AmCacheParser

Unlock Windows Forensics with AmCacheParser CLI

A powerful Python tool for extracting and analyzing metadata from the Windows Amcache.hve registry hive. Tailored for digital forensics, incident response, and system auditing.

What is AmCacheParser?

AmCacheParser is a Python-based CLI tool designed to extract and analyze metadata from the Windows Amcache.hve registry hive (C:\Windows\AppCompat\Programs\Amcache.hve). It transforms raw Amcache data into actionable insights, revealing application histories, file artifacts, device connections, and driver details. With support for live and offline analysis, multiple output formats (SQLite, JSON, CSV), and robust error handling, it’s an essential tool for security professionals and system administrators.

What is Amcache.hve?

The Amcache.hve file is a registry hive that stores metadata about executables, installed applications, drivers, and devices. It was introduced with Windows 8 and backported to Windows 7 through later compatibility updates, replacing the older RecentFileCache.bcf. Located at C:\Windows\AppCompat\Programs\Amcache.hve, it is written by Windows' application-compatibility components (the Program Compatibility Assistant and the Compatibility Appraiser). On Windows 10 and later the data sits under Root in Inventory* subkeys (older hives use Root\File and Root\Programs instead). Key subkeys include:

  • InventoryApplication: Installed application details (e.g., name, publisher, install date, installer source).
  • InventoryApplicationFile: Per-executable metadata (e.g., path, publisher, version, size, FileId hash, link date).
  • InventoryDriverBinary: Driver binaries (e.g., signing status, version).
  • InventoryDevicePnp: Plug-and-play device inventory (e.g., USB devices, hardware IDs, driver versions).

Entries remain after the files they describe have been deleted, which makes the hive valuable for reconstructing what was present on a system, spotting malware, and auditing software. Keep in mind what an entry means: the appraiser records files it inventories (at installation, during scheduled scans, or on first execution), so an InventoryApplicationFile entry on its own shows that the file existed and was scanned, not that it was run.
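As an added example (not the project's own code), the following walks the Inventory* subkeys of an offline hive with python-registry, the library the tool depends on, and flattens each InventoryApplicationFile entry into the record shape shown later under Sample Output, adding the bare SHA-1 that Windows stores in FileId behind a "0000" prefix (the hash covers at most the first 31,457,280 bytes of the file). The helper names (walk_inventory, normalize_file_entry, sha1_from_file_id), the four-entry LCID table and the INVENTORY_KEYS list are my own; the python-registry calls assumed are Registry.Registry(), open(), subkeys(), values(), name(), value() and timestamp().

```python
from datetime import datetime, timezone
from typing import Dict, Iterator, Optional

# Inventory subkeys under Root\ in the Windows 10+ hive layout (assumed list).
INVENTORY_KEYS = ("InventoryApplication", "InventoryApplicationFile",
                  "InventoryDriverBinary", "InventoryDevicePnp")

# Short LCID table for illustration only; the tool's own table covers 40+ languages.
LCID_NAMES = {1033: "English (United States)", 1031: "German (Germany)",
              1036: "French (France)", 2052: "Chinese (Simplified, PRC)"}


def sha1_from_file_id(file_id: Optional[str]) -> str:
    """FileId is '0000' + SHA-1 (40 hex chars) of at most the first 31,457,280
    bytes of the file. Return the bare SHA-1, or '' if the value is malformed."""
    file_id = (file_id or "").strip().lower()
    if len(file_id) == 44 and file_id.startswith("0000"):
        return file_id[4:]
    return ""


def _utc_iso(dt: datetime) -> str:
    """python-registry hands back naive UTC datetimes; make the zone explicit."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).isoformat()


def normalize_file_entry(values: Dict[str, object], key_name: str,
                         last_write: datetime) -> Dict[str, object]:
    """Flatten one InventoryApplicationFile subkey (its values plus the key's
    last-write time) into the flat record shape the tool emits."""
    try:
        lcid = int(values.get("Language"))  # REG_DWORD in the hive
    except (TypeError, ValueError):
        lcid = None
    file_id = str(values.get("FileId", ""))
    return {
        "entry_id": key_name,
        "ProgramId": str(values.get("ProgramId", "")),
        "FileId": file_id,
        "sha1": sha1_from_file_id(file_id),
        "LowerCaseLongPath": str(values.get("LowerCaseLongPath", "")),
        "Name": str(values.get("Name", "")),
        "Publisher": str(values.get("Publisher", "")),
        "Version": str(values.get("Version", "")),
        "LanguageName": "" if lcid is None else LCID_NAMES.get(lcid, "LCID %d" % lcid),
        "Usn": str(values.get("Usn", "")),
        "key_last_write_utc": _utc_iso(last_write),
    }


def walk_inventory(hive_path: str, keys=INVENTORY_KEYS) -> Iterator[Dict[str, object]]:
    """Yield one record per entry under each requested Inventory key of an
    offline Amcache.hve. python-registry is imported here so the helpers above
    stay usable (and testable) without it."""
    from Registry import Registry  # pip install python-registry

    reg = Registry.Registry(hive_path)
    for key_name in keys:
        try:
            key = reg.open("Root\\" + key_name)
        except Registry.RegistryKeyNotFoundException:
            continue  # pre-Windows 10 layout, or key simply absent from this hive
        for sub in key.subkeys():
            values = {v.name(): v.value() for v in sub.values()}
            if key_name == "InventoryApplicationFile":
                yield normalize_file_entry(values, sub.name(), sub.timestamp())
            else:
                yield {"subkey": key_name, "entry_id": sub.name(),
                       "key_last_write_utc": _utc_iso(sub.timestamp()), **values}


if __name__ == "__main__":
    import json
    import sys
    for record in walk_inventory(sys.argv[1]):
        print(json.dumps(record, default=str))
```

Run it as `python walk_amcache.py C:\path\to\Amcache.hve` to get one JSON record per line; the key_last_write_utc field is the subkey's last-write time, which is when the appraiser wrote the entry, not a proof of execution.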

Forensic Value

  • Incident Response: Establishes when a suspicious binary first appeared on a host and from which path, anchoring the timeline.
  • Digital Forensics: Recovers path, version, size and hash metadata for files that no longer exist on disk.
  • Threat Hunting: Matches FileId hashes, paths and publishers against IOCs across many hosts.
  • Compliance Auditing: Inventories installed applications and drivers for license and configuration review.

Why It Matters: Because entries outlive the files they describe, Amcache can expose tooling an attacker has already cleaned up.


Key Features

Live & Offline Analysis

Live: Parses the live Amcache.hve file on Windows 7+ (requires admin privileges).
Offline: Analyzes user-specified Amcache.hve files for post-mortem investigations.

Flexible Output Formats

SQLite (amcache.db): One table per parsed subkey (e.g., InventoryApplicationFile) plus a subkeys table recording when each was parsed.
JSON (amcache.json): Human-readable records grouped by subkey, with Language LCIDs mapped to language names.
CSV (amcache.csv): One flat spreadsheet-compatible file with a subkey_name column and comprehensive headers.

Virtual Environment Support

Auto-creates a virtual environment (venv_amcache_parser) and installs dependencies (python-registry, tqdm).

Administrative Privilege Handling

Checks for admin rights and provides PowerShell elevation commands if needed.

Advanced Registry Access

Uses python-registry to parse the hive and Windows API calls to read it while the OS holds it open: the process enables SeBackupPrivilege and loads the hive with RegLoadAppKeyW.

LCID Mapping

Converts Language Code Identifiers (e.g., 1033 → English (United States)) for 40+ languages.

Robust Database Management

Stores data in SQLite with duplicate prevention and timestamp tracking.

Error Handling & Logging

Retries hive loading, logs errors to C:\Amcache\amcache_parser.log, and validates inputs.

Progress Tracking

Displays a tqdm progress bar for parsing large datasets (e.g., 27 subkeys).

Interactive & Non-Interactive Modes

Interactive: Menu-driven interface.
Non-Interactive: Command-line arguments for automation.

Selective Parsing

Filters subkeys (e.g., --search-keys InventoryApplication) to optimize performance.

System Compatibility

Ensures Windows 7+ compatibility for live analysis.

Temporary File Management

Exports the live hive to a temporary file that is deleted automatically once parsing finishes, so no extra copy of the hive is left behind.

Installation

Clone or Download

git clone https://github.com/Ghassan-elsman/AmCache-Parser-CLI.git
cd AmCache-Parser-CLI

Run the Script

Requires Python 3.6+. Automatically sets up a virtual environment and installs python-registry and tqdm.

Run as Administrator

For live analysis, launch an elevated shell. The elevated PowerShell does not inherit your current directory, so pass the script's full path; the quoting is PowerShell's (single quotes around the argument list, double quotes around the inner command):
Start-Process powershell -Verb RunAs -ArgumentList '-NoProfile -ExecutionPolicy Bypass -Command "python C:\path\to\AmCache-Parser-CLI\amcache_parser.py --live"'

Usage

Interactive Mode

Launch without arguments for a user-friendly menu:
python amcache_parser.py
Options:
1. Live Analysis
2. Offline Analysis
3. Select Output Format (sqlite, json, csv)
4. Exit

Non-Interactive Mode

Run with command-line arguments:
python amcache_parser.py --live --output json --search-keys InventoryApplication,InventoryApplicationFile
Arguments:

  • --live: Analyze live Amcache.hve.
  • --offline <path>: Specify offline Amcache.hve file.
  • --output <format>: Choose sqlite, json, or csv.
  • --search-keys <keys>: Comma-separated subkeys.
  • --non-interactive: Skip menu.

Examples

Live analysis with JSON output:
python amcache_parser.py --live --output json
Offline analysis with CSV output:
python amcache_parser.py --offline C:\path\to\Amcache.hve --output csv
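The tool's live mode reads the hive in place via SeBackupPrivilege. When that route is not available (for instance, a collection script that must produce a file for --offline without loading hives), a Volume Shadow Copy gives a consistent copy of the locked hive. The following added example is not part of the project: it drives the Windows PowerShell CIM cmdlets (Invoke-CimMethod on Win32_ShadowCopy, PowerShell 3.0+, i.e. Windows 8+ or Windows 7 with WMF 3) and vssadmin from Python, copies Amcache.hve together with its .LOG1/.LOG2 transaction logs out of the snapshot, and deletes the snapshot afterwards. The function names and the two-line output contract of the embedded PowerShell snippet are mine; it must run in an elevated process on the target host.

```python
import shutil
import subprocess
from pathlib import Path
from typing import List, Optional, Tuple

HIVE_DIR = r"Windows\AppCompat\Programs"
# Collect the transaction logs with the hive: a parser may need them to apply
# changes that were not yet flushed into Amcache.hve itself.
HIVE_FILES = ("Amcache.hve", "Amcache.hve.LOG1", "Amcache.hve.LOG2")
SHADOW_PREFIX = r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy"

# Windows PowerShell 3.0+: create a client-accessible snapshot of VOL, then print
# its ID and device object on two separate lines for parse_snapshot_output().
PS_CREATE_SNAPSHOT = (
    "$r = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create "
    "-Arguments @{Volume='VOL\\'; Context='ClientAccessible'}; "
    "if ($r.ReturnValue -ne 0) { exit $r.ReturnValue }; "
    "$r.ShadowID; "
    "(Get-CimInstance Win32_ShadowCopy | Where-Object { $_.ID -eq $r.ShadowID }).DeviceObject"
)


def parse_snapshot_output(output: str) -> Tuple[Optional[str], Optional[str]]:
    """Pick the shadow ID ({GUID}, 38 chars) and the device object out of the
    PowerShell output; anything else (warnings, blank lines) is ignored."""
    shadow_id = device = None
    for line in (l.strip() for l in output.splitlines()):
        if line.startswith("{") and line.endswith("}") and len(line) == 38:
            shadow_id = line
        elif line.startswith(SHADOW_PREFIX):
            device = line.rstrip("\\")
    return shadow_id, device


def snapshot_paths(device: str) -> List[str]:
    """Full \\?\GLOBALROOT paths of the hive files inside the snapshot."""
    device = device.rstrip("\\")
    return [f"{device}\\{HIVE_DIR}\\{name}" for name in HIVE_FILES]


def acquire_amcache(dest_dir: str, volume: str = "C:") -> Path:
    """Snapshot `volume`, copy Amcache.hve (+ logs) out of the snapshot into
    dest_dir, then delete the snapshot. Requires an elevated process."""
    script = PS_CREATE_SNAPSHOT.replace("VOL", volume)
    out = subprocess.run(["powershell", "-NoProfile", "-Command", script],
                         stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                         universal_newlines=True, check=True).stdout
    shadow_id, device = parse_snapshot_output(out)
    if not (shadow_id and device):
        raise RuntimeError("unexpected snapshot output: %r" % out)
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    try:
        for name, src in zip(HIVE_FILES, snapshot_paths(device)):
            try:
                # CreateFileW accepts the \\?\GLOBALROOT form, so a plain copy works.
                shutil.copy2(src, dest / name)
            except FileNotFoundError:
                if name == "Amcache.hve":
                    raise
                # A missing .LOG1/.LOG2 just means no pending transactions.
    finally:
        subprocess.run(["vssadmin", "delete", "shadows", "/shadow=" + shadow_id, "/quiet"],
                       check=False)
    return dest / "Amcache.hve"


if __name__ == "__main__":
    print(acquire_amcache(r"C:\Amcache\collected"))
```

The copied file is then fed to the tool with `--offline C:\Amcache\collected\Amcache.hve`. Deleting the snapshot in a finally block matters on busy hosts: an orphaned shadow copy keeps consuming shadow storage until someone notices.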

Sample Output

SQLite Database

subkeys table:
CREATE TABLE subkeys (
    subkey_name TEXT PRIMARY KEY,
    parsed_timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);

InventoryApplicationFile table:
CREATE TABLE InventoryApplicationFile (
    entry_id TEXT PRIMARY KEY,
    ProgramId TEXT,
    FileId TEXT,
    LowerCaseLongPath TEXT,
    Name TEXT,
    Publisher TEXT,
    Version TEXT,
    LanguageName TEXT,
    Usn TEXT,
    parsed_timestamp TIMESTAMP
);

JSON Output

{
  "InventoryApplicationFile": [
    {
      "entry_id": "00000001",
      "data": {
        "ProgramId": "12345678",
        "FileId": "abcdef123456",
        "LowerCaseLongPath": "c:\\program files\\example\\app.exe",
        "Name": "app.exe",
        "Publisher": "Example Corp",
        "Version": "1.0.0",
        "LanguageName": "English (United States)",
        "Usn": "123456789"
      }
    }
  ]
}

CSV Output

subkey_name,entry_id,ProgramId,FileId,LowerCaseLongPath,Name,Publisher,Version,LanguageName,Usn
InventoryApplicationFile,00000001,12345678,abcdef123456,c:\program files\example\app.exe,app.exe,Example Corp,1.0.0,English (United States),123456789

Forensic Insights

  • Timeline Analysis: Subkey last-write times and InventoryApplication install dates show when binaries and applications appeared; corroborate execution with Prefetch or event logs, since an Amcache entry on its own does not prove the file ran.
  • Artifact Recovery: Metadata for deleted files survives, including the original path (LowerCaseLongPath), the SHA-1 of the file's first 31,457,280 bytes (FileId, after its "0000" prefix) and the USN journal number (Usn) for correlation with $UsnJrnl.
  • System Baseline: Inventories installed drivers, PnP devices and applications for comparison against a known-good host.
  • User Behavior: Shows which applications were installed and under which user profile paths binaries appeared.
  • Security Posture: The driver inventory records signing status, so unsigned or unexpected kernel drivers stand out.

Pro Tip: Combine Amcache data with Prefetch, Shimcache (AppCompatCache) and Event Logs for a comprehensive forensic timeline.
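An added example (not the tool's code) covering two points made above: the duplicate prevention described under Robust Database Management, and turning the resulting table into the hunting checks listed under Forensic Insights. It creates the InventoryApplicationFile table from the Sample Output section in an in-memory SQLite database, ingests constructed records twice to show that INSERT OR IGNORE on the entry_id primary key makes re-parsing idempotent (and reports the delta when a newer hive is parsed), then runs three queries a responder would start with: binaries inventoried from user-writable directories, FileId SHA-1 matches against an IOC list, and core Windows binary names recorded outside their normal directories. The function names, SUSPICIOUS_DIRS, SYSTEM_BINARIES and the sample rows are mine; the three query functions accept any connection to the tool's own amcache.db.

```python
import sqlite3
from typing import Dict, Iterable, List, Tuple

# InventoryApplicationFile table as the tool creates it (see Sample Output).
SCHEMA = """
CREATE TABLE IF NOT EXISTS InventoryApplicationFile (
    entry_id TEXT PRIMARY KEY,
    ProgramId TEXT, FileId TEXT, LowerCaseLongPath TEXT, Name TEXT,
    Publisher TEXT, Version TEXT, LanguageName TEXT, Usn TEXT,
    parsed_timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP
)
"""
COLUMNS = ("entry_id", "ProgramId", "FileId", "LowerCaseLongPath", "Name",
           "Publisher", "Version", "LanguageName", "Usn")

# Staging directories attacker tooling commonly lands in (hive paths are lowercase).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\",
                   "\\windows\\temp\\", "\\programdata\\")
# Core Windows binaries and the directory prefixes they legitimately live under.
SYSTEM_BINARIES = {
    "svchost.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "lsass.exe": ("c:\\windows\\system32\\",),
    "explorer.exe": ("c:\\windows\\",),
}

def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn

def ingest(conn: sqlite3.Connection, rows: Iterable[Dict[str, str]]) -> int:
    """Insert records, silently skipping any entry_id already stored. Returns how
    many rows were really added: the same hive again gives 0, a newer hive gives
    only the delta, which is the cheapest 'what changed since baseline' check."""
    before = conn.total_changes
    sql = "INSERT OR IGNORE INTO InventoryApplicationFile (%s) VALUES (%s)" % (
        ", ".join(COLUMNS), ", ".join("?" * len(COLUMNS)))
    conn.executemany(sql, [tuple(r.get(c, "") for c in COLUMNS) for r in rows])
    conn.commit()
    return conn.total_changes - before

def in_suspicious_dirs(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """Binaries inventoried from user-writable or staging directories."""
    where = " OR ".join("LowerCaseLongPath LIKE ?" for _ in SUSPICIOUS_DIRS)
    return conn.execute(
        "SELECT Name, LowerCaseLongPath FROM InventoryApplicationFile WHERE " + where +
        " ORDER BY LowerCaseLongPath", ["%" + d + "%" for d in SUSPICIOUS_DIRS]).fetchall()

def match_sha1_iocs(conn: sqlite3.Connection, sha1_iocs: Iterable[str]) -> List[Tuple[str, str, str]]:
    """FileId is '0000' + SHA-1 of at most the file's first 31,457,280 bytes, so
    drop the four-character prefix before comparing with hash IOCs."""
    iocs = sorted({h.lower() for h in sha1_iocs})
    if not iocs:
        return []
    marks = ", ".join("?" * len(iocs))
    return conn.execute(
        "SELECT Name, LowerCaseLongPath, substr(lower(FileId), 5) FROM InventoryApplicationFile "
        "WHERE substr(lower(FileId), 5) IN (" + marks + ")", iocs).fetchall()

def masquerading_system_names(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """Well-known Windows binary names recorded outside their normal directories."""
    hits = []
    for name, allowed in SYSTEM_BINARIES.items():
        for n, p in conn.execute("SELECT Name, LowerCaseLongPath FROM InventoryApplicationFile "
                                 "WHERE lower(Name) = ?", (name,)):
            if not p.startswith(allowed):
                hits.append((n, p))
    return hits

# Constructed sample records in the tool's flat output shape (not real hive data).
IOC_SHA1 = "9f" * 20
SAMPLE_ROWS = [
    {"entry_id": "c:\\windows\\system32\\svchost.exe|0001", "FileId": "0000" + "11" * 20,
     "LowerCaseLongPath": "c:\\windows\\system32\\svchost.exe", "Name": "svchost.exe",
     "Publisher": "Microsoft Corporation"},
    {"entry_id": "c:\\users\\bob\\appdata\\local\\temp\\svchost.exe|0002", "FileId": "0000" + "22" * 20,
     "LowerCaseLongPath": "c:\\users\\bob\\appdata\\local\\temp\\svchost.exe", "Name": "svchost.exe"},
    {"entry_id": "c:\\users\\bob\\downloads\\invoice.exe|0003", "FileId": "0000" + IOC_SHA1,
     "LowerCaseLongPath": "c:\\users\\bob\\downloads\\invoice.exe", "Name": "invoice.exe"},
    {"entry_id": "c:\\program files\\example\\app.exe|0004", "FileId": "0000" + "44" * 20,
     "LowerCaseLongPath": "c:\\program files\\example\\app.exe", "Name": "app.exe",
     "Publisher": "Example Corp"},
]

def run_demo() -> Dict[str, object]:
    conn = open_db()
    first = ingest(conn, SAMPLE_ROWS)
    second = ingest(conn, SAMPLE_ROWS)  # same hive parsed again: nothing new
    return {
        "inserted_first_run": first,
        "inserted_second_run": second,
        "suspicious_dirs": in_suspicious_dirs(conn),
        "ioc_hits": match_sha1_iocs(conn, [IOC_SHA1.upper()]),
        "masquerading": masquerading_system_names(conn),
    }

if __name__ == "__main__":
    for check, result in run_demo().items():
        print(check, result)
```

The masquerading check is a heuristic: legitimate copies of system binaries also exist under WinSxS and in servicing folders, so treat hits as leads to verify against the FileId hash, not as verdicts.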

FAQ

What systems does AmCacheParser support?

Live analysis requires Windows 7+. Offline analysis works on any system with Python 3.6+.

Why do I need admin privileges?

Windows keeps Amcache.hve open while it is running, so reading the live copy requires SeBackupPrivilege, and only an elevated process can enable that privilege.

Can I analyze specific subkeys?

Yes, use --search-keys (e.g., InventoryApplication,InventoryApplicationFile) to focus on relevant data.

Where are outputs saved?

Outputs are saved to C:\Amcache (e.g., amcache.db, amcache.json, amcache.csv).

How does it handle errors?

Retries hive loading, logs errors to amcache_parser.log, and validates inputs.

Requirements

  • OS: Windows 7+ (live analysis).
  • Python: 3.6+.
  • Dependencies: python-registry, tqdm (auto-installed).
  • Permissions: Admin rights for live analysis.
  • Disk Space: Space for database and output files.