amcache.shortcuts

$ target-query <path/to/target> -f amcache.shortcuts
Details

Module

os.windows.amcache.AmcachePlugin

Output

records

Module documentation

Appcompat plugin for amcache.hve.

Supported registry keys:

For old versions of Amcache:
  * File
  * Programs

For new versions of Amcache:
  * InventoryDriverBinary
  * InventoryDeviceContainer
  * InventoryApplication
  * InventoryApplicationFile
  * InventoryApplicationShortcut

References:

  * https://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html
  * https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf
  * https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/

Function documentation

Return InventoryApplicationShortcut records from Amcache hive.

Amcache is a registry hive that stores information about executed programs. The InventoryApplicationShortcut key holds the shortcuts (.lnk files) that are in the cache; the values under each entry describe the target of the .lnk file.

References:
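As an added example (not part of dissect.target or this plugin), the following Python triages the shortcut records this function returns once they have been exported as JSON lines; the field names `path` (where the .lnk lives) and `target` (what it points at), and the JSON-lines export itself, are assumptions for the example, since the page only states that each entry carries information about the .lnk target. It flags shortcuts placed in a Startup folder and targets that sit in user-writable locations, two things an analyst checks first when reviewing evidence of execution.

```python
import json
from pathlib import PureWindowsPath

# Constructed sample: three records in the JSON-lines shape assumed for an
# export of amcache.shortcuts. The keys "path" (.lnk location) and "target"
# (what the .lnk points at) are assumptions for this example, not the real
# record layout; check your own export before relying on them.
SAMPLE_JSONL = r"""
{"path": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Notepad++.lnk", "target": "C:\\Program Files\\Notepad++\\notepad++.exe"}
{"path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.lnk", "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"}
{"path": "C:\\Users\\alice\\Desktop\\tool.lnk", "target": "C:\\Users\\alice\\Downloads\\tool.exe"}
"""

STARTUP_HINT = "/start menu/programs/startup/"
WRITABLE_HINTS = ("/temp/", "/downloads/", "/programdata/", "/users/public/")


def _norm(path: str) -> str:
    """Lower-cased, forward-slash form so substring checks are case-insensitive."""
    return PureWindowsPath(path).as_posix().lower()


def load_records(jsonl: str) -> list[dict]:
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def classify(record: dict) -> list[str]:
    """Return the triage reasons that apply to one shortcut record (empty if none)."""
    lnk, target = _norm(record["path"]), _norm(record["target"])
    reasons = []
    if STARTUP_HINT in lnk:
        reasons.append("shortcut in Startup folder (autostart)")
    if any(hint in target for hint in WRITABLE_HINTS):
        reasons.append("target in user-writable location")
    return reasons


def triage(records: list[dict]) -> list[dict]:
    """Keep only records with at least one reason; input order is preserved."""
    hits = []
    for rec in records:
        reasons = classify(rec)
        if reasons:
            hits.append({"lnk": rec["path"], "target": rec["target"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(load_records(SAMPLE_JSONL)):
        print(f"{hit['lnk']} -> {hit['target']}: {'; '.join(hit['reasons'])}")
```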