Windows Forensics: Prefetch 101

While attending the annual Texas Cyber Summit recently, I watched a talk by Marcus Guevara of Recon Infosec titled “The Best Free Resources to Get Started in Incident Response.”  One of the things he mentioned in that talk is Windows Prefetch – something already built into Windows by default.

I had never heard of Prefetch before this talk but the premise was really interesting.  Using information that is available within Prefetch, you can begin to establish a timeline of application usage (up to an extent) on a Windows system.

My mind immediately went to a recent issue I investigated where a spear phishing attack successfully convinced several members of senior management to not only open an email and click on a link, but also download and open a PDF file.  I also thought back to several past incidents where users had encountered the classic virus scam pop-up, trying to convince them that their system was infected.

I come from a networking background so my first inclination is usually to look at our firewall or our SIEM to see what IPs are connecting to and from the system.  Next I usually look at Windows event logs from that system – again through the SIEM.  Using Prefetch information, though, it sounded like I would be able to gain additional insight directly from the endpoint itself.

What Even Is Prefetch Anyway?

Prefetch was introduced back in ye olden times with the release of Windows XP in the year 2001.  (If you are reading this and you remember when Windows XP was released, please remember to stand up and move around every once in a while before your back locks up…like mine will shortly.)

The purpose of Prefetch was to speed up the boot-up of the system and reduce the amount of time it took applications to load.  It does this by storing some basic information about the resources needed by commonly-used executable binaries run on the system into a file so that those resources can be pre-emptively loaded into memory before they are needed.

Side note:  Within the context of this article, I am referring exclusively to Windows Prefetch.  Prefetch as a concept is used in several other contexts throughout other environments (such as software engineering), and I won’t be referencing any of those here.

Configuring Prefetch

The configuration for Prefetch is a registry value stored under the following key in the HKEY_LOCAL_MACHINE\SYSTEM hive:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

The default data for the EnablePrefetcher value is 3.  This enables Prefetch for both boot-up and application use.  You can modify the behavior of Prefetch by double-clicking on EnablePrefetcher and changing the Value data field to one of the following values:

0: Disables Prefetch entirely
1: Enables Prefetch for applications only
2: Enables Prefetch for boot-up only
3 (default): Enables Prefetch for both boot-up and applications

What and Where Are Prefetch Files?

When Windows creates a Prefetch file, that file is saved to the %SystemRoot%\Prefetch folder (the common literal path for this is C:\Windows\Prefetch).  You can quickly reach this location by opening a Run window (press the Windows key + R), typing prefetch in the Open: field, and clicking OK.

These files have a .pf file extension and are stored in an encrypted format, so they are not immediately readable with something like Notepad – they have to be opened with specific tools.

Beginning with XP, Windows was able to store up to 128 Prefetch files.  Once Windows 8 came along this number was upped to 1,024 Prefetch files.  Once that limit is reached, Windows will automatically delete files from the Prefetch folder.

The name of each Prefetch file will begin with the name of the binary as well as an eight-character hash of the location where the file was executed from.  As an example, here are a few Prefetch file names from my system:

CHROME.EXE-5A1054B7.pf
CMD.EXE-4A81B364.pf
NOTEPAD.EXE-D8414F97.pf

You may notice that some applications have multiple different files with very similar hash strings.  There are a few reasons why this might happen.

One of the possible causes for this is that this hashing function is actually a two-part process.  The first hash that is generated is based on the full file path of the binary – e.g., C:\Windows\System32\rundll32.exe – which is converted into a Unicode string to which the first hashing function is applied.

The second hashing function is calculated based on the case-sensitive file path and command line string (including arguments) that the binary is being run with.  This is very likely the source of the discrepancy.  Running CMD.exe will produce a slightly different hash than, say, cmd.exe or even Cmd.exe.

It may also be that a binary with the same name is running from a different location, such as C:\temp.  This could be a sign of something malicious running on the system.  Aside from decrypting the file itself or running a script to reverse the hash, there also exists a pre-generated lookup table of Prefetch hashes, which is available from the Hexacorn blog (see References below).
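The "script to reverse the hash" approach works in the other direction: you hash the candidate paths a binary could have run from and compare against the eight characters in the .pf file name.  The example below is added here (it is not from the article or from Hexacorn's calculator) and implements the Windows 8/10/11 variant of the Prefetch path hash as documented publicly by Hexacorn and the libscca project; the \DEVICE\HARDDISKVOLUME2 prefix and the "wrong place" locations are constructed sample values, and on a real system the volume number must match the device path of the volume the binary ran from.

```python
import re

# Prefetch file names look like NAME.EXE-XXXXXXXX.pf (eight hex characters).
PF_NAME_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)


def prefetch_hash(device_path: str) -> str:
    """Windows 8/10/11 Prefetch path hash (the 'SCCA 2008' variant).

    The input is the NT device path of the executable, e.g.
    \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\CMD.EXE; Windows hashes
    the upper-cased UTF-16 path, so the case of the input does not matter.
    """
    path = device_path.upper()
    h = 314159
    i, n = 0, len(path)
    while i + 8 < n:                      # full 8-character blocks
        v = ord(path[i + 1]) * 37
        for k in range(2, 7):             # characters 2..6 of the block
            v = (v + ord(path[i + k])) * 37
        v += ord(path[i]) * 442596621 + ord(path[i + 7])
        h = (v - h * 803794207) & 0xFFFFFFFF
        i += 8
    while i < n:                          # remaining tail characters
        h = (h * 37 + ord(path[i])) & 0xFFFFFFFF
        i += 1
    return f"{h:08X}"


def candidate_paths(exe: str, volume: str = r"\DEVICE\HARDDISKVOLUME2") -> list:
    """Constructed sample locations: the expected System32 path plus a few
    places a look-alike binary might be dropped (assumed values, not from the article)."""
    return [f"{volume}\\WINDOWS\\SYSTEM32\\{exe}",
            f"{volume}\\TEMP\\{exe}",
            f"{volume}\\USERS\\PUBLIC\\{exe}"]


def locate_pf(pf_name: str, candidates: list):
    """Return the candidate device path whose hash matches the .pf name, else None."""
    m = PF_NAME_RE.match(pf_name)
    if not m:
        raise ValueError(f"not a Prefetch file name: {pf_name}")
    exe, wanted = m.group("exe").upper(), m.group("hash").upper()
    for path in candidates:
        if path.upper().endswith("\\" + exe) and prefetch_hash(path) == wanted:
            return path
    return None


if __name__ == "__main__":
    # Constructed .pf name for a cmd.exe that ran from \TEMP rather than System32.
    sample = "CMD.EXE-" + prefetch_hash(r"\DEVICE\HARDDISKVOLUME2\TEMP\CMD.EXE") + ".pf"
    print(sample, "->", locate_pf(sample, candidate_paths("CMD.EXE")))
```

A .pf name that matches none of your candidates is a prompt to widen the candidate list (other volumes, user profile folders) rather than proof of anything by itself.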

Prefetch File Contents

Given that Prefetch files are intended to reduce the amount of time that it takes for applications to load, you probably wouldn’t be surprised to learn that they contain a list of directories and files referenced by a given executable, with their full file paths.

Slightly more useful, though, is metadata on the executable itself – its file size, creation date, modified date, date last accessed, date last run, an eight-character hash, and the number of times the executable has been run.

Below is an example of a Prefetch file that I got off of a fresh Windows 11 virtual machine that I spun up for this:

Created on: 2023-10-22 02:53:06
Modified on: 2023-10-22 02:53:06
Last accessed on: 2023-10-22 02:54:00

Executable name: NOTEPAD.EXE
Hash: 2486F8A8
File size (bytes): 128,820
Version: Windows 10 or Windows 11

Run count: 1
Last run: 2023-10-22 02:53:04

Volume information:

#0: Name: \VOLUME{01d9eb913362ed3f-2c339f40} Serial: 2C339F40 Created: 2023-09-20 07:08:04 Directories: 39 File references: 198

Directories referenced: 39

00: \VOLUME{01d9eb913362ed3f-2c339f40}\PROGRAM FILES
01: \VOLUME{01d9eb913362ed3f-2c339f40}\PROGRAM FILES\WINDOWSAPPS
    *** Output omitted for brevity ***
37: \VOLUME{01d9eb913362ed3f-2c339f40}\WINDOWS\SYSTEM32\EN-US
38: \VOLUME{01d9eb913362ed3f-2c339f40}\WINDOWS\WINSXS\AMD64_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.22621.2215_NONE_270D72677387DFC3

Files referenced: 142

00: \VOLUME{01d9eb913362ed3f-2c339f40}\WINDOWS\SYSTEM32\NTDLL.DLL
01: \VOLUME{01d9eb913362ed3f-2c339f40}\WINDOWS\SYSTEM32\C_1252.NLS
    *** Output omitted for brevity ***
140: \VOLUME{01d9eb913362ed3f-2c339f40}\WINDOWS\SYSTEM32\WINDOWS.UI.CORE.TEXTINPUT.DLL
141: \VOLUME{01d9eb913362ed3f-2c339f40}\WINDOWS\SYSTEM32\TWINAPI.DLL

Tools for Analyzing Prefetch Files

One of the most widely-recommended tools for working with Prefetch files is called Prefetch Explorer Command line (PECmd) by Eric Zimmerman.  PECmd is a command line tool (I bet you never would have guessed that by the name) which is extremely useful for processing .pf extension files.  You can use PECmd to parse single files or entire directories, and you can output the results of this to multiple formats such as JSON, HTML, and CSV for analysis in other tools.

Another tool that I’ve found is WinPrefetchView from NirSoft.  This offers a graphical pointy-clicky interface for those who aren’t yet as comfortable with command line tools.  Just like PECmd, WinPrefetchView can work with either individual files or entire directories, and you can also save your outputs into other formats – in this case XML, CSV, and HTML.

References

What Are Prefetch Files in Windows? Are They Important? | The Tech Advocate
https://www.thetechedvocate.org/what-are-prefetch-files-in-windows-are-they-important/

Prefetch Files in Windows | Geeks for Geeks
https://www.geeksforgeeks.org/prefetch-files-in-windows/

Prefetch Hash Calculator + a hash lookup table | Hexacorn
https://www.hexacorn.com/blog/2012/06/13/prefetch-hash-calculator-a-hash-lookup-table-xpvistaw7w2k3w2k8/

PECmd | Eric Zimmerman
https://github.com/EricZimmerman/PECmd

Eric Zimmerman's Tools | Eric Zimmerman
https://ericzimmerman.github.io/#!index.md

WinPrefetchView | NirSoft
https://www.nirsoft.net/utils/win_prefetch_view.html