Prefetch
Prefetch is a feature on Windows workstation operating systems that maintains metadata related to application execution.
When an application is launched for the first time, a Prefetch file (.pf) is created in the Prefetch directory (e.g., C:\Windows\Prefetch\). Prefetch observes an application's launch behavior in approximately the first ten (10) seconds of execution, specifically files and folders the application references. The information is used to expedite future application launches.
This feature is not available on Windows server operating systems by default. The feature is controlled by the EnablePrefetcher registry value located at:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters.
Analysis
Prefetch files are located in %SYSTEMROOT%\Prefetch\. The files are named in the format <EXECUTABLE NAME>-<HASH>.pf.
The following information is generally available for each Prefetch file:
- Executable Name
- Hash (calculated using full path and command line arguments)
- File size
- Run count
- Last run times (up to 9)
- Resource references (directories and files)
- Disk volume name and serial number
The bulk of valuable Prefetch information is present within the file and requires tools to parse. It is possible to see the first and last known execution timestamps by looking at the filesystem creation and modification timestamps, respectively.
Recall that Prefetch observes an application's launch behavior for approximately ten (10) seconds following execution. The information is serialized to the Prefetch file after the observation period. Thus, subtract ten (10) seconds from the filesystem timestamps for a more accurate execution timestamp.
The internal timestamps in the Prefetch file are accurate and do not require adjustment.
This results in up to nine (9) historical execution timestamps for each Prefetch file:
- The file system creation time indicates the first known execution time (-10 seconds)
- The file system modification time indicates the last known execution time (-10 seconds)
- Embedded within the Prefetch file, there is a last run time and up to seven (7) historical execution timestamps
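The following Python is an added example, not code from the original article: it applies the naming format and the ten-second correction described above to a directory listing, and reads the executable name, hash and file size from an uncompressed Prefetch header. The header offsets (version at 0x00, "SCCA" at 0x04, size at 0x0C, UTF-16 name at 0x10, hash at 0x4C) and the "MAM" marker for compressed Windows 10 files are assumptions from the file format rather than from the article; the listing and header bytes are constructed.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

OBSERVATION_WINDOW = timedelta(seconds=10)  # launch behaviour is observed ~10 s, then written
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)
MAX_FILES = {"win7": 128, "win8+": 1024}   # per-OS caps on the number of Prefetch files

def parse_pf_name(filename):
    """Split <EXECUTABLE NAME>-<HASH>.pf into (exe, hash); None for non-Prefetch names."""
    m = PF_NAME.match(filename)
    return (m["exe"], m["hash"].upper()) if m else None

def execution_window(created, modified):
    """First/last known execution from filesystem timestamps, minus the observation period."""
    return created - OBSERVATION_WINDOW, modified - OBSERVATION_WINDOW

def parse_pf_header(data):
    """Read version, size, executable name and hash from an uncompressed SCCA header.
    Windows 10 files are MAM-compressed and must be decompressed first; they are only flagged."""
    if data[:4] == b"MAM\x04":
        return {"compressed": True, "uncompressed_size": struct.unpack_from("<I", data, 4)[0]}
    version, sig, _unknown, size = struct.unpack_from("<I4sII", data, 0)
    if sig != b"SCCA":
        raise ValueError("not a Prefetch file")
    exe = data[16:76].decode("utf-16-le").split("\x00", 1)[0]  # 60-byte UTF-16 field
    return {"compressed": False, "version": version, "size": size, "exe": exe,
            "hash": f"{struct.unpack_from('<I', data, 76)[0]:08X}"}

def triage(listing, os_family):
    """Order (filename, created, modified) entries by last run; flag when within 10% of the cap."""
    rows = []
    for filename, created, modified in listing:
        parsed = parse_pf_name(filename)
        if parsed is None:
            continue  # stray non-.pf file in the directory
        first, last = execution_window(created, modified)
        rows.append({"exe": parsed[0], "hash": parsed[1], "first_run": first, "last_run": last})
    rows.sort(key=lambda r: r["last_run"], reverse=True)
    return rows, len(rows) >= 0.9 * MAX_FILES[os_family]  # near cap: oldest files may be evicted

# Constructed sample data: a version-23 (Windows 7) header and a small directory listing.
SAMPLE_HEADER = (struct.pack("<I4sII", 23, b"SCCA", 0x11, 0x2C10)
                 + "CMD.EXE".encode("utf-16-le").ljust(60, b"\x00") + struct.pack("<I", 0x4A81B364))
_utc = lambda *a: datetime(*a, tzinfo=timezone.utc)
SAMPLE_LISTING = [
    ("CMD.EXE-4A81B364.pf", _utc(2023, 5, 1, 9, 0, 10), _utc(2023, 5, 3, 17, 30, 10)),
    ("NOTEPAD.EXE-D8414F97.pf", _utc(2023, 5, 2, 8, 0, 10), _utc(2023, 5, 2, 8, 0, 10)),
    ("desktop.ini", _utc(2023, 1, 1), _utc(2023, 1, 1)),
]
```

Only the filesystem-derived timestamps are corrected by ten seconds; the run times embedded in the file body are accurate as stored and should be taken from a full parser without adjustment.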
Investigation Considerations
Prefetch files can provide a wealth of information for investigations when the data is parsed and normalized.
Windows 8 and newer operating systems maintain up to 1024 Prefetch files, each with up to eight (8) historical execution timestamps. That is potentially over 8,000 timestamps.
Prefetch files remain on the system even if the executable itself no longer exists on the system. If an executable was run from a removable medium (e.g., a flash drive), the Prefetch file remains on the host system with data indicating the volume information of the removable medium.
Consider prioritizing the collection of the Prefetch directory when running live response tools, as the tools themselves create new Prefetch files and you may inadvertently cause older Prefetch files to be deleted. This is especially true on Windows 7 and older systems, as only 128 Prefetch files are maintained.