Amcache Parser Online
Amcache.hve is one of the richest execution-evidence artifacts on Windows — a system-wide inventory of programs with file paths, SHA-1 hashes, PE metadata and first-seen timestamps. This online Amcache parser reads it in your browser, free, with nothing to install and nothing uploaded.
Open the explorer and drop Amcache.hve in. Load it alongside SYSTEM and the results are correlated with the machine context.
What you get from Amcache
- File inventory — executables the system recorded, with full paths.
- SHA-1 hashes — pivot to threat intel or hunt the same binary across hosts.
- First-seen timestamps — when a binary first appeared (with the usual caveat that this is not proof of execution time).
- Installed programs — the application inventory.
For how the structure is parsed and what the timestamps really mean, read the Amcache plugin deep-dive and pair it with AppCompatCache/Shimcache.
Frequently asked questions
- How do I open an Amcache.hve file?
- Drag Amcache.hve onto the drop zone, or click to browse. It is parsed locally in your browser — the file inventory, SHA-1 hashes and first-seen timestamps are decoded immediately, with nothing uploaded.
- Where is Amcache.hve located?
- C:\Windows\AppCompat\Programs\Amcache.hve. It is a separate hive from SOFTWARE and SYSTEM, so acquire it specifically — it is easy to forget.
- What does Amcache record?
- An inventory of executables and installed programs the system has seen, with file paths, SHA-1 hashes, PE metadata and first-seen timestamps. The SHA-1 is a strong pivot for hash-based hunting.
- Is the hive uploaded anywhere?
- No. Amcache.hve is parsed entirely client-side using WebAssembly, so it never leaves your machine — safe for evidence.