Prefetch

Description:

  • Windows Prefetch files are designed to speed up the application startup process, by pre-loading code pages of commonly used applications.
  • Windows cache manager monitors all files and directories referenced for each process and maps them into a .pf file.
  • Prefetch is limited to 128 files on Windows XP/Windows 7 and 1024 files on Windows 8 and Windows 10. However, on my system running Windows 10.0.18362, the prefetch directory is limited to 250 entries.
  • Prefetch files are named <NameOfExecutable>-<Hash>.pf

Location:

  • C:\Windows\Prefetch
  • Windows Prefetch is disabled by default on Windows Server operating systems and on any computer running a solid-state drive (SSD).

Notes:

  • Each .pf file includes the last execution time, the number of times the program has run, and the device and file handles the program used.
  • Date/time the file with that name and path was first executed:
    • Creation date of the .pf file (approximately 10 seconds after execution).
  • Date/time the file with that name and path was last executed:
    • Embedded in the last run time stored in the .pf file.
    • Last modification date of the .pf file (approximately 10 seconds after execution).
    • Windows 8 and Windows 10 also record the last 8 execution times.

Analysis: A new Windows Prefetch file is created under the following circumstances:

  • A file is executed for the first time.
  • A file is executed with new command-line parameters.
  • A file is executed from a new directory.

To visualize this in action, let's review how many instances of SVCHOST.exe we have running in Task Manager. We can see that SVCHOST.exe is only executing from the C:\Windows\System32 directory, as expected, but when we review our C:\Windows\Prefetch directory, we'll notice multiple entries for SVCHOST.exe. That's because a new prefetch entry was generated for each unique command line used to initialize SVCHOST.exe.

We can obtain the first and last run time just by analyzing the date created and date modified timestamps of the .pf files in the Prefetch directory within Windows Explorer. The date created is the first run time and the date modified is the last run time. Keep in mind that this doesn't take into account how often entries in the Prefetch directory have been overwritten. Because Windows limits the number of prefetch files it keeps, a file can generate a new prefetch entry even though it was executed before; the creation date is then the first run only within the window the directory still covers.

We can use PECmd by Eric Zimmerman to parse .pf files into a readable format and review the additional metadata that .pf files have to offer. You can review the command-line options by running PECmd.exe /?.

To analyze a single prefetch file of interest, run PECmd.exe -f followed by the location of the .pf file you'd like to parse. You can take advantage of tab completion to quickly identify whether there are multiple entries for a particular file name by tabbing through the various entries.

To analyze an entire directory, run PECmd.exe -d followed by the location of the directory you'd like to parse. When reviewing a large number of prefetch files, it's helpful to capture the output in a .CSV file. You can append --csv "DIRECTORY" --csvf "FILE NAME" to write the analysis results to a location of your choosing.

We can use Timeline Explorer, another helpful utility created by Eric Zimmerman, to review the output of our directory analysis. Timeline Explorer can be used to view .CSV and .XLSX files and enables filtering, grouping and sorting out of the box, making analysis much more streamlined, in my opinion, than relying on Microsoft Excel.
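As an added example (my own script, not part of the original post or of PECmd), here is a PowerShell triage pass that applies the notes above before the PECmd run: it strips the hash from each <NameOfExecutable>-<Hash>.pf name to group entries by executable, approximates first and last run from the file timestamps, flags executables with more than one entry (different command lines or paths), warns when the directory is near its cap, and then hands the directory to PECmd with --csv/--csvf for Timeline Explorer. The PECmd install path and the output directory are assumptions.

```powershell
# Added example, not from the original post. Paths for PECmd and the output folder are assumed.
param(
    [string]$PrefetchDir = 'C:\Windows\Prefetch',
    [string]$PECmd       = 'C:\Tools\PECmd.exe',   # assumed install location of PECmd
    [string]$OutDir      = 'C:\Cases\prefetch'     # assumed case output folder
)

$pf = Get-ChildItem -Path $PrefetchDir -Filter '*.pf' -File -ErrorAction Stop

# Names follow <NameOfExecutable>-<Hash>.pf; drop the 8-hex-digit hash to group by executable.
$byExe = $pf | Group-Object { $_.BaseName -replace '-[0-9A-F]{8}$', '' }

# Approximate first/last run from the .pf timestamps (about 10 s after the real execution).
$summary = foreach ($g in $byExe) {
    [pscustomobject]@{
        Executable = $g.Name
        Entries    = $g.Count
        FirstRun   = ($g.Group | Sort-Object CreationTime  | Select-Object -First 1).CreationTime
        LastRun    = ($g.Group | Sort-Object LastWriteTime | Select-Object -Last 1).LastWriteTime
    }
}

# More than one .pf for the same executable means it ran with a new command line or from a new directory.
$summary | Where-Object Entries -gt 1 | Sort-Object Entries -Descending | Format-Table -AutoSize

# Near the cap, older entries may already have been evicted, so "FirstRun" only covers
# the window the directory still holds, not the first time the binary ever ran.
$cap = 1024   # documented Windows 8/10 limit; the post observed 250 on one Windows 10 build
if ($pf.Count -ge $cap) {
    Write-Warning "Prefetch holds $($pf.Count) files (cap $cap); earlier history may be gone."
}

# Parse the whole directory with PECmd and write a CSV that Timeline Explorer can open.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
& $PECmd -d $PrefetchDir --csv $OutDir --csvf 'prefetch.csv'
```

Run it from an elevated prompt on the system (or point -PrefetchDir at a mounted image's Prefetch folder), then open $OutDir\prefetch.csv in Timeline Explorer.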