Prefetch
Prefetch is not present by default on Windows Server operating systems.
Windows Prefetch is a performance enhancement feature that enables prefetching of applications to make system boots or application startups faster. Prefetch files are created whenever a program is executed from a specific path. If the same binary is executed from different locations, a separate Prefetch file is created for each location. A Prefetch file can be created even if the executable did not run successfully.
Prefetch files are limited to 1024 files on Windows 8 and later (128 on Windows 7 and earlier).
Prefetch files are created 10 seconds after execution.
When an executable is run for the first time, a Prefetch file is created. This can be used to determine what was executed and when.
If the parsed output lists malicious.exe:SMARTSCREEN, the file was scanned by Defender.
If the parsed output lists malicious.exe:ZONE.IDENTIFIER, the file was downloaded from the internet.
Prefetch has the following forensic artifacts of interest:
File name and size of the binary executed.
The first and, starting from Windows 8, the last eight execution timestamps. The gap between the last run time and the file's modified time can indicate how long the execution took.
The Prefetch file's NTFS created and last modified timestamps also indicate the first and last time the program was executed.
Run count (number of times the binary was executed).
List of files and directories accessed during the first ten seconds of execution (including any DLLs loaded). The full path to the executable can often be determined from the list of files accessed (duplicates are possible if the binary accesses another binary with the same name).
Prefetch can be disabled or enabled in the registry:
Values that can be set for "EnablePrefetcher":
Parsing:
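A minimal parser for the artifacts listed above (executable name, path hash, run count, last-run timestamps), written here as an added example and not taken from this page's author or any tool it references. It assumes an already-decompressed .pf image and, for Windows 10 files, that the run count can be located relative to the file-metrics offset; the sample image it parses is constructed, not a real Prefetch file.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch (100 ns ticks)

def from_filetime(ft):
    return None if ft == 0 else EPOCH + timedelta(microseconds=ft // 10)  # 0 = unused slot

def to_filetime(dt):
    return int((dt - EPOCH) / timedelta(microseconds=1)) * 10

def parse_prefetch(data):
    """Header + file-information block of an uncompressed .pf image (versions 23, 26, 30)."""
    # Win8+ stores .pf files LZXPRESS-Huffman compressed ("MAM\x04" signature): decompress first.
    if data[:3] == b"MAM":
        raise ValueError("compressed prefetch file: decompress before parsing")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    exe = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 76)[0]
    metrics_off = struct.unpack_from("<I", data, 84)[0]
    if version == 23:            # Vista/7: one last-run time at 128, run count at 152
        times = [struct.unpack_from("<Q", data, 128)[0]]
        run_count = struct.unpack_from("<I", data, 152)[0]
    elif version in (26, 30):    # 8.1/10: eight last-run times at 128, newest first
        times = list(struct.unpack_from("<8Q", data, 128))
        # Assumption: Win10 uses a 216- or 224-byte block, but in both (and in v26) the run
        # count sits 100 bytes before the file-metrics array, so derive it from that offset.
        run_count = struct.unpack_from("<I", data, metrics_off - 100)[0]
    else:
        raise ValueError(f"unsupported prefetch version {version}")
    return {"version": version, "executable": exe,
            "expected_filename": f"{exe}-{pf_hash:08X}.pf",  # on-disk name is EXE-PATHHASH.pf
            "run_count": run_count,
            "last_runs": [from_filetime(t) for t in times if t]}

def build_sample():
    """Constructed, uncompressed version-26 image for testing; not a real prefetch file."""
    buf = bytearray(320)
    struct.pack_into("<I4sII", buf, 0, 26, b"SCCA", 0, len(buf))
    buf[16:42] = "MALICIOUS.EXE".encode("utf-16-le")
    struct.pack_into("<I", buf, 76, 0x1A2B3C4D)     # path hash
    struct.pack_into("<I", buf, 84, 84 + 224)       # metrics array right after the 224-byte block
    runs = [datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc),
            datetime(2024, 2, 28, 9, 30, tzinfo=timezone.utc)]
    struct.pack_into("<8Q", buf, 128, *([to_filetime(d) for d in runs] + [0] * 6))
    struct.pack_into("<I", buf, 208, 5)             # run count
    return bytes(buf)
```

Comparing the newest `last_runs` entry with the .pf file's NTFS modified time gives the execution-duration hint described above; timestamps are returned in UTC.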