Windows Prefetch Parser (pf)

Introduction

pf is a command line tool that parses Windows prefetch files. Using the definition in Wikipedia, "the prefetcher is a component of versions of Microsoft Windows starting with Windows XP... that speeds up the Windows boot process and shortens the amount of time it takes to start up programs. In Windows Vista, SuperFetch and ReadyBoost extend upon the prefetcher and attempt to accelerate application and boot launch times..." [1]. A good source for discussion on the internals of the mechanics of prefetching is given in the MSDN article written by Mark Russinovich and David Solomon [2].

The prefetcher behavior is controlled by the Windows registry value "EnablePrefetcher" located in the following registry path: HKLM\ System\CurrentControlSet\Control\Session\Manager\ Memory Management\ PrefetchParameters. The value for "EnablePrefetcher" can have one of the following values [1]:

Value Meaning
0 Disabled
1 Application launch prefetching enabled
2 Boot prefetching enabled
3 Application launch and boot enabled (default)

From a forensics standpoint, the prefetch file offers the analyst some information about the applications that were executed, the location of the application and the frequency that it was run. Specifically, the prefetch file contains information such as: (a) filename, (b) file location, (c) timestamps related to the prefetch entry (created, modified and accessed), (d) the number of times a certain application was run, (e) the last run time, (f) which modules were loaded with the application, and (g) which volumes were used in access the application or the modules used.

How to use pf

pf has a number of command line switches. The screenshot below shows the available options. There are two available options that tell pf how much data to display to the analyst. The first is the the default mode, which is the verbose option and displays as much information that pf can parse. The second is a variety of CSV options that output one line per prefetch file.

The one-line-per-entry behavior will output the (a) application name and path, (b) number of times the application was ran, (c) the last time run, and (d) the prefetch file MAC timestamps. The verbose option includes all the same information the default option outputs, plus module dependencies loaded and volumes used to run the application.

pf's menu/options

When desiring detailed data on a certain prefetch entry, the verbose option is the best choice, without using the CSV option. The output will be unstructured text where multiple lines will be used for one prefetch entry. Thus the output of the prefetch record can be large. Below is an example of how much data is outputted on a typical prefetch file in verbose mode.

pf's verbose output

To analyze many prefetch files in a directory, the -pipe switch is available. For example, running this on the c:\Windows\Prefetch directory is a common use of this option. The screenshot shows this mode using the default output (not verbose) and using the -csv option:

pf's csv output using a pipe

When analyzing Windows 8 prefetch files, there are extra timestamps available which are extracted. Below is what this output looks like:

pf's prevtimes option

For more information

The user's guide can be viewed here

If you would like more information about pf, contact us via email.

Downloads

32-bit Version64-bit Version
Windows:pf32.v.1.20.win.zippf64.v.1.20.win.zipmd5/sha1
Linux:pf32.v.1.20.lin.tar.gzpf64.v.1.20.lin.tar.gzmd5/sha1
Mac OS X:pf.v.1.20.osx.tar.gzpf.v.1.20.osx.tar.gzmd5/sha1
*32bit apps can run in a 64bit linux distribution if "ia32-libs" (and dependencies) are present.