amcache
$ target-query <path/to/target> -f amcache
Module |
|
Output |
|
Module documentation
Appcompat plugin for amcache.hve.
Supported registry keys:
for old version of Amcache:
* File
* Programs
for new version of Amcache:
* InventoryDriverBinary
* InventoryDeviceContainer
* InventoryApplication
* InventoryApplicationFile
* InventoryApplicationShortcut
References:
* https://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html
* https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf
* https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/
Function documentation
This is a namespace plugin. This means that running this plugin automatically runs all other plugins under this namespace: