.. generated, remove this comment to keep this file

``amcache.application_files``
=============================

.. code-block:: console

    $ target-query -f amcache.application_files

.. list-table:: Details
   :widths: 20 80

   * - Module
     - ``os.windows.amcache.AmcachePlugin``
   * - Output
     - ``records``

**Module documentation**

Appcompat plugin for amcache.hve.

Supported registry keys:

For old versions of Amcache:

* File
* Programs

For new versions of Amcache:

* InventoryDriverBinary
* InventoryDeviceContainer
* InventoryApplication
* InventoryApplicationFile
* InventoryApplicationShortcut

References:

- https://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html
- https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf
- https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/

**Function documentation**

Return InventoryApplicationFile records from the Amcache hive.

Amcache is a registry hive that stores information about executed programs. The InventoryApplicationFile key holds
the application files that are in cache.

References:

- https://docs.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803
- https://www.andreafortuna.org/2017/10/16/amcache-and-shimcache-in-forensic-analysis/