prefetch-file
Parses Windows Prefetch files and retrieves application execution history. Prefetch files are created on Windows XP and later to optimize application startup performance, and are stored in the C:\Windows\Prefetch directory with a .pf extension.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Licensed command |
| Parallel execution | Not supported |
| Distributed execution | Not supported |
Syntax
Options
zippath=STR - ZIP file path. Specify this option when the target file is inside a ZIP archive.
zipcharset=STR - Character set for ZIP entry names (default: utf-8).
Target
FILE_PATH - Prefetch file path. Use a wildcard (*) to query multiple files at once. When used with the zippath option, specify the path inside the ZIP file.
Output fields
| Field | Type | Description |
|---|---|---|
| _file | string | Original Prefetch file name |
| version | integer | Prefetch file version. Windows XP: 17, Windows Vista/7: 23, Windows 8.1: 26, Windows 10: 30 |
| file_size | long | Prefetch file size (bytes) |
| executable_name | string | Executable file name |
| hash | string | Hash value of the executable file path (hexadecimal string) |
| last_run_time | timestamp | Last run time |
| prev_run_times | array | List of previous run times. Available only on Windows 8.1 and later (up to 8 run times). Returns null on earlier versions. |
| run_count | integer | Run count |
| loaded_files | array | List of file paths loaded at execution |
| directories | array | Volume information list. Each item is a map containing path (volume device path), creation_date (volume creation time), and directory_strings (directory string list). |
Error codes
Parse errors
N/A
Runtime errors
| Error code | Message | Description | Post-action |
|---|---|---|---|
| - | cannot read prefetch file [FILE_PATH] | An error occurred while reading or parsing the file | Query aborted |
Description
The prefetch-file command parses Windows Prefetch files and retrieves application execution history. One record is output per Prefetch file.
Prefetch files on Windows 8.1 and later (versions 26 and 30) are stored in MAM compressed format. The command automatically decompresses the LZ Xpress compression before parsing. Uncompressed Prefetch files from earlier versions such as Windows XP (version 17) and Windows Vista/7 (version 23) are also supported.
The loaded_files field contains paths to DLLs, font files, and other files loaded when the application runs. The directories field stores volume directory information in array format.
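The following parser, added here as an illustration and not the prefetch-file command's own code, shows how the fields above are recovered from an uncompressed Prefetch file: the SCCA header (version, executable name, path hash), the file-information block (last run time, earlier run times on version 26 and later, run count) and the filename-strings section that feeds loaded_files. Field offsets follow the publicly documented Prefetch layout for versions 17, 23, 26 and 30; the run-count position for version 30 derived from the file-metrics offset is an assumption stated in the code. MAM-compressed files are detected and rejected rather than decompressed, and volume information is reduced to a count. The sample buffers are constructed in build_sample_prefetch(); the D8414F97 hash is taken from the NOTEPAD.EXE example file name on this page.

```python
"""Parse uncompressed Windows Prefetch (SCCA) files. Added example, not the
prefetch-file command's implementation. Offsets follow the public Prefetch format
documentation; MAM (LZXPRESS Huffman) decompression and volume parsing are omitted."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 0x54  # fixed header: version, "SCCA", file size, executable name, hash

# version -> (offset of last run time, number of run-time slots, offset of run count)
# Version 30 has two file-information layouts, so its run-count offset is derived
# from the file-metrics offset in parse_prefetch() (assumption: both variants keep
# the run count 100 bytes before the file-metrics array).
LAYOUT = {
    17: (0x78, 1, 0x90),   # Windows XP
    23: (0x80, 1, 0x98),   # Windows Vista/7
    26: (0x80, 8, 0xD0),   # Windows 8.1: last run time plus 7 earlier run times
    30: (0x80, 8, None),   # Windows 10
}
FILE_INFO_SIZE = {17: 68, 23: 156, 26: 224, 30: 224}  # used by the sample builder only


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, exact at microsecond granularity."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch(data):
    """Return one record (dict) for a Prefetch buffer, mirroring the output fields."""
    if data[:3] == b"MAM":
        # Compressed container used since Windows 8.1; bytes 4..8 hold the
        # decompressed size. Decompress before calling this parser.
        raise ValueError("MAM-compressed prefetch file: LZXPRESS decompression required")
    if len(data) < HEADER_SIZE or data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    version, _sig, _unknown, file_size = struct.unpack_from("<I4sII", data, 0)
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    exe_name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    # File information: section offsets/counts, then run times and run count.
    (metrics_off, _n_metrics, _chains_off, _n_chains, names_off, names_size,
     _volumes_off, n_volumes, _volumes_size) = struct.unpack_from("<9I", data, HEADER_SIZE)
    last_run_off, n_times, run_count_off = LAYOUT[version]
    if run_count_off is None:
        run_count_off = metrics_off - 100  # version 30, see LAYOUT comment
    times = struct.unpack_from(f"<{n_times}Q", data, last_run_off)
    run_count = struct.unpack_from("<I", data, run_count_off)[0]
    # Filename strings: NUL-separated UTF-16LE paths of everything loaded at run time.
    blob = data[names_off:names_off + names_size].decode("utf-16-le", errors="replace")
    return {
        "version": version,
        "file_size": file_size,
        "executable_name": exe_name,
        "hash": f"{path_hash:08X}",
        "last_run_time": filetime_to_datetime(times[0]),
        # Earlier run times exist only from version 26 on; zero slots are unused.
        "prev_run_times": [filetime_to_datetime(t) for t in times[1:] if t] if n_times > 1 else None,
        "run_count": run_count,
        "loaded_files": [s for s in blob.split("\x00") if s],
        "volume_count": n_volumes,
    }


def build_sample_prefetch(version, exe_name, path_hash, run_times, run_count, loaded_files):
    """Build a synthetic .pf buffer (constructed test data, not a real capture).
    It carries no file-metrics, trace-chain or volume sections; the filename
    strings directly follow the file information."""
    last_run_off, n_times, run_count_off = LAYOUT[version]
    metrics_off = HEADER_SIZE + FILE_INFO_SIZE[version]
    names = "\x00".join(loaded_files).encode("utf-16-le") + b"\x00\x00"
    buf = bytearray(metrics_off + len(names))
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x11, len(buf))
    buf[0x10:0x4C] = exe_name.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, path_hash)
    struct.pack_into("<9I", buf, HEADER_SIZE, metrics_off, 0, metrics_off, 0,
                     metrics_off, len(names), metrics_off + len(names), 0, 0)
    for i, ft in enumerate(run_times[:n_times]):
        struct.pack_into("<Q", buf, last_run_off + 8 * i, ft)
    if run_count_off is None:
        run_count_off = metrics_off - 100
    struct.pack_into("<I", buf, run_count_off, run_count)
    buf[metrics_off:] = names
    return bytes(buf)


def demo():
    """Parse two constructed samples: a Windows 7 (v23) and a Windows 8.1 (v26) file."""
    t_last = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    t_prev = datetime(2024, 2, 28, 9, 30, 0, tzinfo=timezone.utc)
    dll = "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL"  # constructed path
    win7 = build_sample_prefetch(23, "NOTEPAD.EXE", 0xD8414F97,
                                 [datetime_to_filetime(t_last)], 5, [dll])
    win81 = build_sample_prefetch(26, "CMD.EXE", 0x12345678,
                                  [datetime_to_filetime(t_last), datetime_to_filetime(t_prev)], 12, [dll])
    return parse_prefetch(win7), parse_prefetch(win81)
```

Running demo() yields the two records; a real Windows 8.1 or 10 file read straight from C:\Windows\Prefetch starts with the MAM signature and is rejected by parse_prefetch() until it has been decompressed, which is the step the prefetch-file command performs automatically.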
Examples
- Querying a single Prefetch file

  `prefetch-file C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf`

  Retrieves execution history from the specified Prefetch file.

- Querying all Prefetch files with a wildcard

  `prefetch-file C:\Windows\Prefetch\*.pf`

  Queries all Prefetch files in the Prefetch directory.

- Querying Prefetch files inside a ZIP archive

  `prefetch-file zippath=D:\evidence\artifacts.zip Prefetch\*.pf`

  Queries Prefetch files inside a ZIP archive.

- Sorting by run count

  `prefetch-file C:\Windows\Prefetch\*.pf | sort -run_count`

  Sorts all Prefetch files in descending order by run count.

- Querying the list of loaded files for a specific executable

  `prefetch-file C:\Windows\Prefetch\*.pf | search executable_name == "CMD.EXE" | explode loaded_files`

  Explodes the list of files loaded when CMD.EXE ran and retrieves each item individually.