Prefetch

Prefetch is not present by default on Windows Server operating systems.

Windows Prefetch is a performance feature that pre-loads application data to make system boot and application startup faster. A Prefetch file is created whenever a program is executed from a specific path; if the same binary is executed from different locations, a separate Prefetch file is created for each location. A Prefetch file can be created even if the executable did not run successfully.

The Prefetch directory is limited to 1024 files on Windows 8 and later (128 on Windows 7 and earlier).

A Prefetch file is written roughly 10 seconds after the program starts executing.

When an executable is run for the first time, a Prefetch file is created. It can be used to determine what was executed and when.

C:\Windows\Prefetch\<EXECUTABLE.EXE>-<RANDOM_ID>.pf
Filename example: POWERSHELL.EXE-022A1004.pf

The file-access list inside a Prefetch file can reference alternate data streams of the executable, which tell you something about its origin:
  • MALICIOUS.EXE:SMARTSCREEN present in the output = the binary was scanned by Defender
  • MALICIOUS.EXE:ZONE.IDENTIFIER present in the output = the binary was downloaded from the internet

Prefetch has the following forensic artifacts of interest:

  • File name and size of the binary executed

  • The execution timestamps: the last run time and, starting with Windows 8, the last eight run times. The gap between the last run time and the Prefetch file's modified time can indicate how long the execution took.

  • The Prefetch file's NTFS created and last modified timestamps, which also indicate the first and last time the program was executed.

  • Run count (number of times the binary was executed).

  • List of files and directories accessed during the first ten seconds of execution (including any DLLs loaded). The full path to the executable can often be determined from this list (ambiguity is possible if the binary accesses another binary with the same name).

Prefetch can be enabled/disabled in the registry:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

Values that can be set for “EnablePrefetcher”:

0 – Disable Prefetcher
1 – Application launch Prefetching enabled
2 – Boot Prefetching enabled
3 – Application launch and Boot Prefetching enabled

The default value is 3.

Parsing:

Eric Zimmerman's PECmd:

# Parses the specified Prefetch file.
PECmd.exe [-q --csv <CSV_DIRECTORY_OUTPUT>] -f <PF_FILE>

# Recursively retrieves and parses the Prefetch files in the specified directory.
PECmd.exe [-q --csv <CSV_DIRECTORY_OUTPUT>] -d <C:\Windows\Prefetch | C:\ | DIRECTORY>
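To show what a parser such as PECmd actually pulls out of the artifacts listed above (executable name, hash from the file name, run count, run timestamps), here is a small Python header parser run on a constructed Prefetch image. This is an added example, not code from the original notes or from PECmd. The field offsets for format versions 17 (XP/2003), 23 (Vista/7) and 26 (Windows 8.x) follow the publicly documented Prefetch layout; version 30 (Windows 10/11) files are stored in a compressed "MAM\x04" container, which the code only detects. The sample bytes, the executable name MALICIOUS.EXE, the hash 0x1A2B3C4D and the run times are all constructed for the example.

```python
"""Minimal Windows Prefetch (.pf) header parser on constructed sample data (added example)."""
import struct
from datetime import datetime, timedelta, timezone

SCCA_SIGNATURE = b"SCCA"
MAM_SIGNATURE = b"MAM\x04"          # Windows 10+ compressed container
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Absolute file offsets of the last-run timestamp block, the number of 8-byte
# timestamp slots it holds, and the run-count field, per format version.
LAYOUT = {
    17: {"last_run": 120, "run_slots": 1, "run_count": 144},   # XP / 2003
    23: {"last_run": 128, "run_slots": 1, "run_count": 152},   # Vista / 7
    26: {"last_run": 128, "run_slots": 8, "run_count": 208},   # Windows 8.x
}


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means an empty slot."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch_name(filename):
    """Split 'POWERSHELL.EXE-022A1004.pf' into ('POWERSHELL.EXE', 0x022A1004)."""
    base = filename[:-3] if filename.lower().endswith(".pf") else filename
    exe, _, hash_hex = base.rpartition("-")
    return exe, int(hash_hex, 16)


def parse_prefetch(data):
    """Return executable name, hash, run count and run timestamps from raw .pf bytes."""
    if data[:4] == MAM_SIGNATURE:
        # Windows 10+: 4-byte signature, 4-byte uncompressed size, LZXPRESS-Huffman payload.
        return {"compressed": True, "uncompressed_size": struct.unpack_from("<I", data, 4)[0]}
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != SCCA_SIGNATURE:
        raise ValueError("not a Prefetch file (missing SCCA signature)")
    layout = LAYOUT.get(version)
    if layout is None:
        raise ValueError(f"unsupported Prefetch format version {version}")
    file_size = struct.unpack_from("<I", data, 12)[0]
    # 60-byte NUL-padded UTF-16LE executable name at offset 16, prefetch hash at offset 76.
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 76)[0]
    run_count = struct.unpack_from("<I", data, layout["run_count"])[0]
    run_times = []
    for slot in range(layout["run_slots"]):
        ft = struct.unpack_from("<Q", data, layout["last_run"] + 8 * slot)[0]
        if ft:
            run_times.append(filetime_to_datetime(ft))
    return {"compressed": False, "version": version, "file_size": file_size,
            "exe_name": exe_name, "hash": pf_hash, "run_count": run_count,
            "run_times": run_times}


def build_sample_v26(exe_name, pf_hash, run_times, run_count):
    """Construct a minimal version-26 (Windows 8) .pf image for the parser (sample data, not a real artifact)."""
    name_field = exe_name.encode("utf-16-le").ljust(60, b"\x00")
    header = struct.pack("<I4sII", 26, SCCA_SIGNATURE, 0x11, 0) + name_field + struct.pack("<II", pf_hash, 0)
    info = bytearray(224)  # version-26 file-information block; fields we do not model stay zero
    for slot, dt in enumerate(run_times[:8]):
        struct.pack_into("<Q", info, 128 - 84 + 8 * slot, datetime_to_filetime(dt))
    struct.pack_into("<I", info, 208 - 84, run_count)
    image = bytearray(header + bytes(info))
    struct.pack_into("<I", image, 12, len(image))  # file-size field in the header
    return bytes(image)


# Constructed sample: a binary run five times, with its last three runs still in the timestamp slots.
SAMPLE_RUNS = [datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc),
               datetime(2024, 1, 14, 9, 30, 0, tzinfo=timezone.utc),
               datetime(2024, 1, 13, 8, 0, 0, tzinfo=timezone.utc)]
SAMPLE_PF = build_sample_v26("MALICIOUS.EXE", 0x1A2B3C4D, SAMPLE_RUNS, 5)
SAMPLE_COMPRESSED = MAM_SIGNATURE + struct.pack("<I", 4096) + b"\x00" * 16  # constructed Win10-style header

if __name__ == "__main__":
    info = parse_prefetch(SAMPLE_PF)
    print(f"{info['exe_name']} hash={info['hash']:08X} runs={info['run_count']}")
    for dt in info["run_times"]:
        print("  run:", dt.isoformat())
    print(parse_prefetch(SAMPLE_COMPRESSED))
    print(parse_prefetch_name("POWERSHELL.EXE-022A1004.pf"))
```

On a real system, replace the constructed SAMPLE_PF with the bytes of a file from C:\Windows\Prefetch; for Windows 10/11 files the "MAM\x04" branch fires and the payload must be decompressed first, which is what tools such as PECmd do for you.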
