Empty output on win10 version 10.0.16299 amcache.hve files
While running amcache.py against collected Amcache.hve files no entries are parsed out. I encountered this only on Windows 10 10.0.16299 versions. I'm only assuming that the 10.0.16299 also changed something in this file (I'm referring to the AppCompatCache change). The AmCache.hve is readable with a Registry Tool and contains valid data. Maybe you can have a look. Sidenote: Other tools also break / are empty :)
Breaks with: OS Name: Microsoft Windows 10 Pro OS Version: 10.0.16299 N/A Build 16299
The output is simply the header and that's it:
for@workstation
$ amcache.py Amcache.hve
path|sha1|size|file_description|source_key_timestamp|created_timestamp|modified_timestamp|modified_timestamp2|linker_timestamp|product|company|pe_sizeofimage|version_number|version|language|header_hash|pe_checksum|id|switchbackcontext
for@workstation
$
Works with: OS Name: Microsoft Windows 10 Pro OS Version: 10.0.15063 N/A Build 15063
That's because the format changed quite drastically in the Fall Creators Update, as I explain here:
https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html
I don't know what other tools you tried that broke, but my amcache parser handles the old and new format. Any existing parsers need to be updated to handle the new keys and values.
As a side note, my appcompatcache parser is also current with all known release formats afaik
What other tools have you tried?
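The comment above explains why a parser written for the pre-1709 hive returns only the header: the entries moved from Root\File to Root\InventoryApplicationFile with named values instead of numbered ones. The following is an added example (not code from this thread, from amcache.py or from AmcacheParser) that tells the two layouts apart from the Root subkey names, reports an empty or badly extracted hive as "unknown" instead of silently yielding zero rows, and normalises one new-layout entry. Assumptions: the new-layout key and value names (InventoryApplicationFile, LowerCaseLongPath, FileId, LinkDate, ...) follow the public description of the 1709 format; FileId is the SHA-1 prefixed with four zero characters; the LinkDate string format is assumed to be MM/DD/YYYY HH:MM:SS; the sample hive content is constructed; the optional loader uses the python-registry API.

```python
"""Detect the Amcache.hve layout (pre-1709 vs 1709+) and normalise one
InventoryApplicationFile entry. Added example; not project code.
"""
from datetime import datetime, timezone

# Root subkeys that identify each layout (names assumed from the public
# description of the Fall Creators Update format).
OLD_LAYOUT_KEYS = {"File", "Programs"}
NEW_LAYOUT_KEYS = {"InventoryApplicationFile", "InventoryApplication"}


def detect_layout(root_subkeys):
    """Return 'pre-1709', '1709+', 'mixed' or 'unknown' from the names of the
    subkeys directly under Root. A hive carrying neither set (for example one
    copied while locked, so effectively empty) reports 'unknown' so the caller
    can distinguish 'wrong parser' from 'bad extraction'."""
    names = set(root_subkeys)
    old = bool(names & OLD_LAYOUT_KEYS)
    new = bool(names & NEW_LAYOUT_KEYS)
    if old and new:
        return "mixed"
    if new:
        return "1709+"
    if old:
        return "pre-1709"
    return "unknown"


def sha1_from_file_id(file_id):
    """FileId in the 1709+ layout is the file's SHA-1 with four leading zero
    characters (assumed); strip them and validate the remaining 40 hex digits."""
    if file_id is None:
        return None
    if file_id.startswith("0000"):
        file_id = file_id[4:]
    if len(file_id) != 40 or any(c not in "0123456789abcdefABCDEF" for c in file_id):
        raise ValueError("FileId does not carry a SHA-1: %r" % file_id)
    return file_id.lower()


def parse_inventory_application_file(values):
    """Normalise one InventoryApplicationFile\\<id> entry given as a
    {value_name: data} mapping. LinkDate is assumed to be a string of the form
    MM/DD/YYYY HH:MM:SS; it is converted to an aware UTC datetime."""
    link_date = values.get("LinkDate")
    if link_date:
        link_date = datetime.strptime(link_date, "%m/%d/%Y %H:%M:%S")
        link_date = link_date.replace(tzinfo=timezone.utc)
    return {
        "path": values.get("LowerCaseLongPath"),
        "name": values.get("Name"),
        "sha1": sha1_from_file_id(values.get("FileId")),
        "size": values.get("Size"),
        "program_id": values.get("ProgramId"),
        "linker_timestamp": link_date,
        "publisher": values.get("Publisher"),
        "version": values.get("Version"),
    }


def load_root_subkeys(hive_path):
    """Optional: read the Root subkey names from a hive on disk with
    python-registry (pip install python-registry). Imported lazily so the
    constructed sample below runs without it."""
    from Registry import Registry
    reg = Registry.Registry(hive_path)
    return [k.name() for k in reg.open("Root").subkeys()]


# Constructed sample data (not taken from any real machine).
SAMPLE_ROOT_SUBKEYS_1709 = ["InventoryApplicationFile", "InventoryApplication",
                            "InventoryDeviceContainer", "InventoryDriverBinary"]
SAMPLE_ROOT_SUBKEYS_OLD = ["File", "Programs"]
SAMPLE_ENTRY_1709 = {
    "LowerCaseLongPath": "c:\\windows\\system32\\notepad.exe",
    "Name": "notepad.exe",
    "FileId": "0000da39a3ee5e6b4b0d3255bfef95601890afd80709",  # constructed
    "ProgramId": "constructed-program-id",
    "Size": 245760,
    "LinkDate": "10/02/2017 14:05:41",
    "Publisher": "microsoft corporation",
    "Version": "10.0.16299.15",
}

if __name__ == "__main__":
    print("old sample:", detect_layout(SAMPLE_ROOT_SUBKEYS_OLD))
    print("1709 sample:", detect_layout(SAMPLE_ROOT_SUBKEYS_1709))
    for k, v in parse_inventory_application_file(SAMPLE_ENTRY_1709).items():
        print("%-17s %s" % (k, v))
```

Running detect_layout() first is the useful check here: a '1709+' result against a tool that only walks Root\File explains an empty table, while 'unknown' points at the extraction step rather than the parser, which is exactly the distinction raised later in this thread.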
Actually I also tried your tool and just sent a mail :) I also had issues with AmcacheParser.exe
Hmm. I haven't seen any email. You can open an issue on my project so we can track it there.
I extracted my own amcache file with X-Ways and things processed fine (this is from v1709 (16299.125), from my machine, as of today) with the latest AmcacheParser.exe
How did you extract the amcache.hve file you are having issues with? From the errors, it looks like the hive was not extracted properly
Again nice timing, just sent you a mail. Let's stick to that mail for your tool. I do not want to spam this thread. Will give you the commands there.