Evidence of Execution: Windows Prefetch Forensics

Prefetch is a performance optimization mechanism introduced by Microsoft in Windows XP to accelerate system boot sequences and application launch times. From a digital forensics perspective, Prefetch files constitute a high-value source of execution artifacts. To fully appreciate their evidentiary significance, it is essential to understand the underlying Windows memory management architecture.


The Windows Cache Manager, a core subsystem of the memory manager, monitors file system I/O operations performed by processes during initialization. It traces approximately the first two minutes of boot-related activity and the first ten seconds of each non-boot application launch. The resulting trace is written to a Prefetch file (.pf) by the Task Scheduler service on Windows XP and by the SuperFetch/SysMain service on Windows Vista and later. Upon subsequent system boots or application launches, the Cache Manager uses these files as predictive blueprints to read the required data from disk ahead of demand, thereby reducing load latencies.


On Windows 7 and earlier versions, the Prefetch directory is architecturally constrained to a maximum of 128 files. Beginning with Windows 8, this limit was expanded to 1024 files. Prefetching is enabled by default on Windows client (workstation) editions to enhance user experience and is disabled by default on Windows Server editions. On client systems it may be selectively disabled by an administrator (Windows 7 may also switch it off automatically on a fast SSD); such disabling is less common on Windows 8 and later versions.


Forensic Value of Prefetch Files

Prefetch files are canonically named by concatenating the executable filename, a hyphen delimiter, and an eight-character hexadecimal hash (a 32-bit value) computed from the executable's full device path (and, in the case of hosting processes, its command-line arguments), followed by the .pf extension, giving names of the form NAME.EXE-XXXXXXXX.pf. These artifacts provide compelling evidence of program execution, even in scenarios where the original binary has been deleted or renamed. Each Prefetch file encapsulates critical metadata, including:

  • The total run count of the associated executable.
  • The original execution path.
  • Timestamps documenting execution history (up to eight run times on Windows 8 through Windows 11, stored most recent first with unused slots left as zero, yielding up to nine discrete execution events when correlated with the file system creation timestamp).

Additionally, Prefetch files enumerate dependencies accessed during the monitored execution window—including DLLs and other supporting files—and record the volume serial number of the hosting drive. This information enables investigators to corroborate execution events, reconstruct program provenance, and identify anomalous binaries.

The internal structure of Prefetch files has evolved across Windows versions. Each file opens with a four-byte format version (17 on Windows XP/2003, 23 on Vista/7, 26 on Windows 8.x, 30 on Windows 10/11) followed by the "SCCA" signature (hex: 0x53 0x43 0x43 0x41) at offset 4. Files from Windows XP through Windows 8.1 are stored uncompressed. Starting with Windows 10, the file is compressed with XPRESS Huffman and begins instead with the "MAM" signature and a 0x04 format byte (hex: 0x4D 0x41 0x4D 0x04) followed by the uncompressed size; the SCCA structure is only visible after decompression. Forensic practitioners should note that decompression of MAM-formatted files preserves the full evidentiary payload, including execution timestamps and file references.
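To make the header layout concrete, the following Python parser is an added example written for this page, not a tool the article describes. It uses the version-specific offsets of the publicly documented format (as implemented in libscca and plaso), decompresses MAM files through ntdll's RtlDecompressBufferEx when run on Windows 8 or later, and exercises itself on a constructed version-30 file rather than a real capture: the executable name, hash, file references and volume serial in build_sample_pf() are made up for the demonstration.

```python
"""Parse Windows Prefetch (.pf) files: uncompressed SCCA (XP to 8.1) and MAM-compressed (Windows 10/11)."""
import ctypes
import struct
import sys
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Per format version: offset of the last-run FILETIME(s), number of slots, offset of the run count.
# Version 30 comes in two file-information sizes, so its run-count offset is resolved while parsing.
LAYOUTS = {17: (0x78, 1, 0x90), 23: (0x80, 1, 0x98), 26: (0x80, 8, 0xD0), 30: (0x80, 8, None)}
COMPRESSION_FORMAT_XPRESS_HUFF = 4


def filetime_to_dt(ft):
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decompress_mam(data):
    """Expand 'MAM\\x04' + uncompressed size + XPRESS Huffman stream via ntdll (Windows 8+ only)."""
    size = struct.unpack_from("<I", data, 4)[0]
    if not sys.platform.startswith("win"):
        raise NotImplementedError("MAM decompression uses ntdll.RtlDecompressBufferEx; run on Windows")
    ntdll = ctypes.WinDLL("ntdll")
    ws, frag = ctypes.c_ulong(), ctypes.c_ulong()
    ntdll.RtlGetCompressionWorkSpaceSize(COMPRESSION_FORMAT_XPRESS_HUFF, ctypes.byref(ws), ctypes.byref(frag))
    out, final = ctypes.create_string_buffer(size), ctypes.c_ulong()
    status = ntdll.RtlDecompressBufferEx(COMPRESSION_FORMAT_XPRESS_HUFF, out, size, data[8:], len(data) - 8,
                                         ctypes.byref(final), ctypes.create_string_buffer(ws.value))
    if status != 0:
        raise ValueError(f"RtlDecompressBufferEx failed, NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
    return out.raw[:final.value]


def parse_prefetch(data):
    if data[:4] == b"MAM\x04":
        data = decompress_mam(data)
    version, signature, _, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA" or version not in LAYOUTS:
        raise ValueError(f"unsupported prefetch file: signature {signature!r}, version {version}")
    executable = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    # File information block at 0x54: section offsets/counts, then the version-specific run data.
    metrics_off, _, _, _, str_off, str_size, vol_off, n_vols, _ = struct.unpack_from("<9I", data, 0x54)
    run_off, slots, count_off = LAYOUTS[version]
    if count_off is None:  # v30: metrics at 0x134 means the 224-byte layout, 0x12C the 216-byte one
        count_off = 0xD0 if metrics_off == 0x134 else 0xC8
    runs = [filetime_to_dt(ft) for ft in struct.unpack_from(f"<{slots}Q", data, run_off)]
    run_count = struct.unpack_from("<I", data, count_off)[0]
    files = [s for s in data[str_off:str_off + str_size].decode("utf-16-le").split("\x00") if s]
    volumes, entry_size = [], 40 if version == 17 else 104
    for i in range(n_vols):
        path_off, path_len, created, serial = struct.unpack_from("<IIQI", data, vol_off + i * entry_size)
        start = vol_off + path_off  # device path offset is relative to the volumes section
        volumes.append({"path": data[start:start + 2 * path_len].decode("utf-16-le"),
                        "serial": f"{serial:08X}", "created": filetime_to_dt(created)})
    return {"version": version, "executable": executable, "hash": f"{pf_hash:08X}", "size": file_size,
            "run_count": run_count, "last_runs": [r for r in runs if r], "files": files, "volumes": volumes}


def build_sample_pf():
    """Constructed version-30 SCCA file (224-byte file-information variant); not a real capture."""
    base = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    run_fts = [dt_to_filetime(base - timedelta(days=d)) for d in (0, 1, 7)] + [0] * 5  # newest first, unused = 0
    vol = "\\VOLUME{01d9a1b2c3d4e5f6-a1b2c3d4}"
    strings = (vol + "\\WINDOWS\\SYSTEM32\\NTDLL.DLL\x00" + vol + "\\USERS\\PUBLIC\\SAMPLE.EXE\x00").encode("utf-16-le")
    str_off = 0x54 + 224
    vol_off = str_off + len(strings)
    vol_entry = struct.pack("<IIQI", 104, len(vol), dt_to_filetime(datetime(2023, 1, 1, tzinfo=timezone.utc)), 0xA1B2C3D4)
    vol_section = vol_entry.ljust(104, b"\x00") + (vol + "\x00").encode("utf-16-le")
    total = vol_off + len(vol_section)
    header = struct.pack("<I4sII", 30, b"SCCA", 0x11, total) + "SAMPLE.EXE".encode("utf-16-le").ljust(60, b"\x00")
    header += struct.pack("<II", 0x1A2B3C4D, 0)
    info = struct.pack("<9I", str_off, 0, str_off, 0, str_off, len(strings), vol_off, 1, len(vol_section))
    info += b"\x00" * 8 + struct.pack("<8Q", *run_fts) + b"\x00" * 16 + struct.pack("<I", 5)
    return header + info.ljust(224, b"\x00") + strings + vol_section


if __name__ == "__main__":
    parsed = parse_prefetch(build_sample_pf())
    print(parsed["executable"], parsed["hash"], parsed["run_count"], [r.isoformat() for r in parsed["last_runs"]])
```

Point parse_prefetch() at the bytes of a real .pf file to get the run count, the up-to-eight embedded run times, the referenced files and the volume serial that the text describes; a file whose first four bytes are neither SCCA-with-version nor MAM is rejected rather than silently misread.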


[Figure: Hexadecimal view of a Windows 7 Prefetch file (uncompressed, "SCCA" signature at offset 4)]
[Figure: Hexadecimal view of a Windows 10 Prefetch file (compressed, "MAM" signature at offset 0)]


Prefetch entries are generated for executables regardless of how they were launched: from Windows Explorer, shortcuts, the Run dialog, cmd.exe or PowerShell, scheduled tasks, services, and remote tooling such as PsExec (whose PSEXESVC.EXE service binary leaves its own .pf file on the target). What Prefetch does not record is code that runs inside an already running process, so a script executed by powershell.exe yields only a POWERSHELL.EXE entry and an injected or reflectively loaded payload yields none. Investigators should scrutinize instances of multiple Prefetch files sharing the same executable name, as these generally indicate execution from disparate paths. For "hosting" processes such as svchost.exe, dllhost.exe, rundll32.exe, or backgroundtaskhost.exe, the hash incorporates both path and command-line parameters, so multiple legitimate entries are expected; the hosted DLL or payload frequently appears among the file references inside the .pf file.


Deployment of live response tooling on a target system will generate new Prefetch files, potentially triggering the deletion of older entries due to directory capacity constraints. Consequently, immediate prioritization and collection of the C:\Windows\Prefetch\ directory is strongly recommended to mitigate evidence loss.


Registry Controls and Configuration Verification

The status of Prefetch functionality is governed by two primary registry keys that should be examined whenever Prefetch artifacts are absent or unexpectedly sparse:

  1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
    • EnablePrefetcher (REG_DWORD):
      • 0: Prefetching fully disabled
      • 1: Application launch prefetching enabled only
      • 2: Boot prefetching enabled only
      • 3: Both application launch and boot prefetching enabled (default on client editions)
  2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysMain
    • Start (REG_DWORD, service startup type):
      • 2: Automatic (the default on client editions; 0 and 1 denote boot-start and system-start and are used by drivers, not by this service)
      • 3: Manual
      • 4: Disabled

Per-application .pf files are written only when application launch prefetching is enabled (EnablePrefetcher 1 or 3) and the SysMain service, which writes the trace to disk, is running, so the two values must be read together. On a live system both can be read with regedit, reg query, or Get-ItemProperty in PowerShell. A non-default EnablePrefetcher value (particularly 0) warrants careful documentation: it may indicate intentional tampering, an administrator-level optimization (historically on SSD-equipped systems), or a Windows Server installation, where Prefetch is disabled by default. The key's last-write time, visible in regedit or in an offline registry parser, helps establish when the setting changed.


Additionally, the associated SuperFetch service (renamed SysMain in Windows 10 version 1809 and later) can be evaluated via the Services management console (services.msc, or Control Panel → System and Security → Administrative Tools → Services):

  1. Locate the SuperFetch (or SysMain) service.
  2. Double-click the service and review the Startup type on the General tab:
    • Automatic (or Automatic (Delayed Start)): normal operational state.
    • Manual: the service starts only on demand, so Prefetch files are not written reliably.
    • Disabled: indicates suppression of the service; no new Prefetch files are written.


Cross-verification between the EnablePrefetcher registry value and the SysMain service startup configuration is essential. Discrepancies or disabled states should be flagged as potential anti-forensic activity and correlated with other artifacts (e.g., absence of Prefetch files, recent Registry modifications, or event log entries related to service control).


This information supplements the broader Prefetch analysis by enabling examiners to assess whether Prefetch-related evidence is expected to be present or has been deliberately disabled on the subject system.
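The cross-verification above reduces to a small decision procedure. The following Python is an added example for this page, not a tool the article describes: assess_prefetch_config() takes the EnablePrefetcher value, the SysMain Start value, whether the host is a Server edition and the number of .pf files on disk, and returns what an examiner should expect and note; read_live_config() gathers those four inputs on a live Windows host (it relies on the winreg module and on the ProductType value under ProductOptions, where "WinNT" denotes a client edition). The cap of 1024 files is the Windows 8+ limit; pass pf_cap=128 for Windows 7.

```python
"""Decide whether Prefetch artifacts should exist on a host from its registry state and .pf population."""
import os

PREFETCH_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters"
SYSMAIN_KEY = r"SYSTEM\CurrentControlSet\Services\SysMain"
PRODUCT_KEY = r"SYSTEM\CurrentControlSet\Control\ProductOptions"   # ProductType: "WinNT" = client, else server
SERVICE_START = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}


def assess_prefetch_config(enable_prefetcher, sysmain_start, is_server, pf_count, pf_cap=1024):
    """Cross-verify the two registry controls and the on-disk population.
    Returns {'expect_pf': bool, 'review': bool, 'findings': [str]}: 'expect_pf' says whether new .pf
    files should currently be appearing, 'review' marks states that need an explanation."""
    findings, review = [], False
    app_prefetch = enable_prefetcher in (1, 3)
    start_name = SERVICE_START.get(sysmain_start, "unknown")
    if not app_prefetch:
        if is_server:
            findings.append(f"EnablePrefetcher={enable_prefetcher}: application prefetch off, consistent with Windows Server defaults")
        else:
            findings.append(f"EnablePrefetcher={enable_prefetcher} on a client edition: non-default, record the key's LastWrite time")
            review = True
    if sysmain_start != 2:
        findings.append(f"SysMain Start={sysmain_start} ({start_name}): service does not start automatically, no .pf files are written while it is stopped")
        if app_prefetch:  # the registry says prefetch is on, but the service that writes the files is not
            findings.append("discrepancy: EnablePrefetcher enabled while SysMain is not automatic")
            review = True
    expect_pf = app_prefetch and sysmain_start == 2
    if expect_pf and pf_count == 0:
        findings.append("prefetch enabled but the Prefetch directory is empty: possible wiping of .pf files")
        review = True
    if not expect_pf and pf_count > 0:
        findings.append(f"{pf_count} .pf files survive from before the disablement: parse them anyway")
    if pf_count >= pf_cap:
        findings.append(f"directory at the {pf_cap}-file cap: oldest entries are being aged out")
    return {"expect_pf": expect_pf, "review": review, "findings": findings}


def read_live_config():
    """Collect the four inputs from the running Windows host (needs the winreg module, i.e. Windows)."""
    import winreg

    def value(key, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                return winreg.QueryValueEx(handle, name)[0]
        except OSError:
            return None   # key or value missing: reported as-is rather than guessed

    pf_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "Prefetch")
    pf_count = sum(1 for f in os.listdir(pf_dir) if f.lower().endswith(".pf")) if os.path.isdir(pf_dir) else 0
    is_server = value(PRODUCT_KEY, "ProductType") != "WinNT"
    return value(PREFETCH_KEY, "EnablePrefetcher"), value(SYSMAIN_KEY, "Start"), is_server, pf_count


if __name__ == "__main__":
    result = assess_prefetch_config(*read_live_config())
    print("expect new .pf files:", result["expect_pf"], "| review:", result["review"])
    for line in result["findings"]:
        print(" -", line)
```

A missing registry value is passed through as None, which the assessment treats as "not enabled" and reports verbatim, so an examiner sees the absence instead of a guessed default.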


Certain Windows versions also maintain SuperFetch data within the same directory as Ag*.db files (e.g., AgAppLaunch.db). While often redundant with Prefetch information and parsed by fewer specialized tools, SuperFetch may provide supplementary context in targeted examinations.


Timestamp Interpretation for Timeline Construction

File system timestamps on Prefetch files offer valuable execution chronology when interpreted with appropriate caveats:

  • First known execution: Correlates closely with the file creation timestamp (offset approximately –10 seconds).
  • Last execution: Aligns with the last modification timestamp (offset approximately –10 seconds). More precise run times (up to eight) are embedded within the Prefetch file itself on modern Windows versions.

The ~10-second offset arises because the Prefetch service continues monitoring file accesses for the initial ten seconds of execution before committing data to disk. This delay does not affect embedded timestamps. Analysts must recognize that Prefetch files may age out of the directory due to the finite capacity (128 files on Windows 7 and earlier; 1024 thereafter). Subsequent re-execution generates a new Prefetch file with a later creation time, potentially obscuring earlier activity. Comprehensive timeline validation therefore requires cross-referencing with additional execution artifacts (e.g., ShimCache, Amcache, BAM/DAM, SRUM, event logs, and Registry Run keys).

Important Caveat: The existence of a Prefetch file confirms an execution attempt, not necessarily successful completion. Corroboration with secondary artifacts remains essential, particularly when analyzing potentially malformed or malicious binaries.
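The timestamp rules above can be applied mechanically. The Python below is an added example written for this page, not code from the article: prefetch_timeline() turns one .pf file's file-system creation and modification times plus its embedded run times into timeline rows, counts the creation-derived "first known execution" and the oldest embedded run once when they coincide, and flags the conditions a practitioner would question (modification time earlier than the last embedded run, creation time later than an embedded run, run count beyond the stored slots). The ten-second lag and the one-minute tolerance are assumptions chosen for this example; the sample timestamps are constructed.

```python
"""Build execution-timeline rows from one Prefetch file and sanity-check its timestamps."""
from datetime import datetime, timedelta, timezone

PREFETCH_LAG = timedelta(seconds=10)   # the .pf is written ~10 s after the launch it records
TOLERANCE = timedelta(minutes=1)       # slack before a timestamp relation is called anomalous


def ts(year, month, day, hour=0, minute=0, second=0):
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def prefetch_timeline(name, pf_created, pf_modified, last_runs, run_count, slots=8):
    """name: executable; pf_created/pf_modified: $STANDARD_INFORMATION times of the .pf file;
    last_runs: embedded run times, newest first, zero slots already dropped; slots: 8 on Win8+, 1 on Win7.
    Returns (events, notes): events are (time, source, description) tuples sorted oldest first."""
    events = [(t, "embedded", f"{name} run, slot {i} (0 = most recent)") for i, t in enumerate(last_runs)]
    first_known = pf_created - PREFETCH_LAG
    events.append((first_known, "pf created", f"{name} first known execution (creation time minus ~10 s)"))
    events.sort(key=lambda e: e[0])
    notes = []
    if last_runs != sorted(last_runs, reverse=True):
        notes.append("embedded run times are not in descending order; the file may be corrupt or manipulated")
    if run_count > slots:
        notes.append(f"run count {run_count} exceeds the {slots} stored timestamps: older runs are not enumerated")
    if not last_runs:
        return events, notes
    newest, oldest = last_runs[0], last_runs[-1]
    lag = pf_modified - newest
    if lag < timedelta(0):
        notes.append("pf modified before its last embedded run: the modification time is not original (copy or timestomp)")
    elif lag > TOLERANCE:
        notes.append(f"pf modified {lag} after its last run, far more than the usual ~10 s: later write or tampering")
    if pf_created > oldest + TOLERANCE:
        notes.append("pf created after an embedded run: the creation time is not original (copied or recreated file)")
    elif abs(first_known - oldest) <= PREFETCH_LAG:
        notes.append("first known execution coincides with the oldest embedded run; count it once in the timeline")
    return events, notes


if __name__ == "__main__":
    # Constructed sample: three runs, the .pf created 10 s after the first and modified 10 s after the last.
    runs = [ts(2024, 3, 8, 9, 30, 1), ts(2024, 3, 5, 8, 0, 0), ts(2024, 3, 1, 12, 0, 0)]
    events, notes = prefetch_timeline("SAMPLE.EXE", ts(2024, 3, 1, 12, 0, 10), ts(2024, 3, 8, 9, 30, 11), runs, 3)
    for when, source, what in events:
        print(when.isoformat(), source, what)
    for note in notes:
        print("note:", note)
```

Feed it the creation and modification times of the .pf file as collected (not as copied to the analysis box, which resets creation time and triggers the "created after an embedded run" note) together with the run times extracted by a parser, and merge the resulting rows with ShimCache, Amcache and event-log entries for the same binary.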

Taken together, these properties make Prefetch files a cornerstone artifact in Windows digital forensics, offering reliable, multi-faceted evidence of program execution suitable for timeline reconstruction, malware detection, and insider threat investigations.


Prefetch Parsing Tools: PECmd and WinPrefetchView

PECmd.exe, developed by Eric Zimmerman, is a robust command-line utility for parsing Windows Prefetch artifacts. It supports processing of individual Prefetch files via the -f switch or recursive directory traversal (including subdirectories) using the -d option.

When reviewing PECmd output, certain entries are automatically highlighted for investigator attention—specifically lines containing .exe references (including full execution paths) and paths involving temp or tmp directories. This visual cue can be extended through the -k switch, which accepts a comma-separated list of additional keywords or strings to highlight (e.g., -k "SYSWOW64,APPDATA"). Enclose the keyword list in double quotes.


Prefetch files have used the compressed "MAM" format since Windows 10. PECmd relies on the Windows API for decompression and therefore must be executed on a Windows 8.1 or later system to successfully parse modern Prefetch files.


When processing a single Prefetch file (-f), PECmd first displays the file system timestamps of the .pf file itself (Creation and Modification times). These timestamps may be altered depending on collection methodology and should be interpreted cautiously. Subsequent metadata includes the executable name, Prefetch hash, file size, and internal Prefetch version. Core parsed elements derived from the file’s internal structure include:

  • Run Count: Total executions recorded.
  • Last Run Timestamps: A single timestamp on Windows 7 and earlier; up to eight timestamps on Windows 8 and later versions.
  • Volume, Directory, and File References: Captured during the initial ~10 seconds of application execution.

The example output below illustrates the characteristic ~10-second offset between the embedded "Last Run" time and the file system Modified timestamp, consistent with Prefetch service behavior.



When processing an entire directory (-d), PECmd generates two primary outputs:

  • A comprehensive CSV file containing one row per Prefetch file with key metadata (ideal for timeline filtering, run-count analysis, or high-volume searches).
  • A Timeline view that extracts and chronologically sorts all embedded execution timestamps across the dataset.


The timeline output focuses exclusively on embedded timestamps and does not automatically incorporate the file creation time (which can represent the first known execution). Windows 8+ systems, supporting up to 1024 Prefetch files each with up to eight run times, provide investigators with significant temporal resolution for establishing execution sequences and correlations.
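The CSV is where the review of same-named .pf files and of hosting processes mentioned earlier becomes a bulk query. The Python below is an added example for this page, not part of PECmd or the article: it reads a CSV in the column layout PECmd exports (the column names ExecutableName, Hash, RunCount, LastRun and FilesLoaded, and the ", " separator inside FilesLoaded, are assumptions about that export) and flags rows where a Windows hosting binary ran from outside System32, where the executable or a DLL loaded by a host process lives in a user-writable directory, or where one executable name appears under several hashes. The rows in SAMPLE_CSV are constructed for the example.

```python
"""Triage a PECmd-style CSV (one row per .pf) for execution anomalies worth a closer look."""
import csv
import io
from collections import defaultdict

# Constructed rows in the PECmd CSV column layout; FilesLoaded entries are joined with ", ".
SAMPLE_CSV = r"""
SourceFilename,ExecutableName,Hash,RunCount,LastRun,FilesLoaded
C:\Windows\Prefetch\SVCHOST.EXE-1A2B3C4D.pf,SVCHOST.EXE,1A2B3C4D,412,2024-03-08 09:30:01,"\VOLUME{01d9a1b2c3d4e5f6-a1b2c3d4}\WINDOWS\SYSTEM32\SVCHOST.EXE, \VOLUME{01d9a1b2c3d4e5f6-a1b2c3d4}\WINDOWS\SYSTEM32\NTDLL.DLL"
C:\Windows\Prefetch\SVCHOST.EXE-9F8E7D6C.pf,SVCHOST.EXE,9F8E7D6C,2,2024-03-07 23:12:40,"\VOLUME{01d9a1b2c3d4e5f6-a1b2c3d4}\USERS\PUBLIC\SVCHOST.EXE, \VOLUME{01d9a1b2c3d4e5f6-a1b2c3d4}\WINDOWS\SYSTEM32\NTDLL.DLL"
C:\Windows\Prefetch\RUNDLL32.EXE-3C4D5E6F.pf,RUNDLL32.EXE,3C4D5E6F,1,2024-03-07 23:15:02,"\VOLUME{01d9a1b2c3d4e5f6-a1b2c3d4}\WINDOWS\SYSTEM32\RUNDLL32.EXE, \VOLUME{01d9a1b2c3d4e5f6-a1b2c3d4}\USERS\BOB\APPDATA\ROAMING\UPDATE.DLL"
C:\Windows\Prefetch\NOTEPAD.EXE-D4E5F6A7.pf,NOTEPAD.EXE,D4E5F6A7,58,2024-03-08 08:02:19,"\VOLUME{01d9a1b2c3d4e5f6-a1b2c3d4}\WINDOWS\SYSTEM32\NOTEPAD.EXE, \VOLUME{01d9a1b2c3d4e5f6-a1b2c3d4}\WINDOWS\SYSTEM32\NTDLL.DLL"
C:\Windows\Prefetch\NOTEPAD.EXE-0B1C2D3E.pf,NOTEPAD.EXE,0B1C2D3E,1,2024-03-07 22:58:44,"\VOLUME{01d9a1b2c3d4e5f6-a1b2c3d4}\USERS\BOB\DOWNLOADS\NOTEPAD.EXE, \VOLUME{01d9a1b2c3d4e5f6-a1b2c3d4}\WINDOWS\SYSTEM32\NTDLL.DLL"
"""

SYSTEM_DIRS = ("\\WINDOWS\\SYSTEM32\\", "\\WINDOWS\\SYSWOW64\\")
USER_WRITABLE = ("\\TEMP\\", "\\TMP\\", "\\APPDATA\\", "\\USERS\\PUBLIC\\", "\\PROGRAMDATA\\",
                 "\\DOWNLOADS\\", "\\$RECYCLE.BIN\\")
# Hosting binaries: several hashes are normal (the hash covers the command line), the payload is a loaded file.
HOSTS = {"SVCHOST.EXE", "DLLHOST.EXE", "RUNDLL32.EXE", "REGSVR32.EXE", "BACKGROUNDTASKHOST.EXE"}


def files_loaded(row):
    return [f.strip() for f in row["FilesLoaded"].split(",") if f.strip()]


def own_path(row):
    """The executable's own image is listed among the files it loaded; find it by basename."""
    suffix = "\\" + row["ExecutableName"].upper()
    return next((f for f in files_loaded(row) if f.upper().endswith(suffix)), None)


def triage(csv_text):
    rows = list(csv.DictReader(io.StringIO(csv_text.strip())))
    hashes = defaultdict(set)
    for row in rows:
        hashes[row["ExecutableName"].upper()].add(row["Hash"])
    hits = []
    for row in rows:
        name, reasons = row["ExecutableName"].upper(), []
        path = own_path(row)
        if path is None:
            reasons.append("executable's own path not among FilesLoaded (truncated trace or parsing problem)")
        else:
            upper = path.upper()
            if name in HOSTS and not any(d in upper for d in SYSTEM_DIRS):
                reasons.append(f"{name} run from {path} rather than System32/SysWOW64 (masquerading)")
            for d in USER_WRITABLE:
                if d in upper:
                    reasons.append(f"executable run from user-writable {d} directory")
        if name in HOSTS:   # the payload of a hosting process shows up only as a loaded file
            for f in files_loaded(row):
                if f.upper().endswith(".DLL") and any(d in f.upper() for d in USER_WRITABLE):
                    reasons.append(f"hosted payload loaded from user-writable path: {f}")
        if len(hashes[name]) > 1 and name not in HOSTS:
            reasons.append(f"{name} has {len(hashes[name])} distinct prefetch hashes (run from {len(hashes[name])} paths)")
        if reasons:
            hits.append({"pf": row["SourceFilename"], "exe": name, "hash": row["Hash"],
                         "run_count": int(row["RunCount"]), "last_run": row["LastRun"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_CSV):
        print(hit["pf"], hit["run_count"], "|", "; ".join(hit["reasons"]))
```

Replace SAMPLE_CSV with the text of the PECmd -d output file; the directory lists are deliberately substring matches on the device path so that \Users\Public, a roaming AppData folder and a Temp directory on any volume are all caught.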


WinPrefetchView offers an effective graphical interface for rapid Prefetch analysis. After directing the tool to a Prefetch directory (from either a live system or a mounted forensic image), it populates a tabular view displaying the following:

  • File system timestamps (Created and Modified)
  • Run Counter
  • Last Run Times (including extraction of up to eight embedded timestamps on modern Windows versions)
  • Associated file references (DLLs, modules, and other accessed files) in a lower pane when a specific entry is selected.

NirSoft tools are designed to execute on live systems and will initially populate with the host machine’s Prefetch data. To analyze data from a forensic image or triage collection:

  • Navigate to Options → Advanced Options and specify the target Prefetch directory.


Many NirSoft utilities (including WinPrefetchView) automatically convert timestamps from UTC to local system time. To preserve forensic integrity, maintain the analysis workstation in UTC time zone. Alternatively, force GMT/UTC display via Options → Show Time in GMT.

These tools, when used in tandem—PECmd for scripted, detailed, or bulk analysis and WinPrefetchView for intuitive visualization—enable examiners to efficiently extract high-fidelity execution evidence, identify anomalous program activity, and construct robust timelines in Windows digital forensic examinations.


Limitations of Prefetch File Analysis

While Prefetch files represent a valuable source of execution artifacts in Windows digital forensics, they are subject to several inherent limitations that forensic examiners must carefully consider when incorporating them into timelines or attribution assessments.


  • Finite Storage Capacity: The Prefetch directory is limited to a maximum of 1024 files on Windows 8 and later systems (128 on Windows 7 and earlier). Once this threshold is reached, older entries are automatically overwritten using a least-recently-used algorithm. This can result in the permanent loss of historical execution evidence, particularly for applications that have not run recently.
  • Lack of Execution Context: Prefetch records that an executable was launched but provides no attribution regarding the initiation mechanism—whether triggered by direct user interaction, a scheduled task, service startup, or automated malware persistence techniques. This absence of contextual metadata can lead to misinterpretation of execution events.
  • Disabled by Edition or Configuration: Prefetch is disabled by default on Windows Server editions, and administrators sometimes disable it on SSD-equipped systems in the belief that it offers no benefit there (Windows 7 may itself switch it off on a fast SSD). Windows 10 and Windows 11 clients, by contrast, keep Prefetch enabled by default even on SSDs, so an empty Prefetch directory on such a host is a finding to verify against the registry controls above rather than an expected condition.
  • Execution Metadata Only: Prefetch files capture file system interaction metadata (executable name, path, run count, timestamps, accessed modules, and volume information) but offer no insight into the program's runtime behavior, actions performed, or malicious intent. A Prefetch entry for a known malicious binary does not distinguish between benign and malicious activity (e.g., ransomware execution).
  • Version-Specific Format Variations: Prefetch file structure has evolved across Windows versions. Older files (Windows XP through Windows 8) utilize the uncompressed "SCCA" signature, while Windows 10 and later employ compressed "MAM" format. This evolution can cause compatibility issues with outdated parsing tools that fail to properly decompress or interpret modern Prefetch files.
  • Anti-Forensic Evasion Techniques: Sophisticated adversaries can deliberately suppress Prefetch evidence through registry modifications (EnablePrefetcher value set to 0), service disablement, execution from live operating environments (e.g., bootable media), or post-execution deletion/cleanup of .pf files.
  • Restricted Capture Scope: Prefetch records the launch of an executable image, whether started from Explorer, a command line, a scheduled task, or a service, but nothing that executes inside an already running process. Scripts run by powershell.exe or wscript.exe, DLLs loaded by rundll32.exe or regsvr32.exe, and injected or reflectively loaded code leave at most a host-process entry (and sometimes a file reference), creating significant gaps in coverage for common attacker tradecraft.


Due to these constraints, Prefetch analysis should never be relied upon in isolation. A multi-artifact correlation approach is essential—integrating Prefetch findings with complementary sources such as ShimCache (AppCompatCache), Amcache, BAM/DAM registry keys, System Resource Usage Monitor (SRUM), Windows Event Logs, Security-Auditing logs, and Registry Run keys. This layered methodology significantly enhances the reliability and completeness of execution timelines and program activity reconstructions.


Understanding these limitations enables forensic practitioners to apply appropriate weighting to Prefetch evidence and avoid over-reliance on this artifact class during investigations.
