Skip to content

Instantly share code, notes, and snippets.

@williballenthin

williballenthin/amcache_py_examples.md

Last active February 13, 2021 15:34
Show Gist options
  • Star 15 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save williballenthin/ee512eacb672320f2df5 to your computer and use it in GitHub Desktop.
Save williballenthin/ee512eacb672320f2df5 to your computer and use it in GitHub Desktop.
Download ZIP
Examples of amcache.py
Raw
amcache_py_examples.md

amcache.py

Download location

https://github.com/williballenthin/python-registry/blob/master/samples/amcache.py

Usage

$ python amcache.py -h

usage: amcache.py [-h] [-v] [-t] registry_hive

Parse program execution entries from the Amcache.hve Registry hive

positional arguments:
  registry_hive  Path to the Amcache.hve hive to process

optional arguments:
  -h, --help     show this help message and exit
  -v             Enable verbose output
  -t             Output in simple timeline format

Data parsed

  • Product name
  • Company name
  • File version number
  • Language code
  • SwitchBackContext
  • File version
  • File size
  • PE header field - SizeOfImage
  • Hash of PE header (unknown algorithm)
  • PE Header field - Checksum
  • File description
  • Linker (compile time) timestamp
  • Last modified timestamp
  • Created timestamp
  • Full path to file
  • Last modified timestamp 2
  • Program ID
  • SHA1 hash of file

Default output (CSV)

$ python amcache.py ~/data\ sets/amcache/Amcache.hve | head

path|sha1|size|file_description|first_run|created_timestamp|modified_timestamp|modified_timestamp2|linker_timestamp|product|company|pe_sizeofimage|version_number|version|language|header_hash|pe_checksum|id|switchbackcontext
C:\Users\Willi\Desktop\SysinternalsSuite\procexp.exe|00000a34a5c547aadea85cf48d0126fb68ac49db4c42|2480312|Sysinternals Process Explorer|2014-11-02 11:45:32.392057|2014-09-15 04:00:30|2014-09-11 00:57:26|2014-09-11 00:57:25.758560|2014-09-01 13:40:54|Process Explorer|Sysinternals - www.sysinternals.com|2633728|16.04|16.04|1033|0101589f8a54657850c6914614cae0bc784df972ed17|2510379|00037848f798b0b4f9f8b1c84b09883005e900000904|72057594138789121
C:\Users\Willi\Desktop\SysinternalsSuite\Procmon.exe|00001eaa26b6117f1a76fc0f94a96ed8b1103b8d8112|2510528|Process Monitor|2014-11-02 11:45:32.485809|2014-09-15 04:00:30|2014-03-06 16:53:26|2014-03-06 16:53:26.172102|2014-02-21 13:53:31|Sysinternals Procmon|Sysinternals - www.sysinternals.com|2547712|3.10|3.10|1033|0101f347ad585a1b5e8161b880a7cd702ea6ace1fd38|2512853|0003a75f5c4145827f05d56f1d90c7f1659500000904|72057594138658048
C:\Windows\SysWOW64\msvcr71.dll||||2014-09-14 01:22:34.132875|1601-01-01 00:00:00|1601-01-01 00:00:00|2003-02-21 11:42:22.018431|1969-12-31 19:00:00|||||||||0000803826ad3f9b86341baca72ee8eda4fb00000904|

Timeline output (-t)

$ python amcache.py ~/data\ sets/amcache/Amcache.hve -t | tail

2014-11-02 11:45:32.892056|first_run|C:\Users\Willi\Desktop\rrs\tools\pslist.exe|00004273b7bd38fc1f203ccc5fdfa1f7331b2683f001
2014-11-02 11:45:32.970181|first_run|C:\Users\Willi\Desktop\rrs\tools\robocopy.exe|00007d8dfdb209621b5e2700842fd301c74c3a3896ad
2014-11-02 11:45:33.063927|first_run|C:\Users\Willi\Desktop\rrs\tools\Listdlls.exe|0000cf1d18cf4ee232052dfd7f1a6100e86d804e1b0b
2014-11-02 11:45:33.142050|first_run|C:\Users\Willi\Desktop\rrs\tools\Tcpvcon.exe|00004532822ae9cc083115c32e6aa9c4e08c3d673575
2014-11-02 11:45:33.345173|first_run|C:\Users\Willi\Desktop\rrs\tools\md5deep.exe|0000ed95b93cb6152b337c42947437ae64d524931218
2014-11-02 11:45:33.423298|first_run|C:\Users\Willi\Desktop\rrs\tools\mkdir.exe|0000527cbcd51b01d37254b504278093f49c6a7b233c
2014-11-02 11:45:33.501419|first_run|C:\Users\Willi\Desktop\rrs\win7_cmd.exe|00007284a768e31b82eea48679b9ab8e2e27232b488e
2014-11-02 11:45:33.595171|first_run|C:\Users\Willi\Desktop\rrs\tools\logonsessions.exe|00007c762173d3c7f4366371e2a475b8b5bafb5bf64f
2014-11-02 11:45:33.704550|first_run|C:\Users\Willi\Desktop\rrs\tools\handle.exe|0000ce715d9677dbb9a56cf07d00b4847a12b5f0ed21
2014-11-02 11:45:33.813917|first_run|C:\Users\Willi\Desktop\rrs\tools\winpmem.exe|0000b6bc78e75a9113ad1b9f32b0fef28b516a32f240

Dependencies (install via pip)

  • argparse
  • unicodecsv
  • python-registry
@1UC1F3R616
Copy link

I am getting below error

kush@kali:~/Desktop/sf_kali/forensics$ python3 amcache.py Amcache.hve -t
Traceback (most recent call last):
  File "amcache.py", line 225, in <module>
    main(argv=sys.argv)
  File "amcache.py", line 213, in main
    w.writerow(["timestamp", "timestamp_type", "path", "sha1"])
  File "/usr/lib/python3/dist-packages/unicodecsv/py3.py", line 28, in writerow
    return self.writer.writerow(row)
  File "/usr/lib/python3/dist-packages/unicodecsv/py3.py", line 15, in write
    return self.binary.write(string.encode(self.encoding, self.errors))
TypeError: write() argument must be str, not bytes

@williballenthin

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment