Introduction
The Prefetch, also called the Prefetcher, helps improve an application's startup speed. It is a background monitoring process that watches roughly the first 10 seconds of an application executing on a Windows system and records which files and directories were loaded. The goal is to speed up subsequent launches: the Prefetch caches the required files and resources into memory ahead of time, decreasing the need for disk access.
When a program is re-executed, the Prefetch file associated with it, located at C:\Windows\Prefetch\<binaryName>-<hash>.pf, is referenced to help improve the application's performance and is then updated with information about the current execution. Because the file is rewritten in place, older Prefetch data can sometimes be carved from unallocated space.
The Prefetch monitors applications launched from the GUI and from the command line alike. The monitored file types include .exe and .com.
Forensic Value
The Prefetch is disabled by default on Windows Server editions. Whether it is active on a given host is controlled by the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters (0 = disabled, 1 = application launch prefetching, 2 = boot prefetching, 3 = both), which is worth checking before concluding that an empty Prefetch folder means nothing ran. On servers, the ShimCache can be used to gather similar evidence of program execution.
The maximum number of Prefetch files is 128 on Windows XP, Vista, and 7. Windows 8 raised this to 1,024. When the limit is reached, the oldest files in the Prefetch folder are removed first.
The 'Date created' timestamp of a .pf file is set roughly 10 seconds after the program was first run, because the Prefetcher watches the first 10 seconds of execution before writing the file; subtract 2-10 seconds from it to estimate the first execution. Likewise, 'Date modified' minus 2-10 seconds is approximately when the program was last run. The delay is shorter for small executables that finish starting quickly. The last-run timestamps stored inside the file itself record the process start time and need no such adjustment.

A Prefetch parser such as PECmd by Eric Zimmerman can be used to see the contents of a Prefetch file. It parses the fields described in the 'Data' section below.
The Prefetch is not tied to a specific user; the 'UserAssist' artifact is better suited for attributing execution to a particular user.
Data
The Prefetch can show the following:
- Modified time of the .pf file (when the program was last run, plus 2-10 seconds)
- Creation time of the .pf file (when the program was first run, plus 2-10 seconds)
- Run count (how many times the program has run)
- The last 8 times the program ran (Windows 8 and later; Windows 7 and earlier store only the last run)
- Volume serial number and creation time of the volume the executable ran from
- Directories and files referenced during startup (helps identify malware and the modules it loaded)
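To make the fields above concrete, here is a small parser for uncompressed Prefetch files (format versions 17, 23 and 26: XP, Vista/7 and Windows 8/8.1). This is an added example written for this page; it is not PECmd or Microsoft code. The field offsets follow the publicly documented SCCA layout; the sample .pf bytes are constructed inline (the executable name, hash value, paths, timestamps and run count are all made up) so the parser can run offline. Windows 10 files start with the bytes MAM\x04 and are LZXPRESS-Huffman compressed, so the parser rejects them rather than guess at their layout.

```python
"""Minimal parser for uncompressed Windows Prefetch (.pf) files, versions 17/23/26.

Added example for this page (not PECmd or Microsoft code). Field offsets follow the
publicly documented SCCA layout; the sample file built below is constructed, not captured.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME = 100 ns ticks since here


def filetime_to_datetime(ft):
    """A zero FILETIME marks an unused run-time slot (Windows 8+ keeps up to eight)."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


# Run-time and run-count offsets in the file-information block, by format version:
# 17 = XP/2003, 23 = Vista/7 (one last-run slot), 26 = Windows 8/8.1 (eight slots).
# Windows 10 files (version 30) are compressed and moved the run count again, so they are rejected.
LAYOUTS = {
    17: dict(run_times=120, slots=1, run_count=144, volume_entry=40),
    23: dict(run_times=128, slots=1, run_count=152, volume_entry=104),
    26: dict(run_times=128, slots=8, run_count=208, volume_entry=104),
}


def parse_prefetch(data):
    if data[:4] == b"MAM\x04":
        raise ValueError("compressed Windows 10+ Prefetch file: decompress it first (PECmd does)")
    version, signature, _flags, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature: not a Prefetch file")
    if version not in LAYOUTS:
        raise ValueError(f"unsupported Prefetch format version {version}")
    layout = LAYOUTS[version]

    # 60-byte UTF-16LE executable name at offset 16 (NUL terminated), then the 32-bit path hash
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 76)[0]

    # File information starts at offset 84; its first nine DWORDs are identical in every version
    (_metrics_off, _metrics_cnt, _chains_off, _chains_cnt, names_off, names_size,
     vol_off, vol_cnt, _vol_size) = struct.unpack_from("<9I", data, 84)
    raw_times = struct.unpack_from(f"<{layout['slots']}Q", data, layout["run_times"])
    run_count = struct.unpack_from("<I", data, layout["run_count"])[0]

    # Filename strings: back-to-back NUL-terminated UTF-16LE device paths of files touched at start-up
    names_blob = data[names_off:names_off + names_size].decode("utf-16-le")
    files = [s for s in names_blob.split("\x00") if s]

    # Volume entries: device path offset/length (relative to the volumes section), creation time, serial
    volumes = []
    for i in range(vol_cnt):
        entry = vol_off + i * layout["volume_entry"]
        path_off, path_len, created, serial = struct.unpack_from("<IIQI", data, entry)
        start = vol_off + path_off
        volumes.append({
            "device_path": data[start:start + 2 * path_len].decode("utf-16-le"),
            "serial": f"{serial:08X}",
            "created": filetime_to_datetime(created),
        })

    return {
        "version": version,
        "exe_name": exe_name,
        "hash": f"{pf_hash:08X}",
        # A renamed or planted .pf shows up as a mismatch between this and the on-disk file name
        "expected_filename": f"{exe_name}-{pf_hash:08X}.pf",
        "run_count": run_count,
        # Embedded run times are process-start times; unlike the .pf's NTFS timestamps they need no correction
        "run_times": [t for t in map(filetime_to_datetime, raw_times) if t],
        "files": files,
        "volumes": volumes,
        "size_ok": file_size == len(data),
    }


def build_sample_pf():
    """Constructed version-23 (Windows 7) file: header, file information, two filename strings, one volume."""
    last_run = datetime(2019, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    vol_created = datetime(2018, 11, 20, 8, 30, 0, tzinfo=timezone.utc)
    exe, pf_hash = "CALC.EXE", 0x5EA7B2F1  # hypothetical hash value, not a real one
    names = ["\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\CALC.EXE",
             "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NTDLL.DLL"]
    names_blob = "".join(n + "\x00" for n in names).encode("utf-16-le")
    dev_path = "\\DEVICE\\HARDDISKVOLUME2"
    vol_entry = struct.pack("<IIQI", 104, len(dev_path), datetime_to_filetime(vol_created), 0x1A2B3C4D)
    vol_blob = vol_entry.ljust(104, b"\x00") + (dev_path + "\x00").encode("utf-16-le")

    names_off = 240  # the version-23 file-information block ends at 0xF0
    vol_off = names_off + len(names_blob)
    total = vol_off + len(vol_blob)
    header = struct.pack("<I4sII", 23, b"SCCA", 0x0F, total)
    header += exe.encode("utf-16-le").ljust(60, b"\x00") + struct.pack("<II", pf_hash, 0)
    info = struct.pack("<9I", names_off, 0, names_off, 0, names_off, len(names_blob), vol_off, 1, len(vol_blob))
    info += b"\x00" * 8 + struct.pack("<Q", datetime_to_filetime(last_run)) + b"\x00" * 16
    info += struct.pack("<I", 7) + b"\x00" * 4  # run count 7, trailing unknown DWORD
    return (header + info).ljust(names_off, b"\x00") + names_blob + vol_blob


if __name__ == "__main__":
    for key, value in parse_prefetch(build_sample_pf()).items():
        print(f"{key}: {value}")
```

To use it on a real file, read the .pf with `open(path, "rb").read()` and pass the bytes to `parse_prefetch`; compare `expected_filename` with the on-disk name and `size_ok` with the actual length, since either mismatch suggests the file was renamed, truncated or planted rather than written by the Prefetcher.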
Location
All Prefetch files are located in C:\Windows\Prefetch\<binaryName>-<hash>.pf, where the executable name is uppercased and the hash is an eight-character hexadecimal value derived from the executable's full path. Because the full path is hashed, the same binary run from two different directories produces two different Prefetch files.
Command-line parameters usually do not affect the hash of the .pf file. Exceptions include dllhost.exe, mmc.exe, and rundll32.exe, whose command line is folded into the hash so that each distinct invocation gets its own Prefetch file.
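A quick triage that follows from the naming rule above: group the .pf file names by executable and flag any ordinary binary that appears under more than one hash, since that means it was run from more than one full path (a common sign of a masquerading copy in a user-writable directory), while multiple hashes for the command-line-hashed hosts are expected. This is an added example, not part of the original page; the listing is constructed to stand in for a directory listing of C:\Windows\Prefetch, and every hash value in it is made up.

```python
"""Triage a Prefetch directory listing by executable name and hash.

Added example for this page; the sample listing and its hash values are constructed.
"""
import re
from collections import defaultdict

PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

# Hosts whose hash also covers the command line, so several .pf files per binary are normal
COMMANDLINE_HASHED = {"DLLHOST.EXE", "MMC.EXE", "RUNDLL32.EXE"}


def triage_prefetch_names(filenames):
    """Group .pf names by executable and report binaries seen under more than one hash.

    For ordinary executables a second hash means a second full path; for the
    command-line-hashed hosts it is expected. Names the Prefetcher would not
    produce are returned separately so they can be looked at by hand.
    """
    by_exe = defaultdict(set)
    malformed = []
    for name in filenames:
        match = PF_NAME.match(name)
        if not match:
            malformed.append(name)  # not <NAME>-<HASH>.pf: renamed, planted, or simply not a .pf
            continue
        by_exe[match["exe"].upper()].add(match["hash"].upper())
    multi = {exe: sorted(hashes) for exe, hashes in by_exe.items() if len(hashes) > 1}
    return {
        "suspicious": {exe: h for exe, h in multi.items() if exe not in COMMANDLINE_HASHED},
        "expected_multi": {exe: h for exe, h in multi.items() if exe in COMMANDLINE_HASHED},
        "malformed": malformed,
    }


# Constructed listing standing in for a directory listing of C:\Windows\Prefetch (hashes are made up)
SAMPLE_LISTING = [
    "NOTEPAD.EXE-7C3E1A90.pf",
    "RUNDLL32.EXE-411A328D.pf",
    "RUNDLL32.EXE-2F8C0E10.pf",
    "POWERSHELL.EXE-59FC8F3D.pf",
    "POWERSHELL.EXE-A1B2C3D4.pf",
    "CMD.EXE-4A81B364.pf",
    "Layout.ini",
]

if __name__ == "__main__":
    for key, value in triage_prefetch_names(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

On a live system the list comes from `os.listdir(r"C:\Windows\Prefetch")`; each suspicious entry should then be opened with a parser to recover the two full paths from the embedded filename strings, and the file-name limit from the Forensic Value section (128 or 1,024) should be kept in mind when an expected entry is absent.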
Demo
In-progress