:py:mod:`dissect.target.plugins.os.windows.amcache`
===================================================

.. py:module:: dissect.target.plugins.os.windows.amcache


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.amcache.AmcachePluginOldMixin
   dissect.target.plugins.os.windows.amcache.AmcachePlugin


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.target.plugins.os.windows.amcache.parse_win_datetime
   dissect.target.plugins.os.windows.amcache.parse_win_timestamp


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.amcache.AMCACHE_FILE_KEYS
   dissect.target.plugins.os.windows.amcache.AMCACHE_PROGRAM_KEYS
   dissect.target.plugins.os.windows.amcache.ShortcutAppcompatRecord
   dissect.target.plugins.os.windows.amcache.FileAppcompatRecord
   dissect.target.plugins.os.windows.amcache.ProgramsAppcompatRecord
   dissect.target.plugins.os.windows.amcache.ApplicationAppcompatRecord
   dissect.target.plugins.os.windows.amcache.ApplicationFileAppcompatRecord
   dissect.target.plugins.os.windows.amcache.BinaryAppcompatRecord
   dissect.target.plugins.os.windows.amcache.ContainerAppcompatRecord
   dissect.target.plugins.os.windows.amcache.AppLaunchAppcompatRecord


.. py:data:: AMCACHE_FILE_KEYS

.. py:data:: AMCACHE_PROGRAM_KEYS

.. py:data:: ShortcutAppcompatRecord

.. py:data:: FileAppcompatRecord

.. py:data:: ProgramsAppcompatRecord

.. py:data:: ApplicationAppcompatRecord

.. py:data:: ApplicationFileAppcompatRecord

.. py:data:: BinaryAppcompatRecord

.. py:data:: ContainerAppcompatRecord

.. py:data:: AppLaunchAppcompatRecord


.. py:class:: AmcachePluginOldMixin

   .. py:attribute:: __namespace__
      :value: 'amcache'


   .. py:method:: parse_file()


   .. py:method:: parse_programs()


   .. py:method:: programs()

      Return Programs records from the Amcache hive.


   .. py:method:: files()

      Return File records from the Amcache hive.


.. py:class:: AmcachePlugin(target)

   Bases: :py:obj:`AmcachePluginOldMixin`, :py:obj:`dissect.target.plugin.Plugin`

   Appcompat plugin for ``amcache.hve``.

   Supported registry keys:

   For the old version of Amcache:

   * File
   * Programs

   For the new version of Amcache:

   * InventoryDriverBinary
   * InventoryDeviceContainer
   * InventoryApplication
   * InventoryApplicationFile
   * InventoryApplicationShortcut

   An Amcache entry shows that a program, file, driver or device was inventoried on the system. On its own it is not proof that a file was executed; see the ANSSI analysis below before treating a record as evidence of execution.

   .. rubric:: References

   - https://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html
   - https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf
   - https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/

   .. py:attribute:: __namespace__
      :value: 'amcache'


   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``), for example after checking that a certain file exists. Otherwise it should raise an ``UnsupportedPluginError``.

      :raises UnsupportedPluginError: If the plugin could not be loaded.


   .. py:method:: read_key_subkeys(key)


   .. py:method:: parse_inventory_application()

      Parse the subkeys of the ``Root\InventoryApplication`` registry key.

      .. rubric:: References

      - https://docs.microsoft.com/en-us/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004#microsoftwindowsinventorycoreinventoryapplicationadd


   .. py:method:: parse_inventory_application_file()

      Parse the subkeys of the ``Root\InventoryApplicationFile`` registry key.

      .. rubric:: References

      - https://docs.microsoft.com/en-us/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004#microsoftwindowsinventorycoreinventoryapplicationadd


   .. py:method:: parse_inventory_driver_binary()


   .. py:method:: parse_inventory_application_shortcut()


   .. py:method:: parse_inventory_device_container()


   .. py:method:: applications()

      Return InventoryApplication records from the Amcache hive.

      Amcache is a registry hive that stores inventory information about programs and files on the system. The InventoryApplication key holds all application objects that are in the cache.

      .. rubric:: References

      - https://docs.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803
      - https://www.andreafortuna.org/2017/10/16/amcache-and-shimcache-in-forensic-analysis/


   .. py:method:: application_files()

      Return InventoryApplicationFile records from the Amcache hive.

      Amcache is a registry hive that stores inventory information about programs and files on the system. The InventoryApplicationFile key holds the application files that are in the cache.

      .. rubric:: References

      - https://docs.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803
      - https://www.andreafortuna.org/2017/10/16/amcache-and-shimcache-in-forensic-analysis/


   .. py:method:: drivers()

      Return InventoryDriverBinary records from the Amcache hive.

      Amcache is a registry hive that stores inventory information about programs and files on the system. The InventoryDriverBinary key holds the driver binaries that are in the cache.

      .. rubric:: References

      - https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html
      - https://docs.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803
      - https://www.andreafortuna.org/2017/10/16/amcache-and-shimcache-in-forensic-analysis/


   .. py:method:: shortcuts()

      Return InventoryApplicationShortcut records from the Amcache hive.

      Amcache is a registry hive that stores inventory information about programs and files on the system. The InventoryApplicationShortcut key holds the shortcuts that are in the cache; its values describe the target of each ``.lnk`` file.

      .. rubric:: References

      - https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html
      - https://docs.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803
      - https://www.andreafortuna.org/2017/10/16/amcache-and-shimcache-in-forensic-analysis/


   .. py:method:: device_containers()

      Return InventoryDeviceContainer records from the Amcache hive.

      Amcache is a registry hive that stores inventory information about programs and files on the system. The InventoryDeviceContainer key holds the device containers that are in the cache, for example Bluetooth devices, printers and audio devices.

      .. rubric:: References

      - https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html
      - https://docs.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803
      - https://www.andreafortuna.org/2017/10/16/amcache-and-shimcache-in-forensic-analysis/


   .. py:method:: applaunches()

      Return AppLaunchAppcompatRecord records from the Amcache applaunch files (Windows 11 22H2 or later).

      TODO: Research the ``C:\Windows\appcompat\pca\PcaGeneralDb0.txt`` and ``C:\Windows\appcompat\pca\PcaGeneralDb1.txt`` files.

      .. rubric:: References

      - https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/


.. py:function:: parse_win_datetime(value: str)


.. py:function:: parse_win_timestamp(value: str)
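The two module-level functions above are listed without bodies, and the inventory keys are named without their value formats. The following added example (written for this page by the editor; it is not dissect.target's code) shows the value conversions an Amcache parser has to do for the newer ``InventoryApplicationFile`` subkeys: the ``MM/DD/YYYY HH:MM:SS`` date strings (``LinkDate``, ``InstallDate``), Windows FILETIME integers, and the ``FileId`` value, which is ``0000`` followed by the SHA-1 of the first 30 MiB of the file (as documented in the ANSSI paper referenced above). The ``parse_win_datetime`` / ``parse_win_timestamp`` functions here are the editor's own implementations of those conversions; whether the project's functions of the same name behave identically is an assumption. The ``SAMPLE_APPLICATION_FILE`` dictionary and the hashed file are constructed for the example, not taken from a real hive.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Amcache writes human-readable dates (InstallDate, LinkDate, ...) as
# "MM/DD/YYYY HH:MM:SS" strings with no zone marker; the values are UTC.
WIN_DATETIME_FORMAT = "%m/%d/%Y %H:%M:%S"
# Windows FILETIME counts 100-nanosecond ticks from 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Amcache hashes only the first 30 MiB of a file into FileId (ANSSI, 2019).
AMCACHE_HASH_LIMIT = 31_457_280


def parse_win_datetime(value: str | None) -> datetime | None:
    """Parse an Amcache date string into an aware UTC datetime; empty -> None."""
    if not value:
        return None
    return datetime.strptime(value, WIN_DATETIME_FORMAT).replace(tzinfo=timezone.utc)


def parse_win_timestamp(value: int | str | None) -> datetime | None:
    """Convert a FILETIME (int, or its decimal string form) to an aware UTC datetime."""
    if value in (None, "", 0, "0"):
        return None
    ticks = int(value)
    # Integer division drops the sub-microsecond part, which datetime cannot hold.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def file_id_to_sha1(file_id: str | None) -> str | None:
    """Return the SHA-1 carried in an Amcache FileId ("0000" + 40 hex digits)."""
    if not file_id:
        return None
    digest = file_id.strip().lower()
    if len(digest) == 44 and digest.startswith("0000"):
        digest = digest[4:]
    if len(digest) != 40 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"not a 0000+SHA-1 FileId: {file_id!r}")
    return digest


def amcache_sha1(path: str, limit: int = AMCACHE_HASH_LIMIT) -> str:
    """SHA-1 over at most the first ``limit`` bytes of ``path``, as Amcache computes it.

    Compare this with file_id_to_sha1() of the hive entry to tell whether the
    binary now on disk is the one that was inventoried. A full-file SHA-1 would
    spuriously mismatch for anything larger than 30 MiB.
    """
    h = hashlib.sha1()
    remaining = limit
    with open(path, "rb") as fh:
        while remaining > 0:
            chunk = fh.read(min(1 << 20, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def normalize_application_file(values: dict, key_last_write: datetime | None = None) -> dict:
    """Flatten raw InventoryApplicationFile subkey values into one typed record.

    key_last_write is the subkey's last-write time, supplied by the caller
    because it lives in the registry key header rather than in a value.
    """
    size = values.get("Size")
    return {
        "mtime_regf": key_last_write,
        "path": values.get("LowerCaseLongPath"),
        "name": values.get("Name"),
        "program_id": values.get("ProgramId"),
        "sha1": file_id_to_sha1(values.get("FileId")),
        "link_date": parse_win_datetime(values.get("LinkDate")),
        "binary_type": values.get("BinaryType"),
        "size": int(size) if size not in (None, "") else None,
        "is_pe": bool(int(values.get("IsPeFile") or 0)),
    }


# Constructed sample shaped like one InventoryApplicationFile subkey; not from a real hive.
SAMPLE_APPLICATION_FILE = {
    "ProgramId": "00064f2b7a1c3e5d9b8a7c6e5f4d3c2b1a0f9e8d7c6b",
    "FileId": "0000c3499c2729730a7f807efb8676a92dcb6f8a3f8f",
    "LowerCaseLongPath": "c:\\users\\alice\\downloads\\update.exe",
    "Name": "update.exe",
    "LinkDate": "11/14/2023 22:13:20",
    "BinaryType": "pe64_amd64",
    "Size": "123456",
    "IsPeFile": 1,
}


def demo_hash_check() -> tuple[str, str, str, str]:
    """Hash a small constructed file fully and with a 50-byte limit to show truncation."""
    data = b"MZ" + b"A" * 98  # 100 bytes of constructed "binary"
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return (
            amcache_sha1(path),
            hashlib.sha1(data).hexdigest(),
            amcache_sha1(path, limit=50),
            hashlib.sha1(data[:50]).hexdigest(),
        )
    finally:
        os.unlink(path)
```

When matching hive entries against binaries recovered from the same image, hash with ``amcache_sha1`` rather than a plain full-file SHA-1; the two agree only for files under 30 MiB, and a mismatch on a large installer is otherwise easy to misread as tampering.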
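The plugin is registered under the ``amcache`` namespace, so its record functions are reached as ``target.amcache.<function>()``. The following added example (the editor's script, not part of dissect.target) pulls every record the plugin can produce for a target and lays the timestamps on one timeline. It assumes ``Target.open`` from ``dissect.target`` as the entry point for an image or directory, that the functions named on this page are callable on the plugin, and that flow.record records expose ``_asdict()``; because the page does not list the record field names, the timeline does not depend on them and instead keeps every datetime-valued field. The ``SAMPLE_RECORDS`` stand-ins are constructed with illustrative field names so the helpers run without a target.

```python
from __future__ import annotations

import sys
from datetime import datetime, timezone
from types import SimpleNamespace
from typing import Any, Iterable, Iterator

# Record-yielding functions documented on this page. "files" and "programs"
# come from the old-format mixin; the rest exist only for the newer inventory keys.
AMCACHE_FUNCTIONS = (
    "files", "programs", "applications", "application_files",
    "drivers", "shortcuts", "device_containers", "applaunches",
)


def record_fields(record: Any) -> dict[str, Any]:
    """Flatten a record into name -> value without assuming its concrete type.

    dissect records are flow.record objects and (assumed here) expose
    _asdict(); the constructed stand-ins below, or any plain object, fall
    back to their public attributes.
    """
    asdict = getattr(record, "_asdict", None)
    if callable(asdict):
        return dict(asdict())
    return {k: v for k, v in vars(record).items() if not k.startswith("_")}


def _as_utc(value: datetime) -> datetime:
    """Treat naive timestamps as UTC so rows from different sources sort together."""
    return value.replace(tzinfo=timezone.utc) if value.tzinfo is None else value.astimezone(timezone.utc)


def timeline(records: Iterable[tuple[str, Any]]) -> list[tuple[datetime, str, str, str]]:
    """Turn (source, record) pairs into sorted (ts, source, field, summary) rows.

    One record may carry several clocks (a PE link date, the registry key's
    last-write time, an install date). Each becomes its own row tagged with
    the field it came from, so "when it was linked" is never confused with
    "when the hive last saw it". Records without any timestamp are skipped.
    """
    rows: list[tuple[datetime, str, str, str]] = []
    for source, record in records:
        fields = record_fields(record)
        strings = [v for v in fields.values() if isinstance(v, str) and v]
        # Prefer a path-looking string as the one-line summary, else any string.
        summary = next((s for s in strings if "\\" in s or "/" in s), strings[0] if strings else "")
        for name, value in fields.items():
            if isinstance(value, datetime):
                rows.append((_as_utc(value), source, name, summary))
    rows.sort(key=lambda row: row[0])
    return rows


def iter_amcache(target: Any) -> Iterator[tuple[str, Any]]:
    """Yield (function name, record) for every Amcache function the target exposes."""
    plugin = target.amcache
    for func in AMCACHE_FUNCTIONS:
        method = getattr(plugin, func, None)
        if method is None:
            continue
        for record in method():
            yield func, record


# Constructed stand-ins shaped like plugin output; the field names are illustrative only.
SAMPLE_RECORDS = [
    ("application_files", SimpleNamespace(
        path="c:\\users\\alice\\downloads\\update.exe",
        link_date=datetime(2023, 11, 14, 22, 13, 20, tzinfo=timezone.utc),
        mtime_regf=datetime(2023, 11, 15, 8, 0, 0, tzinfo=timezone.utc),
    )),
    ("applications", SimpleNamespace(
        name="Example Updater",
        install_date=datetime(2023, 11, 15, 7, 59, 30),  # naive; treated as UTC
    )),
    ("drivers", SimpleNamespace(name="example.sys", mtime_regf=None)),  # no clock -> no row
]


def demo() -> list[tuple[datetime, str, str, str]]:
    """Run the timeline over the constructed records (no target needed)."""
    return timeline(SAMPLE_RECORDS)


def main(argv: list[str]) -> int:
    # Imported here so the pure helpers above also run where dissect.target is absent.
    from dissect.target import Target

    if len(argv) != 2:
        print(f"usage: {argv[0]} <disk image or directory>", file=sys.stderr)
        return 2
    target = Target.open(argv[1])
    for ts, source, field, summary in timeline(iter_amcache(target)):
        print(f"{ts.isoformat()}\t{source}\t{field}\t{summary}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The same records are available without a script through ``target-query -f amcache.applications`` (or any other function name from this page); the script's value is the per-field rows, which keep the key's last-write time, the link date and the install date as separate events instead of collapsing them into one "executed at" column.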