amcache.applaunches

$ target-query <path/to/target> -f amcache.applaunches

Details

Module	dissect.target.plugins.os.windows.amcache.AmcachePlugin
Output	records

Module documentation

Appcompat plugin for amcache.hve.

Supported registry keys for old version of Amcache:

• File

• Programs

Supported registry keys for new version of Amcache:

• InventoryDriverBinary

• InventoryDeviceContainer

• InventoryApplication

• InventoryApplicationFile

• InventoryApplicationShortcut

References:

• https://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html

• https://cyber.gouv.fr/sites/default/files/2019/01/anssi-coriin_2019-analysis_amcache.pdf

• https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/

Function documentation

Return PcaAppLaunchAppcompatRecord records from Amcache PCA AppLaunch files (Windows 11 22H2 or later).

References:

• https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/