Prefetch
Windows Prefetch is utilized to improve application performance by pre-loading resources when an application is launched. In addition to providing evidence of execution, the Prefetch artifact provides a list of modules/files that have been accessed by the process in the 10 seconds following spawning.
Analysis Value
First Executed, Last Executed, Evidence of Execution, File Path
Operating System Availability
Windows 11    ✅    Server 2019    ⚠️
Windows 10    ✅    Server 2016    ⚠️
Windows 8     ✅    Server 2012    ⚠️
Windows 7     ✅    Server 2008    ⚠️
Windows Vista ✅    Server 2003    ⚠️
Windows XP    ✅
Windows Server systems do not have Prefetch enabled by default.
Artifact Location(s)
%SystemRoot%\Prefetch
Artifact Parsers
PECmd.exe (Eric Zimmerman)
pf.exe (TZWorks)
Artifact Interpretation
The name of the prefetch file takes the format {executable_name}-{hash}.pf, where executable_name is the name of the executable that was run and hash is derived from the executable's path and the command line used to launch it. If the same executable was run with different command line options, or was moved and then run again, there will be more than one prefetch entry for it.
Earliest Execution
The creation timestamp of the prefetch file indicates the potential earliest time the executable was run on the system. It is only "potential" because the number of prefetch files stored on the system is limited, and older files are rotated out.
Regarding the "potential" earliest/first execution: Because Windows only stores the last 128 entries (Windows XP/Vista/7) or 1024 entries (Windows 8/10), applications that haven't been run after some time may be rolled out of this directory, and re-created when they are run again.
Last Executed
The most recent execution is indicated by the modification timestamp of the prefetch file. Additionally, on Windows 8/10, the last 8 execution times are stored within the prefetch file and can be parsed.
Full Path
The artifact, when parsed, provides the full path to the executable that was run.
Caveats
Analysis Tips
Evidence of Deleted Files
Because the Prefetch artifact stores files referenced by a program, it may be used to identify deleted files as they will persist in this artifact.
Example
In the following example, the SysInternals utility ADExplorer64 was executed from two separate locations, once from the system's disk under C:\Temp and once from a connected USB device, resulting in two prefetch files:
ADEXPLORER64.EXE-9B0EE190.pf: Executed three times from a connected USB device
ADEXPLORER64.EXE-67B06AB8.pf: Executed once from local disk
When parsed with PECmd, the files produced the following output:
In the case where ADExplorer64 was run from the USB device, note the presence of two volume entries. Additionally, since that executable was run three times, there are additional execution timestamps for those runs as well.
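As an added triage example (not part of this page or of PECmd), the following code applies the naming rule from "Artifact Interpretation" to the two ADExplorer64 file names above: it splits {executable_name}-{hash}.pf, groups files by executable so that a program run from more than one path stands out, and cross-checks a file name against the fixed header of an uncompressed prefetch file (version at offset 0, "SCCA" signature at offset 4, UTF-16LE executable name at 0x10, path hash at 0x4C). The header bytes are constructed inline; Windows 10 files on disk are compressed and start with "MAM\x04", which this code only detects.

```python
import re
import struct
from collections import defaultdict

PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$")

def parse_pf_name(filename):
    """Split '{executable_name}-{hash}.pf' into (EXE_NAME, hash_as_int)."""
    m = PF_NAME.match(filename)
    if not m:
        raise ValueError(f"not a prefetch file name: {filename}")
    return m.group("exe").upper(), int(m.group("hash"), 16)

def group_by_executable(filenames):
    """Map executable name -> sorted hashes. More than one hash means the same
    program was launched from different paths or with different command lines."""
    groups = defaultdict(set)
    for f in filenames:
        exe, h = parse_pf_name(f)
        groups[exe].add(h)
    return {exe: sorted(hs) for exe, hs in groups.items()}

def parse_pf_header(data):
    """Read the fixed header of an *uncompressed* prefetch file."""
    if data[:4] == b"MAM\x04":
        raise ValueError("compressed (MAM) prefetch file; decompress it first")
    if data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature")
    version = struct.unpack_from("<I", data, 0)[0]       # 17=XP, 23=Vista/7, 26=8.1, 30=10
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    return {"version": version, "name": name, "hash": path_hash}

def name_matches_header(filename, data):
    """False when a .pf file has been renamed: its name/hash no longer match the header."""
    exe, h = parse_pf_name(filename)
    hdr = parse_pf_header(data)
    return exe == hdr["name"].upper() and h == hdr["hash"]

def make_header(version, name, path_hash, size=0x1000):
    """Constructed 84-byte header for testing; assumption: not taken from a real file."""
    raw_name = name.encode("utf-16-le").ljust(60, b"\x00")
    return struct.pack("<I4sII", version, b"SCCA", 0x11, size) + raw_name + struct.pack("<II", path_hash, 0)

# Constructed sample: the two file names from the page, plus a fake Windows 7 header.
SAMPLE_NAMES = ["ADEXPLORER64.EXE-9B0EE190.pf", "ADEXPLORER64.EXE-67B06AB8.pf"]
SAMPLE_HEADER = make_header(23, "ADEXPLORER64.EXE", 0x9B0EE190)

if __name__ == "__main__":
    print(group_by_executable(SAMPLE_NAMES))
    print(name_matches_header(SAMPLE_NAMES[0], SAMPLE_HEADER))
```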