Windows Prefetch files exist to speed up application start-up by pre-loading the code pages of commonly
used applications.
The Windows cache manager records the files and directories each process references during its first
seconds of execution and writes that map into a .pf file.
Prefetch files are limited to 128 entries on Windows XP/Windows 7 and 1024 entries on Windows 8 and Windows
10. However, on my system running Windows 10.0.18362, my Prefetch directory is limited to 250 entries.
The file name format for Prefetch files is <NameOfExecutable>-<Hash>.pf, where <Hash> is an eight-character
hexadecimal value derived from the executable's full path (and, for hosting applications, its command line).
Location:
C:\Windows\Prefetch
Windows Prefetch is disabled by default on Windows Server operating systems. Before treating an empty
Prefetch directory as evidence that nothing ran, check the EnablePrefetcher value under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters (0 disables
prefetching, 3 enables both application and boot prefetching).
Notes:
Each .pf records the last execution time, the number of times the program has run, and the files,
directories and volumes the program referenced.
Date/Time a file by that name and path was first executed:
Creation date of the .pf file (lags the execution by ~10 seconds).
Date/Time a file by that name and path was last executed:
Embedded in the .pf file itself, in its last run time field.
Last modification date of the .pf file (~10 seconds after the execution).
Windows 8 and Windows 10 .pf files store the last eight execution times rather than just one.
Analysis: A new Windows Prefetch file is created under the following circumstances:
A file is executed for the first time.
A file is executed from a new directory.
A file is executed within a hosting application with new command-line parameters.
The command line is only factored in for hosting applications such as DLLHOST.EXE, MMC.EXE, RUNDLL32.EXE and
SVCHOST.EXE; for any other executable, the same path always maps to the same .pf file.
To visualize this in action, let's review how many instances of SVCHOST.exe we have running in Task Manager. We
can see that SVCHOST.exe is only executing from the C:\Windows\System32 directory as expected, but when we
review our C:\Windows\Prefetch directory, we'll notice multiple entries for SVCHOST.exe. That's because a new
prefetch entry was generated for each unique command line used to initialize SVCHOST.exe.
We can obtain the first and last run time just by analyzing the date created and date modified timestamps of
the .pf files in the Prefetch directory within Windows Explorer. The date created is the first run time and the
date modified is the last run time. Keep in mind that this does not account for how often the Prefetch
directory has been pruned. Because Windows keeps only a limited number of .pf files, a program that ran in the
past may receive a brand-new prefetch entry, and therefore a misleading "first run" creation date, if its
earlier entry was already discarded.
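As an added example (not code from the original post, and not part of Eric Zimmerman's tools), the following Python reads the fields listed in the Notes above straight out of an uncompressed .pf file: the executable name and path hash that make up the file name, the run count, and the embedded last-run timestamps, which are the reliable source for the last execution time when the directory's NTFS timestamps cannot be trusted. It builds its own constructed sample blob (the SVCHOST.EXE hash is fictitious) so it runs offline; the field offsets are taken from the publicly documented libscca layout of the format and are an assumption of this example, and Windows 10's compressed MAM files are detected and rejected rather than decompressed.

```python
"""Minimal parser for the uncompressed Windows Prefetch (.pf) layout.

Reads only the 84-byte header and the per-version "file information" block,
which hold the executable name, the path hash used in the file name, the run
count and the embedded last-run timestamps. Offsets follow the public libscca
format documentation (assumption of this example, not taken from the post).
"""
import struct
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# format version -> (offset of last-run FILETIME array, number of slots, offset of run count),
# relative to the start of the file (header is 84 bytes, file-information block follows it).
_LAYOUT = {
    17: (0x78, 1, 0x90),   # Windows XP: one timestamp
    23: (0x80, 1, 0x98),   # Windows Vista / 7: one timestamp
    26: (0x80, 8, 0xD0),   # Windows 8.x: eight timestamps
    30: (0x80, 8, 0xD0),   # Windows 10, first layout variant (a later build moved run count to 0xC8)
}


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used only to build the constructed sample below."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch(data: bytes) -> dict:
    """Return executable name, hash, run count and embedded last-run times from a .pf blob."""
    if data[:4] == b"MAM\x04":
        # Windows 10 stores .pf files LZXPRESS-Huffman compressed behind a MAM header;
        # they must be decompressed first (PECmd does that transparently).
        raise NotImplementedError("compressed Windows 10 prefetch file; decompress before parsing")
    if len(data) < 84 or data[4:8] != b"SCCA":
        raise ValueError("not a prefetch file: missing SCCA signature")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in _LAYOUT:
        raise ValueError(f"unsupported prefetch format version {version}")
    # Executable name: UTF-16LE, NUL terminated, in a 60-byte field.
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 76)[0]

    times_off, slots, count_off = _LAYOUT[version]
    raw_times = struct.unpack_from(f"<{slots}Q", data, times_off)
    run_count = struct.unpack_from("<I", data, count_off)[0]
    return {
        "version": version,
        "executable": name,
        "hash": f"{path_hash:08X}",
        "expected_filename": f"{name}-{path_hash:08X}.pf",
        "run_count": run_count,
        # Unused slots are zero; Windows fills the array most-recent first.
        "last_run_times": [filetime_to_datetime(t) for t in raw_times if t],
    }


def first_run_is_recoverable(record: dict) -> bool:
    """True only if every execution is represented by an embedded timestamp.

    Windows 8+ keeps at most eight timestamps, so once run_count exceeds that the
    first execution is no longer inside the file; the .pf creation date is then the
    only first-run hint, and pruning of the Prefetch directory can make it wrong.
    """
    return record["run_count"] <= len(record["last_run_times"])


def build_sample_pf(name: str, path_hash: int, run_count: int, run_times: list, version: int = 26) -> bytes:
    """Construct a synthetic .pf blob populating only the fields parse_prefetch reads."""
    if len(name) > 29:
        raise ValueError("executable name does not fit the 60-byte UTF-16LE field")
    times_off, slots, count_off = _LAYOUT[version]
    buf = bytearray(84 + 224)                      # header + largest file-information block
    struct.pack_into("<I", buf, 0, version)
    buf[4:8] = b"SCCA"
    struct.pack_into("<I", buf, 12, len(buf))      # file size field
    buf[16:76] = name.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 76, path_hash)
    for i, dt in enumerate(run_times[:slots]):
        struct.pack_into("<Q", buf, times_off + 8 * i, datetime_to_filetime(dt))
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)


# Constructed sample: an SVCHOST.EXE entry with a fictitious hash that has run 12 times;
# only three of its eight timestamp slots are filled to keep the sample short.
SAMPLE_RUNS = [
    datetime(2020, 1, 15, 9, 30, 0, tzinfo=timezone.utc),
    datetime(2020, 1, 14, 18, 5, 12, tzinfo=timezone.utc),
    datetime(2020, 1, 13, 8, 0, 0, tzinfo=timezone.utc),
]
SAMPLE_PF = build_sample_pf("SVCHOST.EXE", 0x1A2B3C4D, 12, SAMPLE_RUNS)

if __name__ == "__main__":
    rec = parse_prefetch(SAMPLE_PF)
    print(rec["expected_filename"], "run count:", rec["run_count"])
    for ts in rec["last_run_times"]:
        print("  ran at", ts.isoformat())
    print("first run recoverable from embedded data:", first_run_is_recoverable(rec))
```

The name and hash recovered from the header let you confirm that a .pf file's name matches its content, which is a cheap check against a file that was renamed or planted; the run count compared with the number of embedded timestamps tells you when the creation date of the file is your only evidence of the first execution.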
We can utilize PECmd by Eric Zimmerman to parse .pf files into a readable format and review the additional
metadata that .pf files have to offer (on a live system run it from an elevated prompt, since the Prefetch
directory is not readable by standard users). You can review the command-line options by running
PECmd.exe /?.
To analyze a single prefetch file of interest, run PECmd.exe -f followed by the location of the .pf file
you'd like to parse, for example PECmd.exe -f "C:\Windows\Prefetch\SVCHOST.EXE-<Hash>.pf". You can take
advantage of tab completion to quickly identify whether or not there are multiple entries for a particular
file name by tabbing through the various entries.
To analyze an entire directory, run PECmd.exe -d followed by the location of the directory you'd like to
parse. When reviewing a large number of prefetch files, it's helpful to capture the output in a .CSV file.
You can append --csv "DIRECTORY" --csvf "FILE NAME" to write the analysis results to a location of your
choosing, for example PECmd.exe -d C:\Windows\Prefetch --csv C:\Cases\Prefetch --csvf prefetch.csv.
We can use Timeline Explorer, another helpful utility created by Eric Zimmerman, to review the CSV output of our
directory analysis. Timeline Explorer opens .CSV and .XLSX files and provides filtering, grouping and sorting
out of the box, which in my opinion makes analysis much more streamlined than relying on Microsoft Excel.