Prefetch Files 101

cyber nerd
3 min readJun 30, 2022


Windows Prefetch Files

Prefetch is a Windows mechanism that speeds up application start-up. The first time an executable runs, the Prefetcher records which files and file sections it touches during the first seconds of execution and saves that trace to a .pf file; on later launches the cache manager reads those sections into memory up front instead of waiting for each page fault, so the next execution is faster. It was introduced in Windows XP and is still used in current Windows versions. Application prefetching is enabled by default on workstation editions such as Windows 7, 8 and 10, but not on Windows Server editions.

If you learn to look in the Prefetch folder you can see which applications run frequently on a machine. The name of each prefetch file is made up of the executable name and a hash, and the hash algorithm depends on the OS version; the file itself is not encrypted, although on Windows 10 it is stored compressed and has to be decompressed before it can be parsed. These files contain the executable's run count, run timestamps, the full paths of the files and directories loaded along with it, and other resources needed to start the binary.

Prefetch Files Characteristics

  • Prefetch files live in the C:\Windows\Prefetch folder and have the .pf file extension.
  • Take DLLHOST.EXE-8E84E9F3.pf as an example: the prefetch file for DLLHOST.EXE appears as DLLHOST.EXE-8E84E9F3.pf.
  • 8E84E9F3 is a hash of the full path from which the file was executed (for hosting processes such as dllhost.exe and svchost.exe the command line is part of the hashed input as well). This is a hash, not encryption, and the hashing function varies per Windows version.

Prefetch versions are:

  • 17: Windows XP and Windows Server 2003
  • 23: Windows Vista and Windows 7
  • 26: Windows 8 and 8.1
  • 30: Windows 10
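Because the hash in the file name is derived from the path, you can recompute it to check whether a .pf file really belongs to the path you think it does (a mismatch means the file was renamed, copied from another host, or the binary ran from a different location). The following is an added example written for this post, not code from the original article or from any Windows tool. It implements the three published SCCA hash variants keyed by prefetch version; the hash input is the uppercase NT device path, and the way command-line arguments are appended for hosting processes (a leading space followed by the arguments) is an assumption, so pass them exactly as you expect Windows to see them.

```python
"""Recompute the hash that Windows puts in a prefetch file name, per prefetch version."""

MASK32 = 0xFFFFFFFF


def scca_xp_hash(path):
    """Windows XP / Server 2003 (prefetch version 17)."""
    h = 0
    for ch in path:
        h = (h * 37 + ord(ch)) & MASK32
    h = (h * 314159269) & MASK32
    if h > 0x80000000:
        h = 0x100000000 - h
    return (h % 1000000007) & MASK32


def scca_vista_hash(path):
    """Windows Vista / 7 (prefetch version 23)."""
    h = 314159
    for ch in path:
        h = (h * 37 + ord(ch)) & MASK32
    return h


def scca_2008_hash(path):
    """Windows 8 / 8.1 / 10 (prefetch versions 26 and 30): consumes eight characters per round."""
    h = 314159
    i, n = 0, len(path)
    while i + 8 < n:
        v = ord(path[i + 1]) * 37
        for k in range(2, 7):                     # characters 2..6 of the block
            v = (v + ord(path[i + k])) * 37
        v += ord(path[i]) * 442596621 + ord(path[i + 7])
        h = (h * 442596621 + v) & MASK32
        i += 8
    while i < n:                                  # trailing characters, fewer than eight
        h = (h * 37 + ord(path[i])) & MASK32
        i += 1
    return h


HASH_BY_VERSION = {17: scca_xp_hash, 23: scca_vista_hash, 26: scca_2008_hash, 30: scca_2008_hash}


def prefetch_filename(device_path, version, command_line=""):
    """Expected .pf name for a binary at the given NT device path, e.g.
    \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\DLLHOST.EXE. command_line is appended for hosting
    processes whose arguments are hashed too (assumed format: ' -k netsvcs'). Input is uppercased."""
    hashed = (device_path + command_line).upper()
    exe = device_path.upper().rsplit("\\", 1)[-1]
    return f"{exe}-{HASH_BY_VERSION[version](hashed):08X}.pf"


def name_matches_path(pf_name, device_path, version, command_line=""):
    """True when pf_name is the name Windows would generate for that path on that version."""
    return pf_name.upper() == prefetch_filename(device_path, version, command_line).upper()


if __name__ == "__main__":
    # Constructed path, not taken from a real system.
    sample = "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\DLLHOST.EXE"
    for ver in (17, 23, 30):
        print(ver, prefetch_filename(sample, ver))
```

To use this against a real file, take the path from the volume and file name strings inside the prefetch file itself (the \VOLUME{...} prefix on Windows 8 and later maps to the \DEVICE\HARDDISKVOLUMEn path recorded in the volume information section) and compare the recomputed name with the name on disk.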

  • Maximum number of prefetch files before the oldest entries are deleted:
  • Windows XP to Windows 7 = 128 entries
  • Windows 8 to Windows 10 = 1024 entries
  • On reaching the limit Windows automatically deletes files from the folder, so on a busy machine the artifact for an old or rarely used executable may already be gone.
  • Prefetch is enabled by default on Windows 7, 8 and 10 but not on Windows Server editions.

Contents of a Prefetch File

A prefetch file is a very juicy forensic artifact: besides helping reduce the start-up time of an application, it stores key information about the executable. The main fields are listed below.

  1. Run Count: the total number of times the application has run on the machine.
  2. Prefetch Hash: hash value of the executable's path (and, for hosting processes, its command line); the same value appears in the file name.
  3. File Size: the size of the prefetch file itself, stored in its header.
  4. Version: the prefetch format version, which tells you which Windows version wrote the file.
  5. Last Run and Other Run Times: timestamps of the last run and earlier runs of the executable (one timestamp up to Windows 7; the last 8 run times from Windows 8 onwards, including Windows 10).
  6. Directories Referenced: directories of the dependency files or binaries loaded along with the executable.
  7. Files Referenced: files or binaries loaded along with the executable, shown with their full path.
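The fields above sit at fixed offsets in the file, so a practitioner can pull them out without a dedicated tool. The parser below is an added example written for this post, not code from the original article or from any existing forensic tool. It follows the published SCCA layout for versions 17, 23, 26 and 30 (the 84-byte header, then the file-information block whose size picks the run-count offset, since version 30 exists in two variants), reads the run count, the run times and the referenced file names, and refuses Windows 10 files that are still compressed (they start with the bytes MAM\x04 and must be decompressed with RtlDecompressBufferEx or an equivalent first). The sample image it parses is constructed in code and is not a real prefetch file; its volume GUID, paths and timestamps are made up.

```python
"""Parse an uncompressed Windows Prefetch (.pf) image: header, run count, run times, referenced files."""
import struct
from datetime import datetime, timedelta, timezone

MAM_SIGNATURE = b"MAM\x04"   # Windows 10/11 .pf files are XPRESS-Huffman compressed and start with this
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 0x54           # fixed 84-byte header; the file-information block starts right after it

# Per version: (number of last-run FILETIME slots, offset of those slots inside the file-information
# block, {file-information size: run-count offset}). Version 30 has two variants (216 and 224 bytes);
# the size is derived from the file metrics array offset, the block's first field.
_LAYOUT = {
    17: (1, 36, {68: 60}),
    23: (1, 44, {156: 68}),
    26: (8, 44, {224: 124}),
    30: (8, 44, {216: 116, 224: 124}),
}


def is_compressed(data):
    return data[:4] == MAM_SIGNATURE


def filetime_to_datetime(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch(data):
    if is_compressed(data):
        raise ValueError("compressed prefetch file: decompress (RtlDecompressBufferEx, XPRESS Huffman) first")
    version, signature, file_size = struct.unpack_from("<I4s4xI", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature, not a prefetch file")
    if version not in _LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    exe_name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 0x4C)[0]

    (metrics_off, metrics_count, _chains_off, _chains_count, names_off, names_size,
     _volumes_off, volume_count, _volumes_size) = struct.unpack_from("<9I", data, HEADER_SIZE)
    slots, times_off, run_count_by_size = _LAYOUT[version]
    info_size = metrics_off - HEADER_SIZE
    if info_size not in run_count_by_size:
        raise ValueError(f"unexpected file-information size {info_size} for version {version}")
    run_count = struct.unpack_from("<I", data, HEADER_SIZE + run_count_by_size[info_size])[0]
    raw_times = struct.unpack_from(f"<{slots}Q", data, HEADER_SIZE + times_off)
    last_runs = [filetime_to_datetime(t) for t in raw_times if t]   # unused slots are zero

    names = data[names_off:names_off + names_size].decode("utf-16-le")
    referenced_files = [n for n in names.split("\x00") if n]        # null-separated UTF-16LE strings

    return {
        "version": version,
        "file_size": file_size,
        "executable": exe_name,
        "hash": f"{prefetch_hash:08X}",
        "expected_filename": f"{exe_name}-{prefetch_hash:08X}.pf",
        "run_count": run_count,
        "last_runs": last_runs,
        "file_metrics_entries": metrics_count,
        "volumes": volume_count,
        "referenced_files": referenced_files,
    }


def build_sample_prefetch():
    """Constructed (not captured) uncompressed version-30 image, 224-byte file-information variant,
    no file metrics or trace chains, three referenced files. Test data only."""
    exe = "DLLHOST.EXE"
    files = [
        "\\VOLUME{01d8000000000000-1234abcd}\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
        "\\VOLUME{01d8000000000000-1234abcd}\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
        "\\VOLUME{01d8000000000000-1234abcd}\\WINDOWS\\SYSTEM32\\DLLHOST.EXE",
    ]
    names_blob = "".join(f + "\x00" for f in files).encode("utf-16-le")
    info_size = 224
    names_off = HEADER_SIZE + info_size

    header = struct.pack("<I4sII", 30, b"SCCA", 0x11, 0)      # file size is patched in below
    header += exe.encode("utf-16-le").ljust(60, b"\x00")
    header += struct.pack("<II", 0x8E84E9F3, 0)
    info = bytearray(info_size)
    struct.pack_into("<9I", info, 0, names_off, 0, names_off, 0, names_off, len(names_blob),
                     names_off + len(names_blob), 1, 0)
    run_1 = datetime_to_filetime(datetime(2022, 6, 30, 12, 0, tzinfo=timezone.utc))
    run_2 = datetime_to_filetime(datetime(2022, 6, 29, 8, 30, tzinfo=timezone.utc))
    struct.pack_into("<2Q", info, 44, run_1, run_2)           # most recent run first
    struct.pack_into("<I", info, 124, 5)                       # run count

    image = bytearray(header + info + names_blob)
    struct.pack_into("<I", image, 0x0C, len(image))
    return bytes(image)


if __name__ == "__main__":
    for key, value in parse_prefetch(build_sample_prefetch()).items():
        print(f"{key}: {value}")
```

On a real Windows 10 image, decompress first, then feed the result to parse_prefetch; the expected_filename it returns should match the name on disk, and the last_runs list is already in most-recent-first order as Windows stores it.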

Forensic Value of Prefetch Files

Prefetch lets us know:

  1. What is commonly executed or run on a machine.
  2. When it was last run (up to the last 8 run times on Windows 8 and later, including Windows 10).
  3. What was loaded along with the executable, including the complete path of each file, for further tracing.
  4. Prefetch files can be used for forensic analysis of a particular executable or binary, and they survive even after the binary itself has been deleted.
  5. If you are studying malware analysis you can begin to link the executable's imported DLLs to the files referenced in the prefetch file. It will begin to make more sense.

Enabling or Disabling Prefetch Files

Enabling or disabling prefetch is done via a registry change: the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters. Below are the values and the behaviour for each.

  • The EnablePrefetcher value can be set to one of the following:
  • 0 = Disabled
  • 1 = Application launch prefetching enabled
  • 2 = Boot prefetching enabled
  • 3 = Application launch and boot prefetching enabled (optimal and default setting for workstation Windows OS)

A value of 3 is not enough on its own: on Windows 10 the SysMain service (formerly Superfetch) must also be running, otherwise no new .pf files are written. When a machine you are examining has an empty or stale Prefetch folder, check both the registry value and the service state before concluding that nothing ran.

How to Decrypt or Parse Prefetch Files Content?

Tune in for my next blog entry, where I will share how. Until next time. Happy forensicating!

For a video guide see below. Please like and subscribe :)
