Monday, 16 December 2013

Amcache.hve - Part 2

My last post about the Amcache.hve file only concentrated on the 'File' key since that's where all of the good stuff is! This post describes the remaining contents of the Amcache.hve file, the other files in the AppCompat folder (where Amcache.hve is located) and useful information contained therein.

As noted in the earlier post, there are 4 sub-Keys containing data - File, Generic, Orphan, Programs. There is also one value called Sync as shown below.

Contents of Amcache.hve/Root

The Sync value holds an 8 byte FILETIME timestamp. I believe this represents the last time this data was synced with the 'AEINV_CURRENT.xml' file also contained in the same folder as amcache.hve. However, not all information is synced. The synced information appears to be mostly about installed programs or installers run. Traces for standalone application (applications that are not installed) runs are never synced and only remain in the Amcache.hve file. Update (9 Jan 2014): Standalone applications runs are also seen here at times.

Programs Key

The 'Programs' key contains data about installed programs, the same information you can find in the Control Panel -> Programs & Features. This is somewhat similar to the data in the File key. Each subkey contains a ProgramID, which is an ID assigned to every MSI (installer) package when it is compiled. Each of these contain values as seen below. The interpretation of these values differ from the ones found under 'File'.


Here is the description for values that exist under Programs.

ValueDescriptionData Type
0Program NameUNICODE string
1Program VersionUNICODE string
2PublisherUNICODE string
3Language code (1033 for en-US)UNICODE string
4~ Not seen ~
5Unknown Flags (usually 256)DWORD
6Entry Type (usually AddRemoveProgram)UNICODE string
7Registry Uninstall KeyUNICODE string
8~ Not seen ~
9~ Not seen ~
aInstall DateQWORD (Lower 4 bytes is unix date)
bUnknown (always zero?)QWORD
c~ Not seen ~
dList of File PathsUNICODE strings (REG_MULTI_SZ)
fProduct Code (GUID)UNICODE string
10Package Code (GUID)UNICODE string
11MSI Product Code (GUID)UNICODE string
12MSI Package Code (GUID)UNICODE string
13Unknown (usually zero)QWORD
FilesList of  Files in this package (VolumeGuid@FileRefUNICODE strings (REG_MULTI_SZ)

In my analysis, most of the files (not all) referenced in the 'Files' list here could be found in the 'File' key.

Orphan and Generic Keys

The Orphan Key contains keys having the name in the format VolumeGuid@FileRef. A sample key looks like this:
      Orphan\44177282-4260-11e3-9713-806e6f6e6963@30000e61a
where '44177282-4260-11e3-9713-806e6f6e6963' is the Volume GUID and '30000e61a' is the file reference number. Beneath this key is a single Value by name 'c' containing an unknown DWORD value which is either 0 or 1.

'Orphan' key in Amcache.hve Hive
See the below screenshot for a view of the Generic Key. Under the '0' subkey you find many keys which are either GUIDs or File IDs. These File IDs (as Microsoft calls them) are simply SHA1 hashes of the files they represent.  It is unknown what the GUIDs represent. Similar to the Orphan keys, here too each of these leaf node keys (GUID or File ID) has a value by name '0' containing an unknown DWORD which is either 0 or 1.
'Generic' key in Amcache.hve Hive
Cross referencing entries from the 'File' and 'Programs' keys to the files referenced by Generic and Orphan shows many matches, many missing as well as extra entries. So the relationship between these is not entirely clear.

Other files in this folder

Apart from the log/cache files associated with the Amcache.hve hive, there are some other files in the AppCompat folder:
  1. AEINV_AMI_WER_{MachineID-GUID}_DATE_TIME.xml
  2. AEINV_CURRENT.xml
  3. AEINV_PREVIOUS.xml
The AEINV here stands for 'Application Experience Inventory'.
All of the above are XML files containing similar data about installed programs, files, application metadata and IE Addons (toolbars and plugins) information. The AEINV_AMI_WER_{MachineID-GUID}_DATE_TIME.xml file is related to Windows Error Reporting (WER). Here the MachineID-Guid is a value generated and used by WER only. This file existed in Windows 7 too with almost the same contents.

Device Information (new in Windows 8)

In Windows 8, this file also stores machine Device information containing among other things USBSTOR information although not in the detail found elsewhere in the registry. So you don't have device unique serial IDs or container IDs but you do get some descriptive strings like 'Seagate Backup+' or 'Sandisk Cruzer v3'. It does contain some Device GUIDs (although I am unable to match it to anything in the registry or setupapi log yet).

Snippet from AIENV_AMI_WER_xxxxxx xml file showing USBSTOR device info

AEINV_PREVIOUS.xml also existed in same format in Windows 7. AEINV_CURRENT.xml is a new addition in Windows 8, but contains similar data. By analyzing the timestamps and USNJRNL log, it is apparent that periodically the 'PREVIOUS' file gets deleted, then the 'CURRENT' file get renamed to 'PREVIOUS' and a new 'CURRENT' file is created and populated with data. (That was obvious from the file names but I just had to confirm!)

Snippet from the parsed NTFS $USNJRNL.$J file

1 comment:

  1. Yogesh,

    Thanks again for sharing this information publicly...it's a great start to further testing.

    > In my analysis, most of the files (not all) referenced in the 'Files' list here could be found in the 'File' key.

    That's okay, because the Files value lists the volume and MFT file reference, which means that even if the file itself is NOT listed beneath the Files key, as long as the analyst still has access to the system and at least the MFT, they can go back and take a look at that file.

    ReplyDelete