Update amcache.md
Psmths committed Nov 15, 2023
1 parent 7857f7d commit ac3ae69
Showing 1 changed file with 7 additions and 3 deletions.
10 changes: 7 additions & 3 deletions execution/amcache.md
@@ -14,11 +14,14 @@ The Amcache hive stores metadata regarding executables/installed programs presen
- [x] Windows 11
- [x] Windows 10
- [x] Windows 8
- [x] Windows 7 (⚠️ KB2952664 and later)
- [x] Windows 7
- [x] Windows Server 2019
- [x] Windows Server 2016
- [x] Windows Server 2012 R2
- [x] Windows Server 2012

> [!IMPORTANT]
> Windows 7 requires update KB2952664 for the Amcache hive to be present. Amcache is available on Windows Server starting from Windows Server 2008 R2.
## Artifact Location(s)
- `%SystemRoot%\AppCompat\Programs\Amcache.hve`
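Review bot: the new `> [!IMPORTANT]` block states that Amcache is available on Windows Server starting from Windows Server 2008 R2, but the checklist directly above it only goes back to `- [x] Windows Server 2012`, so a reader cannot tell whether 2008 R2 is supported or simply untested; either add a `- [x] Windows Server 2008 R2` entry (and state whether the same update requirement applies there) or reword the sentence so it matches the list. Also insert a blank line between the alert and `## Artifact Location(s)` so the admonition is not visually fused to the heading.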
@@ -75,7 +78,8 @@ The subkeys will contain the executable name, and a hash separated by a `|` char
| BinaryType | 32/64bit indicator |
| Size | The size, in bytes, of the executable |

⚠️ **There is a limit to the size of the data that gets hashed to produce this artifact's SHA-1 hash in the `FileId` value.** If the size of the binary exceeds approximately 30MB in size, only the first 30MB will be hashed. The result is that the SHA-1 hash will not be valid for that binary. ⚠️
> [!WARNING]
> **There is a limit to the size of the data that gets hashed to produce this artifact's SHA-1 hash in the `FileId` value.** If the size of the binary exceeds approximately 30MB in size, only the first 30MB will be hashed. The result is that the SHA-1 hash will not be valid for that binary.
## Example
Installing a new software, CrystalDiskMark on a system and manually running `compattelrunner.exe` updated the Amcache Hive with the following key (named `00001d78ebb0f68947e39952c24983d564390000ffff`) under `InventoryApplication`:
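Review bot: the `> [!WARNING]` block runs straight into `## Example` with no blank line between them; add one. While this sentence is being touched, "If the size of the binary exceeds approximately 30MB in size" repeats "size" (drop the trailing "in size"), and "the SHA-1 hash will not be valid for that binary" would be more precise as "the SHA-1 hash will not match one computed over the whole file", which is the point that matters to anyone comparing the `FileId` value against external hash sets.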
@@ -276,4 +280,4 @@ Additionally, several keys were created under `InventoryApplicationFile`, one ex
```
<sup><sub>This example was produced on Windows 10, Version 10.0.19044 Build 19044</sub></sup>

From this example, we can see that the `ProgramId` between the two Amcache keys correspond to each other.
From this example, we can see that the `ProgramId` between the two Amcache keys correspond to each other.
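Review bot: the removed and added lines in this hunk have identical text, so the only change appears to be the line ending (a newline-at-end-of-file fix), which is fine; since the line is being rewritten anyway, make the verb agree with its singular subject: "the `ProgramId` between the two Amcache keys corresponds to each other", or better "the `ProgramId` values in the two Amcache keys correspond to each other".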
