Analysis Tools

Viewing the C:\Windows\Prefetch folder directly only shows filenames and basic file timestamps. Specialized tools are required to parse the binary .pf files and extract the rich metadata contained within:

  • WinPrefetchView (Nirsoft):

    • Functionality: A widely adopted, free GUI tool specifically designed for parsing .pf files and presenting the extracted data in a user-friendly, sortable table.

    • Interface: The main window typically lists all found Prefetch entries. Selecting an entry populates a lower pane with detailed information, including all run times, run counts, volume details, and the critical list of files and directories referenced during execution (often referred to as "Indexes" or loaded resources within the tool's interface).

    • ScreenShare Use Cases:

      • Confirming Execution & Timing: Directly verifying if and exactly when a specific .exe was run by examining its .pf file's timestamps (Last Run Time / File Modified Time).

      • Detecting Renamed Executables: Easily spotting .pf files where the executable name part contains a non-standard extension (e.g., MYCHEAT.TMP-HASH.pf), indicating a likely attempt to disguise an executable file.

      • Analyzing Loaded Resources: Examining the list of referenced files in the bottom pane for a specific .pf entry (e.g., checking java.exe.pf for loaded .jar cheat paths, or rundll32.exe.pf for injected .dll paths).

      • Potential Process Hollowing Hint: Observing an empty "Executable Path" field within WinPrefetchView for a specific .pf entry might sometimes correlate with process hollowing, though it requires other corroborating evidence.

  • PECmd (Eric Zimmerman):

    • Functionality: A command-line interface (CLI) tool that is part of the larger Eric Zimmerman Tools suite. It offers more comprehensive and granular Prefetch parsing capabilities than many GUI tools.

    • Usage: Executed via CMD or PowerShell (as Administrator). A typical command is PECmd.exe -d "C:\Windows\Prefetch" --csv C:\OutputPath\, which parses all .pf files in the specified source directory (-d) and outputs the detailed results into CSV files (--csv) in the designated output path (C:\OutputPath\).

    • Output & Use: Generates detailed CSV files which can be loaded into tools like Timeline Explorer or spreadsheet software for advanced filtering, sorting, correlation with other artifacts, and timeline reconstruction. Particularly useful when dealing with corrupted .pf files that GUI tools might fail on, or when needing to programmatically analyze large numbers of entries.

PreviousInformation Stored in Prefetch FilesNextTroubleshooting and Evasion Detection

Last updated