.. generated, remove this comment to keep this file

``amcache.shortcuts``
=====================

.. code-block:: console

    $ target-query -f amcache.shortcuts

.. list-table:: Details
    :widths: 20 80

    * - Module
      - ``os.windows.amcache.AmcachePlugin``
    * - Output
      - ``records``

**Module documentation**

Appcompat plugin for amcache.hve.

Supported registry keys:

for old version of Amcache:

* File
* Programs

for new version of Amcache:

* InventoryDriverBinary
* InventoryDeviceContainer
* InventoryApplication
* InventoryApplicationFile
* InventoryApplicationShortcut

References:

- https://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html
- https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf
- https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/

**Function documentation**

Return InventoryApplicationShortcut records from Amcache hive.

Amcache is a registry hive that stores information about executed programs. The InventoryApplicationShortcut field holds the shortcuts that are in cache. The key values contain information about the target of the lnk file.

References:

- https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html
- https://docs.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803
- https://www.andreafortuna.org/2017/10/16/amcache-and-shimcache-in-forensic-analysis/