Windows Prefetch Files in Incident Response

28 January 2023 | justruss.tech

Windows Prefetch files provide execution evidence even after attacker cleanup. They are created by the Windows Prefetcher (SysMain service) to speed up application launches, but their forensic value is that they record execution time, run count,
and the files accessed during startup — all timestamped and persistent.

Location, naming, and storage format

Prefetch files live at C:\Windows\Prefetch\. Naming convention:

EXECUTABLE_NAME-HASH.pf
# Examples:
MIMIKATZ.EXE-3A27C2B8.pf
PROCDUMP.EXE-1B2C3D4E.pf
CMD.EXE-89305D4C.pf
CMD.EXE-AC113AA0.pf  # different hash = run from different path

The 8-character hash is computed from the full path of the executable. The same binary run from two different directories produces two different prefetch files. This means even if an attacker copies their tools to a new location, a new prefetch
entry is created with the new path encoded in the hash.

Maximum prefetch files: 128 (Windows XP/Vista/7), 1024 (Windows 8+). On heavily used systems, older entries are overwritten. On investigation targets that were not rebooted repeatedly, entries can go back weeks.

Data stored per prefetch file

  • Executable name and path
  • Run count (total executions)
  • Last 8 run timestamps (Windows 8+; Windows 7 stores only the most recent)
  • Volume information (drive serial number, volume path)
  • Referenced files and directories (loaded during first 10 seconds of execution)

Parsing with PECmd

# Process single prefetch file
PECmd.exe -f "C:\Windows\Prefetch\MIMIKATZ.EXE-3A27C2B8.pf" --csv C:\Output\

# Process entire Prefetch directory
PECmd.exe -d "C:\Windows\Prefetch" --csv C:\Output\ --csvf prefetch_results.csv

# Parse from forensic image (files extracted to working directory)
PECmd.exe -d /tmp/prefetch_extracted/ --csv /tmp/output/

Sample output columns:

SourceFilename,SourceCreated,LastRun,RunCount,PreviousRun1,PreviousRun2,...
MIMIKATZ.EXE-3A27C2B8.pf,2023-09-18 23:24:01,2023-09-18 23:28:44,3,2023-09-18 23:26:12,2023-09-18 23:24:01
PROCDUMP.EXE-1B2C3D4E.pf,2023-09-18 23:31:05,2023-09-18 23:31:05,1,,

Referenced files analysis

The referenced files list shows what the executable read during its first 10 seconds. For credential dumping tools this is extremely revealing:

# MIMIKATZ.EXE referenced files (partial):
\WINDOWS\SYSTEM32\LSASS.EXE
\WINDOWS\SYSTEM32\DBGHELP.DLL
\WINDOWS\SYSTEM32\NTDLL.DLL
\WINDOWS\SYSTEM32\LOGONSESSION.DLL
\USERS\VICTIM\DESKTOP\LSASS.DMP  <-- output file location

The presence of LSASS.EXE in the referenced files list confirms the tool accessed LSASS. The LSASS.DMP reference reveals the output path — useful for knowing where to look for data that may have been exfiltrated.

Timeline integration

python3 << 'EOF'
import csv
import datetime

# Build an execution timeline from PECmd CSV output: every prefetch entry
# contributes its LastRun plus each populated PreviousRun* column, so one
# binary with eight stored timestamps yields eight timeline rows.

def parse_ts(value):
    """Parse a PECmd timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.datetime.strptime(value, fmt)
        except ValueError:
            continue
    return None

entries = []
with open("prefetch_results.csv", newline="") as f:
    for row in csv.DictReader(f):
        name = row["ExecutableName"]
        # Match PreviousRun columns by prefix so the numbering PECmd uses does not matter
        ts_fields = ["LastRun"] + sorted(k for k in row if k.startswith("PreviousRun"))
        for ts_field in ts_fields:
            ts = parse_ts((row.get(ts_field) or "").strip())
            if ts is not None:
                entries.append((ts, name, row["RunCount"]))

entries.sort()
incident_start = datetime.datetime(2023, 9, 18, 22, 0, 0)
incident_end   = datetime.datetime(2023, 9, 19, 2, 0, 0)

for ts, name, count in entries:
    if incident_start <= ts <= incident_end:
        # Flag executables whose names match known offensive tooling
        suspicious = any(s in name.upper() for s in [
            "MIMIKATZ", "PROCDUMP", "METERPRETER", "COBALTSTRIKE",
            "RUBEUS", "SHARPHOUND", "BLOODHOUND"
        ])
        marker = " *** SUSPICIOUS ***" if suspicious else ""
        print(f"{ts} | {name} | runs={count}{marker}")
EOF

Prefetch on Windows Server

Prefetching is disabled by default on Windows Server editions. The registry key:

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
Value: EnablePrefetcher
  0 = Disabled
  1 = Application prefetching only
  2 = Boot prefetching only
  3 = Both (default on workstations)

On server compromises where Prefetch is disabled, the fallback artefacts are Amcache (which is present on Server editions), the Windows event log (4688 with command line logging), and Sysmon if deployed.