dissect.target.plugins.os.windows.amcache

Module Contents

Classes

AmcachePluginOldMixin
AmcachePlugin	Appcompat plugin for amcache.hve.

Functions

parse_win_datetime
parse_win_timestamp

Attributes

AMCACHE_FILE_KEYS
AMCACHE_PROGRAM_KEYS
ShortcutAppcompatRecord
FileAppcompatRecord
ProgramsAppcompatRecord
ApplicationAppcompatRecord
ApplicationFileAppcompatRecord
BinaryAppcompatRecord
ContainerAppcompatRecord
AppLaunchAppcompatRecord

dissect.target.plugins.os.windows.amcache.AMCACHE_FILE_KEYS

dissect.target.plugins.os.windows.amcache.AMCACHE_PROGRAM_KEYS

dissect.target.plugins.os.windows.amcache.ShortcutAppcompatRecord

dissect.target.plugins.os.windows.amcache.FileAppcompatRecord

dissect.target.plugins.os.windows.amcache.ProgramsAppcompatRecord

dissect.target.plugins.os.windows.amcache.ApplicationAppcompatRecord

dissect.target.plugins.os.windows.amcache.ApplicationFileAppcompatRecord

dissect.target.plugins.os.windows.amcache.BinaryAppcompatRecord

dissect.target.plugins.os.windows.amcache.ContainerAppcompatRecord

dissect.target.plugins.os.windows.amcache.AppLaunchAppcompatRecord

class dissect.target.plugins.os.windows.amcache.AmcachePluginOldMixin

__namespace__ = 'amcache'

parse_file()

parse_programs()

programs()

Return Programs records from Amcache hive.

files()

Return File records from Amcache hive.

class dissect.target.plugins.os.windows.amcache.AmcachePlugin(target)

Bases: AmcachePluginOldMixin, dissect.target.plugin.Plugin

Appcompat plugin for amcache.hve.

Supported registry keys:

for old version of Amcache: * File * Programs

for new version of Amcache: • InventoryDriverBinary • InventoryDeviceContainer • InventoryApplication • InventoryApplicationFile * InventoryApplicationShortcut

References

https://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/

__namespace__ = 'amcache'

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

read_key_subkeys(key)

parse_inventory_application()

Parse RootInventoryApplication registry key subkeys.

References

• https://docs.microsoft.com/en-us/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004#microsoftwindowsinventorycoreinventoryapplicationadd

parse_inventory_application_file()

Parse RootInventoryApplicationFile registry key subkeys.

References

• https://docs.microsoft.com/en-us/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004#microsoftwindowsinventorycoreinventoryapplicationadd

parse_inventory_driver_binary()

parse_inventory_application_shortcut()

parse_inventory_device_container()

applications()

Return InventoryApplication records from Amcache hive.

Amcache is a registry hive that stores information about executed programs. The InventoryApplication key holds all application objects that are in cache.

References

• https://docs.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803

• https://www.andreafortuna.org/2017/10/16/amcache-and-shimcache-in-forensic-analysis/

application_files()

Return InventoryApplicationFile records from Amcache hive.

Amcache is a registry hive that stores information about executed programs. The InventoryApplicationFile key holds the application files that are in cache.

References

• https://docs.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803

• https://www.andreafortuna.org/2017/10/16/amcache-and-shimcache-in-forensic-analysis/

drivers()

Return InventoryDriverBinary records from Amcache hive.

Amcache is a registry hive that stores information about executed programs. The InventoryDriverBinary key holds the driver binaries that are in cache.

References

• https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html

• https://docs.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803

• https://www.andreafortuna.org/2017/10/16/amcache-and-shimcache-in-forensic-analysis/

shortcuts()

Return InventoryApplicationShortcut records from Amcache hive.

Amcache is a registry hive that stores information about executed programs. The InventoryApplicationShortcut field holds the shortcuts that are in cache. The key values contain information about the target of the lnk file.

References

• https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html

• https://docs.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803

• https://www.andreafortuna.org/2017/10/16/amcache-and-shimcache-in-forensic-analysis/

device_containers()

Return InventoryDeviceContainer records from Amcache hive.

Amcache is a registry hive that stores information about executed programs. The InventoryDeviceContainer key holds the device containers that are in cache. Example devices are bluetooth, printers, audio, etc.

References

• https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html

• https://docs.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803

• https://www.andreafortuna.org/2017/10/16/amcache-and-shimcache-in-forensic-analysis/

applaunches()

Return AppLaunchAppcompatRecord records from Amcache applaunch files (Windows 11 22H2 or later).

TODO: Research C:WindowsappcompatpcaPcaGeneralDb0.txt and

C:WindowsappcompatpcaPcaGeneralDb1.txt files.

References

• https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/

dissect.target.plugins.os.windows.amcache.parse_win_datetime(value: str)

dissect.target.plugins.os.windows.amcache.parse_win_timestamp(value: str)