Amcache / Syscache (.hve)
Purpose and Function
The Amcache.hve file is a registry hive that serves as a component of the Windows Application Compatibility framework. Its primary function is to store metadata about applications that have been recently run on the system. This information helps Windows manage compatibility settings and track program installations. The Syscache.hve is its functional predecessor, found on older systems like Windows 7.
From a DFIR perspective, Amcache is a forensic goldmine. It provides a persistent, historical record of program executions that often survives uninstallation and basic artifact cleaning. It is particularly valuable for identifying malicious software by its intrinsic properties, such as its file hash, rather than just its filename.
Location and Structure
Amcache.hve is a standalone registry hive file, not part of the main SYSTEM or SOFTWARE hives. It is typically locked by the system while Windows is running, so parsing it usually requires specialized tools or offline analysis.
Location (Windows 8/10/11): C:\Windows\AppCompat\Programs\Amcache.hve
Location (Syscache on Windows 7): Often found within System Volume Information, such as C:\Windows\System32\config\RegBack\, or live in C:\Windows\appcompat\Programs\.
The Amcache.hve hive contains several keys, but the most forensically relevant data is typically found under a path similar to:
Root\File\{Volume-GUID}\{File-Reference-Number}
Each entry under this structure corresponds to a unique executable file that has been tracked by the system and contains a rich set of metadata values.
Stored Metadata
An Amcache entry provides a detailed fingerprint of an executed program, far beyond just its name. Key metadata includes:
Full Path: The complete file path of the executable at the time it was first tracked.
File Size: The size of the executable file in bytes.
SHA1 Hash: A cryptographic hash of the executable's contents. This is arguably the most critical piece of metadata, as it allows for the definitive identification of a file regardless of its name or location.
Timestamps:
First Execution Time: Often derived from the creation date of a corresponding link file or another system trigger, this timestamp indicates when the program was first introduced to the system.
Last Modified Timestamp: The file's last modification time as recorded in its MFT entry.
Linker Timestamp: The compilation timestamp embedded within the PE header of the executable.
Binary Type: Information about the executable's architecture (e.g., PE32, PE64).
Product and Version Information: Details extracted from the file's version resource block, such as Product Name, Company Name, and File Version.
Forensic Value
Amcache is an exceptionally robust artifact for proving that a program once existed and was executed on a system, even if other traces have been removed.
Persistence: Amcache entries often persist long after a program has been uninstalled or its files have been deleted from the live filesystem. This provides a historical record that can defeat simple cleanup attempts.
Identification via Hash: The presence of the SHA1 hash is its greatest strength. It allows an analyst to identify a known malicious executable (by checking the hash against threat intelligence databases like VirusTotal) even if the user renamed it to something innocuous (e.g., notACheat.exe).
Timeline Correlation: While its last execution timestamp is not always as reliable as Prefetch or BAM for pinpointing the most recent activity, its "First Execution" and "Last Modified" timestamps are invaluable for establishing when a program was first introduced to the system and correlating it with other events.
Detection of Tampering: The Amcache is managed by system services. While it can be deleted, its absence on a system where it should exist, or evidence of recent modification or deletion, can be an indicator of anti-forensic activity.
Reflection points (SS Contest)
For a ScreenSharer, Amcache is a powerful tool for finding the "ghosts" of cheats past and for definitively identifying disguised executables.
The Ultimate ID Check (SHA1 Hash): This is the key takeaway. If a player is running a suspicious file named explorer.exe from their desktop, an SSer can extract its Amcache entry and check the SHA1 hash on VirusTotal. If the hash matches a known cheat like Vape or Kurium, the case is closed, regardless of the filename.
Defeating Renaming Bypasses: Amcache is one of the best defenses against simple renaming bypasses. It proves that the file, identified by its unique hash, was present on the system.
Historical Evidence: If a player claims they "never used that cheat," but an Amcache entry for it exists, it provides strong historical evidence to the contrary. While it might not prove "in instance" usage, it can be crucial for ban evasion checks or for building a stronger case when combined with other, more recent artifacts.
Corroboration: Finding a program in Amcache corroborates findings from other tools. For example, if a suspicious path is found in a System Informer memory dump, checking Amcache for that path or the file's hash can confirm its identity and execution history.
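As an added example (not code from the original page, and not a hive parser), the Python below applies the three checks described in the Forensic Value and Reflection points sections to entries already extracted from Amcache.hve by a dedicated hive parser: a known-hash match, a system binary name living outside C:\Windows, and an entry whose file is no longer on disk. The 30 MiB hashing limit and the "0000" prefix on stored SHA1 values are real Amcache properties; the sample entries, the KNOWN_BAD lookup standing in for a VirusTotal check, the SYSTEM_NAMES set and the PRESENT set are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass

# Amcache records the SHA-1 of at most the first 31,457,280 bytes (30 MiB) of a
# file, so a live file must be hashed the same way before comparing hashes.
AMCACHE_HASH_LIMIT = 31_457_280
# Constructed list of names that belong under C:\Windows on a normal install.
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "csrss.exe"}

@dataclass
class AmcacheEntry:
    path: str   # "Full Path" value from the entry
    sha1: str   # "SHA1" value; Amcache stores it as "0000" + 40 hex chars
    size: int   # "File Size" value in bytes

def amcache_sha1(data: bytes) -> str:
    """Hash file contents the way Amcache does: only the first 30 MiB count."""
    return hashlib.sha1(data[:AMCACHE_HASH_LIMIT]).hexdigest()

def normalize_sha1(value: str) -> str:
    """Drop the four-zero prefix so the hash can be looked up as plain SHA-1."""
    value = value.lower()
    return value[4:] if len(value) == 44 and value.startswith("0000") else value

def triage(entries, known_bad, present_paths):
    """Known-hash match, renamed system binary, and deleted-but-recorded checks."""
    findings = []
    present = {p.lower() for p in present_paths}
    for e in entries:
        h = normalize_sha1(e.sha1)
        name = e.path.rsplit("\\", 1)[-1].lower()
        if h in known_bad:
            findings.append((e.path, f"SHA1 matches known sample: {known_bad[h]}"))
        if name in SYSTEM_NAMES and not e.path.lower().startswith("c:\\windows\\"):
            findings.append((e.path, "system binary name outside C:\\Windows"))
        if e.path.lower() not in present:
            findings.append((e.path, "no longer on disk; Amcache entry persists"))
    return findings

# Constructed sample data (not from a real hive); hashes are placeholders.
SAMPLE_ENTRIES = [
    AmcacheEntry(r"C:\Users\Player\Desktop\explorer.exe", "0000" + "ab" * 20, 4_210_688),
    AmcacheEntry(r"C:\Windows\explorer.exe", "0000" + "cd" * 20, 4_210_688),
    AmcacheEntry(r"C:\Users\Player\Downloads\notACheat.exe", "0000" + "ef" * 20, 921_600),
]
KNOWN_BAD = {"ab" * 20: "cheat-client-sample-A", "ef" * 20: "cheat-client-sample-B"}
PRESENT = {r"C:\Users\Player\Desktop\explorer.exe", r"C:\Windows\explorer.exe"}

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_ENTRIES, KNOWN_BAD, PRESENT):
        print(f"{path}: {reason}")
```

To compare a live file against its entry, read the file and pass the bytes to amcache_sha1 rather than hashing the whole file, otherwise files larger than 30 MiB will never match.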