Hello Reader,
Tonight we reached another conclusion on our road to understanding the Amcache hive.
Here is what we learned:
- As Maxim Suhanov pointed out on Twitter, for Windows 7 there is a scheduled task called 'Microsoft Compatibility Appraiser' that runs every night and updates the Amcache
- On Windows 10 that same task exists, but the Amcache is updated after GUI executions
- Non-executed programs on the Desktop, at least, are added when the scheduled task runs
- If a program is modified and its hash changed, the new entry will be updated when the scheduled task runs again, not when the program is executed
- There is a registry key in the SOFTWARE hive that Maxim found that appears to contain compressed appcompat data in Windows 7; in Windows 10 I found no entries
Tomorrow night we check what Windows 7 is doing, validating what Maxim has found and what we have found in Windows 10.
You can watch the video here: