
API Reference: Analyzing Windows Amcache Artifacts

Amcache.hve Location

C:\Windows\AppCompat\Programs\Amcache.hve

Registry Keys

Key Path                        Contents
Root\InventoryApplicationFile   File execution evidence with SHA-1
Root\InventoryApplication       Installed application metadata
Root\InventoryDevicePnp         PnP device connection history
Root\InventoryDriverBinary      Driver binary metadata

regipy Python Library

# pip install regipy
from regipy.registry import RegistryHive

reg = RegistryHive('/path/to/Amcache.hve')
# Each subkey under InventoryApplicationFile describes one inventoried file;
# its values include Name, LowerCaseLongPath, Publisher, FileId and LinkDate
for subkey in reg.get_key('Root\\InventoryApplicationFile').iter_subkeys():
    values = {v.name: v.value for v in subkey.iter_values()}
    print(values.get('Name'), values.get('LowerCaseLongPath'))

AmcacheParser (Eric Zimmerman)

# Parse Amcache.hve to CSV
AmcacheParser.exe -f C:\evidence\Amcache.hve --csv C:\output\

# Include device and driver entries
AmcacheParser.exe -f Amcache.hve --csv output\ -i

Output CSV Columns

Column              Description
Name                Application/file name
LowerCaseLongPath   Full lowercase path
Publisher           Software publisher
FileId              SHA-1 hash (prefixed with 0000)
Size                File size in bytes
LinkDate            PE compilation timestamp
Version             File version string
ProgramId           Associated program GUID

Forensic Value

Artifact            Evidence
SHA-1 hash          File identification even after deletion
LowerCaseLongPath   Execution path including USB/temp
LinkDate            PE compile time (timestomping detection)
Publisher           Legitimacy verification
Last Modified       Registry key update timestamp

Suspicious Indicators

Pattern                               Concern
Path contains \Temp\                  Execution from temp directory
Path contains \Downloads\             User-downloaded execution
Missing Publisher                     Unsigned/unknown binary
LinkDate far from file date           Possible timestomping
Known tool names (mimikatz, psexec)   Attacker tooling
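To turn the indicator table above into a repeatable check, here is an added Python example (not part of this reference, nor code from AmcacheParser or regipy) that scores AmcacheParser-style CSV rows. The rows are constructed, and the LastModified column name is an assumption standing in for the key's last-write timestamp.

```python
import csv
import io
from datetime import datetime
# Constructed sample rows mimicking AmcacheParser's CSV columns; hashes and paths
# are invented. "LastModified" is an assumed column name for the key's last-write time.
SAMPLE_CSV = """Name,LowerCaseLongPath,Publisher,FileId,LinkDate,LastModified
notepad.exe,c:\\windows\\system32\\notepad.exe,Microsoft Corporation,0000{a},2023-05-01 10:00:00,2023-05-02 09:00:00
svchost.exe,c:\\users\\bob\\appdata\\local\\temp\\svchost.exe,,0000{b},2024-01-09 08:00:00,2024-01-08 12:00:00
psexec.exe,c:\\users\\bob\\downloads\\psexec.exe,Sysinternals,0000{c},2022-03-03 03:03:03,2024-01-08 12:05:00
""".format(a="a1" * 20, b="b2" * 20, c="c3" * 20)
KNOWN_TOOLS = ("mimikatz", "psexec")
TS = "%Y-%m-%d %H:%M:%S"

def sha1_from_fileid(file_id):
    # AmcacheParser shows FileId as "0000" + SHA-1; strip the prefix.
    digest = file_id[4:] if file_id.startswith("0000") else file_id
    return digest.lower() if len(digest) == 40 else None

def triage_row(row):
    # Apply the suspicious-indicator patterns from the table above to one row.
    reasons = []
    path, name = row["LowerCaseLongPath"].lower(), row["Name"].lower()
    if "\\temp\\" in path:
        reasons.append("executed from Temp")
    if "\\downloads\\" in path:
        reasons.append("executed from Downloads")
    if not row["Publisher"].strip():
        reasons.append("no publisher (unsigned/unknown)")
    if any(tool in name for tool in KNOWN_TOOLS):
        reasons.append("known attacker tool name")
    try:
        link = datetime.strptime(row["LinkDate"], TS)
        modified = datetime.strptime(row["LastModified"], TS)
        # A binary cannot be written before it was linked: a LinkDate after
        # the key's last-write time points at a forged header or timestomping.
        if link > modified:
            reasons.append("LinkDate after last-modified (possible timestomping)")
    except (KeyError, ValueError):
        reasons.append("unparseable timestamps")
    return reasons

def triage_csv(text):
    # Return {sha1: (name, reasons)} for every row that triggers a pattern.
    flagged = {}
    for row in csv.DictReader(io.StringIO(text)):
        reasons = triage_row(row)
        if reasons:
            flagged[sha1_from_fileid(row["FileId"])] = (row["Name"], reasons)
    return flagged
```

Point triage_csv at the text of a real AmcacheParser CSV (after renaming the last-write column to LastModified) to get the flagged entries keyed by SHA-1, which can then be checked against hash reputation sources.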