatedFileEntries CSV in Timeline Explorer
  4. Extract the SHA1 column (strip the leading 0000 prefix if your parser output still carries it) and submit the hashes to VirusTotal or your TI platform; entries for files over 30 MiB carry a partial hash that will not match a full-file lookup
  5. Flag entries whose path is under %TEMP%, %APPDATA%, C:\Users\Public, C:\ProgramData or other user-writable directories
  6. Correlate FileKeyLastWriteTimestamp with Prefetch run times and USN Journal FILE_CREATE records for the same file name
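To make steps 4 and 5 concrete, here is an added Python example (written for this page; it is not part of the original post and not code from AmcacheParser) that triages a constructed CSV shaped like the parser's UnassociatedFileEntries output. It normalises the SHA1 column whether or not the raw FileId's 0000 prefix is still present, flags entries under user-writable or temporary paths, marks entries whose size exceeds the 31,457,280-byte hashing limit, and computes an Amcache-style partial SHA1 so that a quarantined or recovered sample can be matched against the hive. The column names follow AmcacheParser's output; the rows, hashes, sizes and the suspicious-path list are assumptions made for the example.

```python
import csv
import hashlib
import io
import re

# Amcache hashes at most the first 31,457,280 bytes (30 MiB) of a file, so an
# entry for a larger file carries a partial hash that will not match a
# full-file SHA1 from VirusTotal or a sandbox report.
AMCACHE_HASH_LIMIT = 31_457_280

# Locations where an unassociated executable deserves a second look.
# Assumed list for this example, not an authoritative rule set.
SUSPICIOUS_PATH_PATTERNS = [
    r"\\users\\[^\\]+\\appdata\\",   # %APPDATA% and %LOCALAPPDATA%, which contains %TEMP%
    r"\\users\\public\\",
    r"\\windows\\temp\\",
    r"\\programdata\\",
    r"\\perflogs\\",
]


def full_sha1(data: bytes) -> str:
    """Ordinary full-file SHA1, the value a TI platform indexes."""
    return hashlib.sha1(data).hexdigest()


def amcache_style_sha1(data: bytes) -> str:
    """SHA1 the way Amcache records it: over at most the first 30 MiB."""
    return hashlib.sha1(data[:AMCACHE_HASH_LIMIT]).hexdigest()


def normalize_sha1(value: str):
    """Return a 40-char lowercase SHA1, stripping the raw FileId's 0000 prefix if present."""
    h = value.strip().lower()
    if len(h) == 44 and h.startswith("0000"):
        h = h[4:]
    return h if re.fullmatch(r"[0-9a-f]{40}", h) else None


def triage(csv_text: str) -> list:
    """Parse AmcacheParser-style rows into findings with hash and path flags."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["FullPath"].strip().lower()
        size = int(row["Size"] or 0)
        findings.append({
            "path": path,
            "sha1": normalize_sha1(row["SHA1"]),
            "size": size,
            "first_seen": row["FileKeyLastWriteTimestamp"],
            "suspicious_path": any(re.search(p, path) for p in SUSPICIOUS_PATH_PATTERNS),
            "partial_hash": size > AMCACHE_HASH_LIMIT,
        })
    return findings


def ti_lookup_list(findings) -> dict:
    """SHA1 -> note for the entries worth submitting to a TI platform."""
    out = {}
    for f in findings:
        if f["sha1"] and f["suspicious_path"]:
            out[f["sha1"]] = ("partial hash (file > 30 MiB): expect no full-file match"
                              if f["partial_hash"] else "full-file hash")
    return out


# Constructed sample rows in the shape of AmcacheParser's UnassociatedFileEntries CSV.
# The hashes are SHA1s of short strings so they have the right length; paths, sizes
# and timestamps are made up. Row one keeps the raw 0000 prefix, row two does not.
SAMPLE_CSV = "FileKeyLastWriteTimestamp,SHA1,FullPath,Size,LinkDate\n" + "\n".join([
    "2024-10-20 14:03:11,0000" + full_sha1(b"sample-one")
    + r",c:\users\public\m.exe,1355264,2023-04-18 09:12:40",
    "2024-10-20 14:07:55," + full_sha1(b"sample-two")
    + r",c:\users\bob\appdata\local\temp\update.exe,40894464,2024-10-19 22:01:03",
    "2024-10-18 08:15:02,0000" + full_sha1(b"sample-three")
    + r",c:\program files\7-zip\7z.exe,553472,2024-05-11 06:44:21",
]) + "\n"

if __name__ == "__main__":
    results = triage(SAMPLE_CSV)
    for f in results:
        flags = [k for k in ("suspicious_path", "partial_hash") if f[k]]
        print(f"{f['first_seen']}  {f['sha1']}  {f['path']}  {','.join(flags) or '-'}")
    print("submit to TI:", ti_lookup_list(results))
```

Feed it the real CSV by reading the file into `triage()`; to check a recovered sample against a hive entry, compare `amcache_style_sha1(open(path, "rb").read())` with the normalised FileId rather than the full-file hash, since the two diverge for anything over 30 MiB.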

First Execution Timestamps

The FileKeyLastWriteTimestamp column is the last-write time of the entry's registry key, and it is the closest thing Amcache offers to a first-execution time. It is not a direct execution timestamp. Entries are written by the Application Compatibility components, in particular the Microsoft Compatibility Appraiser scheduled task, which can inventory a file it finds during a scan without the file ever running; the key may also be rewritten later. Read the value as "when the entry was written", which is often, but not always, shortly after first execution. Correlating it with Prefetch run times and USN Journal FILE_CREATE records for the same file triangulates the real first execution with far more confidence than any one artifact alone.
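An added example of the triangulation described above, written for this page rather than taken from any tool: it takes one Amcache entry, the Prefetch run times and the USN Journal records for the same file name and decides whether the Amcache timestamp is corroborated as first execution, or whether the entry looks like an inventory scan, lacks Prefetch support, or predates the file it supposedly describes. The three records are constructed, the timestamp layout (yyyy-MM-dd HH:mm:ss, already normalised to UTC) and the five-minute corroboration window are assumptions, and the field names are this example's own rather than any parser's column names.

```python
import ntpath
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"   # assumed: every artifact already normalised to UTC

# Constructed records for one suspect binary (not case data). Field names are
# this example's own, not a parser's column names.
AMCACHE = {"path": r"c:\users\public\m.exe",
           "key_last_write": "2024-10-20 14:03:11"}
PREFETCH = {"exe": "M.EXE", "run_count": 2,
            "run_times": ["2024-10-20 14:20:44", "2024-10-20 14:03:09"]}
USN = [
    {"name": "m.exe", "reason": "FILE_CREATE", "ts": "2024-10-20 14:02:58"},
    {"name": "m.exe", "reason": "DATA_EXTEND|CLOSE", "ts": "2024-10-20 14:02:59"},
    {"name": "m.exe", "reason": "FILE_DELETE|CLOSE", "ts": "2024-10-20 14:21:02"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, TS_FORMAT)


def triangulate(amcache: dict, prefetch, usn: list, window=timedelta(minutes=5)) -> dict:
    """Combine the three artifacts for one file name and estimate first execution."""
    name = ntpath.basename(amcache["path"]).lower()
    amc = parse_ts(amcache["key_last_write"])
    notes = []

    creates = [parse_ts(r["ts"]) for r in usn
               if r["name"].lower() == name and "FILE_CREATE" in r["reason"]]
    deletes = [parse_ts(r["ts"]) for r in usn
               if r["name"].lower() == name and "FILE_DELETE" in r["reason"]]
    created = min(creates) if creates else None
    deleted = max(deletes) if deletes else None
    if deleted:
        notes.append(f"file deleted at {deleted.strftime(TS_FORMAT)}; Amcache entry persists")

    # An Amcache key written before the file was created on this volume cannot describe
    # this copy: an earlier file at the same path, a restored image, or a clock change.
    if created and amc < created:
        notes.append("Amcache key written before USN FILE_CREATE: entry predates this copy")
        return {"verdict": "inconsistent", "first_execution": None, "notes": notes}

    pf_runs = []
    if prefetch and prefetch["exe"].lower() == name:
        pf_runs = sorted(parse_ts(t) for t in prefetch["run_times"])

    if not pf_runs:
        notes.append("no Prefetch for this binary: Amcache entry may come from a Compatibility "
                     "Appraiser scan; check whether prefetching is enabled on this host")
        return {"verdict": "execution unconfirmed", "first_execution": None, "notes": notes}

    first_run = pf_runs[0]
    if prefetch["run_count"] > len(pf_runs):
        # Windows 8+ Prefetch keeps only the last 8 run times.
        notes.append("run count exceeds stored run times; earliest stored run is not the first run")
    delta = abs(amc - first_run)
    if delta <= window:
        notes.append(f"Amcache key write is {int(delta.total_seconds())}s from first Prefetch run")
    else:
        notes.append("Amcache key write not contemporaneous with first Prefetch run; "
                     "likely written by a later inventory scan")
    return {"verdict": "executed",
            "first_execution": first_run.strftime(TS_FORMAT),
            "notes": notes}


if __name__ == "__main__":
    for key, value in triangulate(AMCACHE, PREFETCH, USN).items():
        print(f"{key}: {value}")
```

The Prefetch run time, not the Amcache key write, is what the function reports as first execution when the two agree, because Prefetch is the artifact the kernel writes at process start; Amcache only tells you when the inventory caught up.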


Amcache vs. Shimcache: Which to Trust for Execution?

Shimcache (AppCompatCache) records that a file existed at a path and, on Windows 7 and earlier, carried an insert flag indicating the file had been executed; that flag is gone from Windows 8 onward, so a modern Shimcache entry proves presence, not execution. Amcache is the stronger execution indicator because the Application Compatibility infrastructure normally writes its entry when a program actually runs. It is not proof on its own: the Program Compatibility Assistant and the Microsoft Compatibility Appraiser scheduled task also write entries for executables they inventory without running them. Neither artifact alone is proof of execution, so use both together with Prefetch.

  • Amcache: provides SHA1 hash, entry-write timestamp and full path; usually written at or shortly after execution, but also by inventory scans
  • Shimcache: provides a presence record and the file's last-modified time; does not confirm execution on Windows 8 and later
  • Prefetch: created by the kernel at process start, so it is the strongest single execution indicator; provides run count, the last 8 run times and the files touched during start-up; absent where prefetching is disabled, as it is by default on Windows Server
  • Combined: all three corroborating the same binary name give strong, mutually supported execution evidence

Post-Deletion Evidence Value

The most operationally significant use of Amcache is recovering evidence of deleted tools. An attacker drops mimikatz.exe to C:\Users\Public\, runs it, then deletes it. The file is gone. The Prefetch file may have been aged out on a busy system. But the Amcache entry persists with the SHA1 of the binary (the full-file hash for anything under 30 MiB). Submit that hash to a threat intelligence platform and you get the exact build, its known indicators and, from the entry's own LinkDate, its compilation date. If the hash is unknown because the tool was rebuilt or packed, it still serves as a pivot: the same SHA1 appearing in the Amcache of other hosts maps where that build travelled. Execution itself is best confirmed with Prefetch alongside, for the reasons above.

In one respect a SHA1 hash in Amcache is more trustworthy than a file recovered from disk: the hash survives deletion and ties the entry to a specific build of a tool, while a recovered file could in principle have been planted after the fact.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.