Amcache

Description: ProgramDataUpdater (a task associated with the Application Experience Service) uses the registry file Amcache.hve to store data during process creation.

Location:

  • C:\Windows\AppCompat\Programs\Amcache.hve

Notes:

  • Amcache.hve - Keys = Amcache.hve\Root\File\{Volume GUID}\#######
  • One entry for every executable run, with full path information, the file’s $StandardInfo Last Modification Time, and the disk volume the executable was run from
  • First Run Time = Last Modification Time of Key
  • SHA1 hash of executable also contained in the key
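
The notes above can be turned into a first-run timeline. The following is an added example, not part of the original page: it assumes the File keys have already been exported from the hive by a registry parser as (key path, key last-write FILETIME, values) records. The value names "15" (full path) and "101" (SHA1 stored with four leading zeros) are assumptions taken from the commonly documented Amcache layout, not from this page.

```python
import re
from datetime import datetime, timedelta, timezone

# Key layout from the notes: Root\File\{Volume GUID}\<per-file key name>
KEY_RE = re.compile(r"Root\\File\\\{([0-9a-fA-F-]{36})\}\\([0-9a-fA-F]+)$")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_entry(key_path, last_write_ft, values):
    """Timeline row for one exported File key (first run = key last write)."""
    m = KEY_RE.search(key_path)
    if not m:
        return None  # not a Root\File\{GUID}\... key
    sha1 = str(values.get("101", "")).lower()
    # Assumption: the hash string is stored with four leading zeros.
    if len(sha1) == 44 and sha1.startswith("0000"):
        sha1 = sha1[4:]
    return {
        "volume_guid": m.group(1).lower(),
        "file_key": m.group(2).lower(),
        "path": values.get("15"),
        "sha1": sha1 if re.fullmatch(r"[0-9a-f]{40}", sha1) else None,
        "first_run_utc": filetime_to_utc(last_write_ft),
    }

def timeline(records):
    """Parse all records, drop non-File keys, sort by first run time."""
    rows = [row for row in (parse_entry(*rec) for rec in records) if row]
    return sorted(rows, key=lambda row: row["first_run_utc"])

def hash_hits(rows, known_sha1):
    """Rows whose SHA1 appears in an analyst-supplied hash set."""
    wanted = {h.lower() for h in known_sha1}
    return [row for row in rows if row["sha1"] in wanted]

# Constructed sample records: (key path, key last-write FILETIME, values).
GUID = "{11111111-2222-3333-4444-555555555555}"
SAMPLE = [
    ("Root\\File\\" + GUID + "\\e0000a324", 130696848000000000,
     {"15": r"C:\Users\demo\AppData\Local\Temp\setup.exe",
      "101": "0000da39a3ee5e6b4b0d3255bfef95601890afd80709"}),
    ("Root\\File\\" + GUID + "\\10000b3f7", 130694994000000000,
     {"15": r"C:\Windows\System32\notepad.exe",
      "101": "00000123456789abcdef0123456789abcdef01234567"}),
    ("Root\\Programs\\0000example", 130696848000000000, {}),
]
```

Calling `timeline(SAMPLE)` returns the two File entries ordered by first run time; `hash_hits` filters those rows against a hash list.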

Analysis:
Coming Soon!