Empty output on win10 version 10.0.16299 amcache.hve files #80
Description
While running amcache.py against collected Amcache.hve files no entries are parsed out. I encountered this only on Windows 10 10.0.16299 Versions. I'm only assuming that the 10.0.16299 also changed something in this file (I'm referring to the AppCompatCache change). The AmCache.hve is readable with an Registry Tool and contains valid data. Maybe you can have a look. Sidenote: Other tools also break / are empty :)
Breaks with:
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.16299 N/A Build 16299
The output is simply the header and thats it:
for@workstation
$ amcache.py Amcache.hve
path|sha1|size|file_description|source_key_timestamp|created_timestamp|modified_timestamp|modified_timestamp2|linker_timestamp|product|company|pe_sizeofimage|version_number|version|language|header_hash|pe_checksum|id|switchbackcontext
for@workstation
$
Works with:
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.15063 N/A Build 15063