recent-file-cache
Parses the Windows 7 RecentFileCache.bcf file and retrieves a list of file paths for recently executed programs. This file contains the execution history recorded in the application compatibility cache.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Licensed command |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Options
- zippath=STR: Path to the ZIP file containing the BCF file. Use this to query a BCF file inside a ZIP archive directly.
- zipcharset=STR: Character set for ZIP entry names (default: utf-8)
Target
- FILE_PATH: Path to the RecentFileCache.bcf file to query. You can use a wildcard (*) to specify multiple files. On Windows 7, this file is located in the C:\Windows\AppCompat\Programs directory.
Output fields
| Field | Type | Description |
|---|---|---|
| _file | string | BCF file name |
| file_path | string | Full file path of the executed program |
Error codes
Parse errors
N/A
Runtime errors
| Error code | Message | Description | Post-action |
|---|---|---|---|
| - | cannot load RecentFileCache.bcf file | The BCF file cannot be read | Query aborted |
| - | invalid RecentFileCache.bcf file. magic is {value} | The magic number in the BCF file is incorrect | Query aborted |
Description
The recent-file-cache command parses the specified RecentFileCache.bcf file in binary format and extracts the executed program file path from each entry. The BCF file is written by the Application Compatibility Cache on Windows 7 and stores the paths of programs that have been executed on the system.
The command validates the magic number (0xFEFFEEFF) at the beginning of the file to confirm it is a valid BCF file. An error occurs if the magic number does not match.
To query a BCF file inside a ZIP archive, specify the ZIP file path in the zippath option and specify the path to the BCF file inside the ZIP as the target.
Examples
- Querying a RecentFileCache.bcf file

  recent-file-cache /opt/logpresso/evidence/RecentFileCache.bcf

  Retrieves all executed program paths from the BCF file at the specified path.

- Querying a BCF file inside a ZIP archive

  recent-file-cache zippath=/opt/logpresso/evidence/artifacts.zip RecentFileCache.bcf

  Retrieves executed program paths from the RecentFileCache.bcf file inside a ZIP archive.

- Filtering by a specific path pattern

  recent-file-cache /opt/logpresso/evidence/RecentFileCache.bcf | search file_path == "*\\AppData\\*"

  Filters to show only programs that were executed from the user's AppData directory.
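
The parsing described in the Description section and the AppData filter from the last example, as an added Python sketch for cross-checking results outside the product; it is not Logpresso's code. Assumptions, since this page does not document the layout: the magic is stored as the bytes FE FF EE FF, the header is 20 bytes, and each record is a 4-byte little-endian character count, the UTF-16LE path, and a 2-byte NUL terminator. The sample image and its paths are constructed.

```python
import struct

MAGIC = bytes.fromhex("FEFFEEFF")  # magic from this page; on-disk byte order assumed
HEADER_SIZE = 20                   # assumption: fixed 20-byte header


class BcfError(ValueError):
    """Raised when the image is not a well-formed RecentFileCache.bcf."""


def parse_bcf(data: bytes) -> list:
    """Return the program paths stored in a RecentFileCache.bcf image."""
    if len(data) < HEADER_SIZE:
        raise BcfError("file is shorter than the BCF header")
    if data[:4] != MAGIC:
        # Message mirrors the runtime error listed in the table above.
        raise BcfError(f"invalid RecentFileCache.bcf file. magic is {data[:4].hex()}")
    paths, offset = [], HEADER_SIZE
    while offset + 4 <= len(data):
        (nchars,) = struct.unpack_from("<I", data, offset)  # length in UTF-16 units
        start, end = offset + 4, offset + 4 + nchars * 2
        if end > len(data):
            # A cut-off record usually means a damaged or partially copied file.
            raise BcfError(f"truncated record at offset {offset}")
        paths.append(data[start:end].decode("utf-16-le", errors="replace"))
        offset = end + 2  # skip the NUL terminator (assumed)
    return paths


def from_appdata(paths):
    """Python equivalent of: search file_path == "*\\AppData\\*" (case-insensitive)."""
    return [p for p in paths if "\\appdata\\" in p.lower()]


def build_sample(paths):
    """Build a synthetic BCF image for the demo; this is not real evidence."""
    blob = MAGIC + bytes(HEADER_SIZE - len(MAGIC))
    for p in paths:
        blob += struct.pack("<I", len(p)) + p.encode("utf-16-le") + b"\x00\x00"
    return blob


SAMPLE_PATHS = [  # constructed paths
    r"c:\windows\system32\notepad.exe",
    r"c:\users\alice\appdata\local\temp\setup.exe",
]
SAMPLE = build_sample(SAMPLE_PATHS)

if __name__ == "__main__":
    for path in from_appdata(parse_bcf(SAMPLE)):
        print(path)
```
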