amcache.applications
$ target-query <path/to/target> -f amcache.applications
Module documentation
Appcompat plugin for amcache.hve.
Supported registry keys:
For old versions of Amcache:
* File
* Programs
For new versions of Amcache:
* InventoryDriverBinary
* InventoryDeviceContainer
* InventoryApplication
* InventoryApplicationFile
* InventoryApplicationShortcut
References:
* https://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html
* https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf
* https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/
Function documentation
Return InventoryApplication records from Amcache hive.
Amcache is a registry hive that stores information about executed programs. The InventoryApplication key holds all application objects that are in the cache.