`amcache.applaunches`#

$ target-query <path/to/target> -f amcache.applaunches

Details#
Module	`os.windows.amcache.AmcachePlugin`
Output	`records`

Module documentation

Appcompat plugin for amcache.hve.

Supported registry keys:

for old version of Amcache: * File * Programs

for new version of Amcache: • InventoryDriverBinary • InventoryDeviceContainer • InventoryApplication • InventoryApplicationFile * InventoryApplicationShortcut

References:: https://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/

Function documentation

Return AppLaunchAppcompatRecord records from Amcache applaunch files (Windows 11 22H2 or later).

TODO: Research C:WindowsappcompatpcaPcaGeneralDb0.txt and

C:WindowsappcompatpcaPcaGeneralDb1.txt files.

References:

https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/

amcache.applaunches#

`amcache.applaunches`#