
Empty output on win10 version 10.0.16299 amcache.hve files #80

Open
dadodos opened this issue Dec 29, 2017 · 5 comments

Comments

@dadodos

dadodos commented Dec 29, 2017

While running amcache.py against collected Amcache.hve files, no entries are parsed out. I encountered this only on Windows 10 10.0.16299 versions. I'm only assuming that 10.0.16299 also changed something in this file (I'm referring to the AppCompatCache change). The AmCache.hve is readable with a Registry tool and contains valid data. Maybe you can have a look. Side note: other tools also break / are empty :)

Breaks with:
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.16299 N/A Build 16299

The output is simply the header and that's it:

for@workstation
$ amcache.py Amcache.hve
path|sha1|size|file_description|source_key_timestamp|created_timestamp|modified_timestamp|modified_timestamp2|linker_timestamp|product|company|pe_sizeofimage|version_number|version|language|header_hash|pe_checksum|id|switchbackcontext
for@workstation 
$

Works with:
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.15063 N/A Build 15063

@EricZimmerman

That's because the format changed quite drastically in the Fall Creators Update, as I explain here:

https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html

I don't know what other tools you tried that broke, but my amcache parser handles the old and new format. Any existing parsers need to be updated to handle the new keys and values.

As a side note, my appcompatcache parser is also current with all known release formats, afaik.

What other tools have you tried?

@dadodos
Author

dadodos commented Dec 29, 2017

Actually, I also tried your tool and just sent a mail :) I also had issues with AmcacheParser.exe.

@EricZimmerman

Hmm. I haven't seen any email. You can open an issue on my project so we can track it there.

@EricZimmerman

I extracted my own amcache file with X-Ways and things processed fine (this is from v1709 (16299.125), from my machine, as of today) with the latest AmcacheParser.exe.

How did you extract the amcache.hve file you are having issues with? From the errors, it looks like the hive was not extracted properly.
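The two explanations raised in this thread (the post-1709 layout with different keys, and a hive that was not extracted cleanly) can both be checked before blaming a parser. The following is an added example, not code from python-registry, amcache.py or AmcacheParser; it reads only the REGF base block (signature, sequence numbers, checksum, first hive bin) and classifies the layout from the names of the subkeys under Root. The subkey names used for the old and new layouts are assumptions from the public descriptions of the 1709 change; the sample hive it builds is constructed for offline testing and is not a real Amcache.hve.

```python
"""Sanity-check an Amcache.hve before blaming the parser.

Hypothetical helper (not part of python-registry or amcache.py). It answers
two questions from the thread: was the hive extracted properly, and which
Amcache layout does it carry.
"""
import struct

REGF_MAGIC = b"regf"
HBIN_MAGIC = b"hbin"
BASE_BLOCK_SIZE = 0x1000      # the first hive bin starts right after it
CHECKSUM_OFFSET = 0x1FC       # XOR of the 127 DWORDs before it

# Root subkeys that hold file entries in each layout (assumed names).
OLD_FORMAT_KEYS = {"File", "Programs"}
NEW_FORMAT_KEYS = {"InventoryApplicationFile", "InventoryApplication"}


def regf_checksum(base_block: bytes) -> int:
    """Checksum as Windows computes it: XOR of DWORDs 0..0x1FB, with the
    two reserved results (0 and 0xFFFFFFFF) mapped to 1 and 0xFFFFFFFE."""
    total = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        total ^= dword
    if total == 0:
        return 1
    if total == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return total


def check_hive_header(data: bytes) -> dict:
    """Findings about the REGF base block of a hive image.

    A hive copied while Windows still had it open, or one whose transaction
    logs were never applied, usually shows mismatched sequence numbers
    (a dirty hive) or a bad checksum here, before any key is parsed.
    """
    findings = {"regf_signature": False, "sequence_numbers_match": False,
                "checksum_ok": False, "first_hbin_present": False}
    if len(data) < BASE_BLOCK_SIZE + 4:
        return findings  # too short to even hold a base block and one hbin
    findings["regf_signature"] = data[:4] == REGF_MAGIC
    primary, secondary = struct.unpack_from("<II", data, 4)
    findings["sequence_numbers_match"] = primary == secondary
    stored = struct.unpack_from("<I", data, CHECKSUM_OFFSET)[0]
    findings["checksum_ok"] = stored == regf_checksum(data[:0x200])
    findings["first_hbin_present"] = (
        data[BASE_BLOCK_SIZE:BASE_BLOCK_SIZE + 4] == HBIN_MAGIC)
    return findings


def hive_looks_extracted_properly(data: bytes) -> bool:
    """True only if every base-block check passes."""
    return all(check_hive_header(data).values())


def detect_amcache_format(root_subkey_names) -> str:
    """Classify the layout from the subkeys directly under Root:
    'old' (pre-1709), 'new' (1709 and later), 'both' or 'unknown'."""
    names = set(root_subkey_names)
    has_old = bool(names & OLD_FORMAT_KEYS)
    has_new = bool(names & NEW_FORMAT_KEYS)
    if has_old and has_new:
        return "both"
    if has_new:
        return "new"
    if has_old:
        return "old"
    return "unknown"


def build_sample_hive(dirty: bool = False) -> bytes:
    """Constructed minimal REGF base block plus one empty hive bin, for
    offline testing only; this is not a real registry hive."""
    block = bytearray(0x200)
    block[0:4] = REGF_MAGIC
    struct.pack_into("<II", block, 4, 7, 8 if dirty else 7)  # seq numbers
    struct.pack_into("<I", block, CHECKSUM_OFFSET, regf_checksum(bytes(block)))
    hbin = bytearray(0x1000)
    hbin[0:4] = HBIN_MAGIC
    return bytes(block) + bytes(BASE_BLOCK_SIZE - 0x200) + bytes(hbin)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        for name, ok in check_hive_header(fh.read()).items():
            print(f"{name}: {'ok' if ok else 'FAIL'}")
```

With python-registry installed, the list passed to `detect_amcache_format` would be `[k.name() for k in Registry.Registry(path).open("Root").subkeys()]`; a hive that fails `check_hive_header` is worth re-acquiring (or having its transaction logs applied) before drawing any conclusion from empty parser output.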

@dadodos
Author

dadodos commented Dec 29, 2017

Again nice timing, just sent you a mail. Let's stick to that mail for your tool. I do not want to spam this thread. Will give you the commands there.
