Prefetch (C:\Windows\Prefetch)

    • Purpose: Originally conceived by Microsoft as a performance enhancement feature, Prefetching aims to speed up application launch times. It monitors the files and data an application accesses during its initial startup phase and pre-loads this information into memory the next time the application is launched. Forensically, however, the data stored within Prefetch files (.pf) serves as a primary and highly valuable indicator of program execution.

    • Location: Prefetch files are stored in a dedicated system folder: C:\Windows\Prefetch. Direct access is typically achieved via the Run dialog (Win+R) by typing prefetch and pressing Enter (requires administrator privileges).

    • File Format & Naming: Windows creates a .pf file for many executables (.exe) the first few times they are run. Each file follows a specific naming convention: EXECUTABLENAME.EXE-HASH.pf.

      • EXECUTABLENAME.EXE: The name of the executable that was launched.

      • HASH: An 8-character hexadecimal hash calculated based on the path from which the executable was run. This means running the same .exe from different locations (e.g., Desktop vs. Downloads) will generate distinct .pf files with different hashes.

    • Data Stored within .pf Files: Each Prefetch file contains a wealth of metadata, invaluable for analysis:

      • Executable Name: The name of the program launched.

      • Executable Path Hash: The hash indicating the execution path.

      • Run Count: The total number of times the application has been executed from that specific path.

      • Last Execution Timestamp: This is a critical piece of data, indicating the precise date and time the application was last run from that path. Crucially, the Date Modified timestamp of the .pf file itself directly reflects this last execution time (the file is written about 10 seconds after launch, so allow for that small offset when correlating with other artifacts).

      • Previous Execution Timestamps: On Windows 8 and later, Prefetch files store the timestamps of up to the 8 most recent executions, providing a short-term execution history (Windows 7 and earlier keep only the single last-run time).

      • Volume Information: Details about the disk volume (drive letter, volume name, serial number, volume creation date) where the executable resided during its last run.

      • Referenced Directories & Files: A list of the specific directories and files (including DLLs and other resources) that the executable accessed during its initial startup phase (typically the first 10 seconds).
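The naming convention and the fields listed above can be read straight from the binary. The parser below is an added example, not code from the page or from any of the tools it names; it handles the uncompressed SCCA layout for format versions 17, 23, 26 and 30, and the file it parses is constructed inline, so the volume GUID, executable, hash, run count and timestamps are made up. Windows 10 and later write .pf files compressed (an MAM header instead of SCCA); the parser detects that and refuses, so expand such files first (PECmd does this automatically).

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Per format version (offsets from file start): last-run FILETIME array, number of slots, run count.
# Versions 17/23 (XP, Vista/7) keep one timestamp; 26/30 (8.1, 10/11) keep the eight described above.
LAYOUT = {17: (0x78, 1, 0x90), 23: (0x80, 1, 0x98), 26: (0x80, 8, 0xD0), 30: (0x80, 8, 0xD0)}

def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_prefetch(data):
    """Return executable name, path hash, run count, last-run times and referenced files."""
    if data[:3] == b"MAM":   # Windows 10+ stores .pf files LZXPRESS-Huffman compressed; expand first
        raise ValueError("compressed .pf: decompress before parsing")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA" or version not in LAYOUT:
        raise ValueError("unsupported Prefetch version or bad signature")
    exe = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]   # 29 UTF-16 chars + NUL
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    names_off, names_size = struct.unpack_from("<II", data, 0x64)
    names = data[names_off:names_off + names_size].decode("utf-16-le")
    run_off, slots, count_off = LAYOUT[version]
    stamps = struct.unpack_from("<%dQ" % slots, data, run_off)
    return {
        "version": version, "exe": exe, "hash": "%08X" % path_hash,
        "run_count": struct.unpack_from("<I", data, count_off)[0],
        "last_runs": [filetime_to_dt(t) for t in stamps if t],   # unused slots are zero
        "files": [n for n in names.split("\x00") if n],          # NUL-separated UTF-16LE
    }

def build_sample_pf():
    """Constructed, uncompressed version-30 file for the demo; not a real capture."""
    files = [r"\VOLUME{01da3c6f2b1a9e44-7c3f1a20}\WINDOWS\SYSTEM32\NTDLL.DLL",
             r"\VOLUME{01da3c6f2b1a9e44-7c3f1a20}\USERS\ALICE\DOWNLOADS\LOADER.JAR"]
    names = "".join(f + "\x00" for f in files).encode("utf-16-le")
    head = bytearray(0x54 + 224)   # 84-byte header followed by the 224-byte version-30 file information
    struct.pack_into("<I4sII", head, 0, 30, b"SCCA", 0x11, len(head) + len(names))
    head[0x10:0x10 + 18] = "JAVAW.EXE".encode("utf-16-le")
    struct.pack_into("<I", head, 0x4C, 0x3D1F2A44)          # made-up path hash
    struct.pack_into("<II", head, 0x64, len(head), len(names))
    runs = [dt_to_filetime(datetime(2024, 5, 2, 9, 30, tzinfo=timezone.utc)),
            dt_to_filetime(datetime(2024, 5, 1, 18, 5, tzinfo=timezone.utc))] + [0] * 6
    struct.pack_into("<8Q", head, 0x80, *runs)
    struct.pack_into("<I", head, 0xD0, 7)                    # run count
    return bytes(head) + names
```

Calling parse_prefetch(build_sample_pf()) yields the JAVAW.EXE-3D1F2A44 entry with run count 7, two last-run times and the LOADER.JAR path in its referenced-files list, which is the lookup the java.exe/.jar scenario below relies on.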

    • Analysis Tools: While the .pf files are binary, several tools facilitate their parsing and analysis:

      • WinPrefetchView (Nirsoft): A widely used, free GUI tool that parses .pf files and displays the extracted information in an easily readable format. The top pane lists the Prefetch entries, and the bottom pane shows details for the selected entry, including the crucial list of referenced files and directories loaded during startup. This is particularly useful for checking if a legitimate process (like java.exe) loaded a suspicious file (like a .jar cheat).

      • PECmd (Eric Zimmerman): A powerful command-line tool offering more in-depth Prefetch analysis capabilities. It can extract all available metadata and is useful when WinPrefetchView encounters errors or when more granular analysis and correlation (e.g., via CSV output to Timeline Explorer) are needed.

      • LastActivityView (Nirsoft): This tool aggregates data from multiple sources, including Prefetch files, presenting a chronological view of system activity.

    • Dependencies, Bypasses, and Detection Nuances:

      • Service Dependency: Prefetching relies on the SysMain service (previously known as Superfetch). If this service is stopped, Prefetch files may not be created or updated. Its status can be checked via an administrative Command Prompt using sc query sysmain. A stopped service during a check is highly suspicious.

      • Registry Control: The feature's operational state (enabled/disabled levels) is controlled by the registry value EnablePrefetcher located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters. The defined values are 0 (disabled), 1 (application launch prefetching only), 2 (boot prefetching only) and 3 (both, the default). A value of 0 indicates Prefetching is completely disabled, which is also suspicious if not done for a legitimate reason (e.g., specific SSD optimization guides, though less common now).

      • Permissions Bypass (cacls): Attackers might modify the permissions of the C:\Windows\Prefetch folder (e.g., using cacls or icacls commands) to deny write access, preventing the creation or updating of .pf files. Evidence of such permission changes can often be found in the USN Journal ($UsnJrnl) by looking for security change events (records whose reason flags include USN_REASON_SECURITY_CHANGE) on the Prefetch directory; a folder whose ACL suddenly denies writes while SysMain is running is a strong tampering signal.

      • Hidden Files: Individual .pf files can be hidden using standard file attributes. To view potentially hidden Prefetch files, use an administrative Command Prompt: dir /ah C:\Windows\Prefetch.

      • Renamed Extensions & Non-Exes: Prefetch primarily logs the execution of .exe files.

        • If an executable is renamed (e.g., cheat.exe to cheat.tmp) and executed using specific methods (like Start-Process in PowerShell), Prefetch will still often create an entry, but the filename part will reflect the renamed extension (e.g., CHEAT.TMP-HASH.pf). Finding such entries is a strong indicator of evasion.

        • Executing .jar files typically generates Prefetch entries for the Java runtime (java.exe or javaw.exe). Analyzing the referenced files list within these Java Prefetch entries is crucial for identifying the specific .jar file that was loaded.

        • DLL injections might create Prefetch entries for the host process used (e.g., rundll32.exe, regsvr32.exe) or the injector application itself. Again, analyzing the referenced files within these .pf entries can reveal the loaded DLL.

      • Process Hollowing Indication: In some cases, observing a Prefetch entry in WinPrefetchView where the "Executable Path" field is empty or null might be an indicator of process hollowing techniques having been used, although this is not definitive on its own.
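The USN Journal check from the Permissions Bypass point above, as an added example that is not part of the page: it walks USN_RECORD_V2 records in an extracted $J stream and reports security-descriptor changes on a directory named Prefetch. The journal bytes are constructed inline with the included record builder (file reference numbers, USNs and names are made up), and matching is by name and directory attribute only; confirming the hit really is C:\Windows\Prefetch would need the parent file reference resolved against the MFT, which is left out.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
USN_REASON_SECURITY_CHANGE = 0x00000800   # security descriptor (ACL/owner) changed
FILE_ATTRIBUTE_DIRECTORY = 0x10

def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def iter_usn_v2(journal):
    """Yield (usn, time, reason, attrs, name) for each USN_RECORD_V2 in an extracted $J stream."""
    off = 0
    while off + 60 <= len(journal):
        length, major = struct.unpack_from("<IH", journal, off)
        if length == 0:             # zero fill at the end of a journal page: step to the next record
            off += 8
            continue
        if major != 2:
            raise ValueError("only USN_RECORD_V2 is handled here")
        usn, ts, reason, _src, _sid, attrs, nlen, noff = struct.unpack_from("<qqIIIIHH", journal, off + 24)
        name = journal[off + noff:off + noff + nlen].decode("utf-16-le")
        yield usn, filetime_to_dt(ts), reason, attrs, name
        off += length

def prefetch_acl_changes(journal, dirname="Prefetch"):
    """Records where a directory named Prefetch had its security descriptor changed."""
    return [(usn, when, name) for usn, when, reason, attrs, name in iter_usn_v2(journal)
            if name.lower() == dirname.lower() and attrs & FILE_ATTRIBUTE_DIRECTORY
            and reason & USN_REASON_SECURITY_CHANGE]

def make_record(usn, when, reason, attrs, name):
    """Build one USN_RECORD_V2; used only to construct the sample journal below."""
    wname = name.encode("utf-16-le")
    length = (60 + len(wname) + 7) & ~7   # records are padded to 8-byte alignment
    rec = bytearray(length)
    ft = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    struct.pack_into("<IHHQQqqIIIIHH", rec, 0, length, 2, 0, 0x1000000000ABC, 0x1000000000A00,
                     usn, ft, reason, 0, 0, attrs, len(wname), 60)
    rec[60:60 + len(wname)] = wname
    return bytes(rec)

T = datetime(2024, 5, 2, 9, 31, tzinfo=timezone.utc)
SAMPLE_JOURNAL = b"".join([   # constructed records, not a real $J extract
    make_record(4096, T, 0x80000002, 0x20, "JAVAW.EXE-3D1F2A44.pf"),  # DATA_EXTEND|CLOSE: a .pf written
    make_record(4200, T, 0x80000800, 0x20, "Prefetch"),   # SECURITY_CHANGE on a plain *file* named Prefetch
    bytes(8),                                             # page-end zero fill, skipped by the parser
    make_record(4288, T, 0x80000800, 0x10, "Prefetch"),   # SECURITY_CHANGE|CLOSE on the directory itself
])
```

Running prefetch_acl_changes(SAMPLE_JOURNAL) returns only the third record: the .pf write has no security-change flag and the second record is a file, not a directory.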
