Prefetch Clearing

Description: This involves the removal of Prefetch files (.pf) from their storage location (C:\Windows\Prefetch). As Prefetch files contain detailed execution history (timestamps, run counts, loaded resources), deleting them eliminates this direct source of evidence.

Mechanism:
Manual Deletion: The user navigates to C:\Windows\Prefetch (requires admin rights) and simply deletes specific .pf files (e.g., cheat.exe-HASH.pf) or selects and deletes the entire contents of the folder.
Scripting/Tools: Cleanup utilities (like CCleaner, BleachBit) or custom scripts (.bat, .ps1) can be configured or run to automatically clear the Prefetch folder.

Why Cheaters Use It: To erase the execution history of specific cheats or tools, preventing the ScreenSharer from finding direct proof of recent launches via Prefetch analysis tools like WinPrefetchView.

Detection:
USN Journal ($UsnJrnl): This is the primary detection method. The deletion of any file, including .pf files, is logged in the Journal with a FILE_DELETE | CLOSE reason code, associated with the specific filename (e.g., CHEAT.EXE-1234ABCD.pf) and the C:\Windows\Prefetch path. Finding recent FILE_DELETE entries for .pf files, especially multiple deletions clustered in time shortly before or during the screenshare, is strong evidence of Prefetch clearing.
Empty/Incomplete Folder: Visually inspecting the C:\Windows\Prefetch folder and finding it completely empty, or suspiciously lacking entries for commonly executed system processes (explorer.exe), recently used applications (AnyDesk.exe), or the game itself (javaw.exe), is a significant indicator of clearing, provided that the SysMain service is running and Prefetching is enabled in the registry.
Corroboration: If other artifacts (e.g., BAM, memory strings) show recent execution of a program but its corresponding .pf file is missing or has an old timestamp, clearing or tampering (such as a Read-Only attribute that stops the file from being updated) should be suspected and investigated via the Journal.
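The USN Journal and Corroboration checks above, as an added example that is not part of the original page: it runs over constructed records in an assumed comma-separated layout (timestamp, file name, parent path, reason flags), not the export format of any particular Journal parser, flags clustered FILE_DELETE entries for .pf files under C:\Windows\Prefetch, and lists executed programs that have no .pf entry in a Prefetch folder listing.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Record = namedtuple("Record", "ts name path reason")

# Constructed sample records (not real data) in an assumed layout of
# "timestamp,file name,parent path,reason flags"; not any tool's export format.
SAMPLE_USN = [
    "2024-05-01 18:02:11,NOTEPAD.EXE-3A4B5C6D.pf,C:\\Windows\\Prefetch,DATA_EXTEND | CLOSE",
    "2024-04-30 09:00:00,OLD.EXE-00000000.pf,C:\\Windows\\Prefetch,FILE_DELETE | CLOSE",
    "2024-05-01 20:14:02,EXPLORER.EXE-A1B2C3D4.pf,C:\\Windows\\Prefetch,FILE_DELETE | CLOSE",
    "2024-05-01 20:14:02,JAVAW.EXE-5E6F7A8B.pf,C:\\Windows\\Prefetch,FILE_DELETE | CLOSE",
    "2024-05-01 20:14:03,CHEAT.EXE-1234ABCD.pf,C:\\Windows\\Prefetch,FILE_DELETE | CLOSE",
    "2024-05-01 20:14:03,ANYDESK.EXE-9C0D1E2F.pf,C:\\Windows\\Prefetch,FILE_DELETE | CLOSE",
    "2024-05-01 20:15:40,notes.txt,C:\\Users\\player\\Documents,FILE_DELETE | CLOSE",
]

def parse_usn(lines):
    """One Record per line; maxsplit=3 keeps a reason like 'FILE_DELETE | CLOSE' whole."""
    out = []
    for line in lines:
        ts, name, path, reason = line.split(",", 3)
        out.append(Record(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), name, path, reason.strip()))
    return out

def prefetch_deletions(records):
    """FILE_DELETE records for .pf files inside C:\\Windows\\Prefetch, oldest first."""
    return sorted((r for r in records if r.name.lower().endswith(".pf")
                   and r.path.lower().rstrip("\\") == r"c:\windows\prefetch"
                   and "FILE_DELETE" in r.reason), key=lambda r: r.ts)

def deletion_clusters(deletions, window_seconds=60, min_count=3):
    """Group deletions within window_seconds of their predecessor; keep groups of >= min_count."""
    clusters, current = [], []
    for r in deletions:
        if current and r.ts - current[-1].ts > timedelta(seconds=window_seconds):
            if len(current) >= min_count:
                clusters.append(current)
            current = []
        current.append(r)
    if len(current) >= min_count:
        clusters.append(current)
    return clusters

def missing_prefetch(executed_exes, prefetch_listing):
    """Corroboration: executed programs (per BAM etc.) lacking a NAME.EXE-HASH.pf entry."""
    present = {n.rsplit("-", 1)[0].upper() for n in prefetch_listing if n.lower().endswith(".pf")}
    return sorted(e for e in executed_exes if e.upper() not in present)
```

On the sample data, deletion_clusters(prefetch_deletions(parse_usn(SAMPLE_USN))) returns one group of four .pf deletions within two seconds, while the lone deletion a day earlier is not reported.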