Prefetch Files in Windows
These are temporary files stored in a system folder named Prefetch. Prefetch is a memory management feature. A log of the frequently run applications on your machine is stored in the Prefetch folder. The log is encrypted in hash format so that no one can easily decrypt the application data. These files can be used to extract timestamps and other resources consumed when the file executes.
Feature And Format Of Prefetch Files
- These files are all stored in the ROOT/Windows/Prefetch folder, and most of them have the .pf extension.
- For example, the prefetch file for PYTHON_3.6.1-AMD64.EXE would appear as PYTHON_3.6.1-AMD64.EXE-6F01AFF6.pf.
- 6F01AFF6 is a hash of the path from which the file was executed. This path is encrypted with different types of hashing functions.
- The Prefetchcount.py script can be used to decompress prefetch files. Decompressed files can easily be converted into an understandable string format.
- Maximum number of prefetch files:
  - Windows XP to Windows 7 = 128
  - Windows 8 to Windows 10 = 1024
- On reaching the limit, files are automatically deleted from the folder.
How To Check Prefetch Files
Step 1: Press Windows+R and search for prefetch.
Step 2: Open C:\Windows\Prefetch. This folder contains all the prefetch files on your local machine.
Information Stored In Prefetch Files
Prefetch files store all the necessary information about the executable application. This helps to decrease the booting time of the application, much like cache memory in your machine.
- Run Count: The total number of times the application has run on your machine.
- Prefetch Hash: Hash value/log value generated by different hash functions, depending on the prefetch version.
- Resources Loaded: Extra files loaded along with the prefetch files.
- Version: The version of the prefetch file, which determines how encryption is done when making prefetch files.
- Timestamp: The last time the file was executed on the system.
- Volume Device Path: The volume or logical drive (a single accessible storage area) where the file was executed.
The main objective behind introducing different versions of the prefetch files is to increase their stability.
Some versions are:
- 17: Windows XP and Windows 2003
- 23: Vista and Windows 7
- 26: Windows 8.1
- 30: Windows 10
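The fields listed above can be read straight from the fixed header of an uncompressed prefetch file. The following is an added example, not code from the original article: the function names are hypothetical, the sample bytes are constructed, and the header layout (version at offset 0, "SCCA" signature at 4, file size at 12, executable name at 16, hash at 76, "MAM" marking a compressed file) is assumed from public descriptions of the format. It also checks the header against the NAME-HASH.pf file name, which flags renamed or damaged files during analysis.

```python
import struct

# Format versions as listed in the article above.
VERSIONS = {17: "Windows XP / 2003", 23: "Vista / Windows 7",
            26: "Windows 8.1", 30: "Windows 10"}
# version, "SCCA" signature, unknown, file size, executable name (UTF-16LE), path hash
HEADER = struct.Struct("<I4sII60sI")
HEADER_LEN = 84  # the 80 bytes above plus 4 trailing bytes not parsed here


def parse_prefetch_header(data, filename=None):
    """Parse the fixed header of an uncompressed prefetch file."""
    if data[:3] == b"MAM":
        raise ValueError("compressed prefetch file, decompress it first")
    if len(data) < HEADER_LEN:
        raise ValueError("too short to hold a prefetch header")
    version, sig, _, size, raw_name, path_hash = HEADER.unpack_from(data)
    if sig != b"SCCA":
        raise ValueError("SCCA signature not found")
    exe = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    info = {
        "version": version,
        "os": VERSIONS.get(version, "unknown"),
        "executable": exe,
        "hash": f"{path_hash:08X}",
        "size_ok": size == len(data),  # False hints at truncation or carving damage
    }
    if filename is not None:
        # File name layout from the article: <EXECUTABLE>-<HASH>.pf
        stem = filename.rsplit(".", 1)[0]
        fn_exe, _, fn_hash = stem.rpartition("-")
        info["name_ok"] = fn_exe.upper()[:29] == exe.upper()  # header keeps 29 chars
        info["hash_ok"] = fn_hash.upper() == info["hash"]
    return info


def build_sample(version=23, exe="PYTHON_3.6.1-AMD64.EXE", path_hash=0x6F01AFF6):
    """Constructed test input: a header only, not a real prefetch file."""
    name = exe.encode("utf-16-le").ljust(60, b"\x00")
    return HEADER.pack(version, b"SCCA", 0, HEADER_LEN, name, path_hash) + b"\x00" * 4


if __name__ == "__main__":
    sample = build_sample()
    print(parse_prefetch_header(sample, "PYTHON_3.6.1-AMD64.EXE-6F01AFF6.pf"))
    # A renamed or copied-over file shows up as a hash mismatch.
    print(parse_prefetch_header(sample, "PYTHON_3.6.1-AMD64.EXE-DEADBEEF.pf"))
```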
Uses Of Prefetch Files
- These files are used to study the behavior of an application, such as whether the application executes automatically or not.
- Prefetch files can be used for forensic analysis of a particular application.
- Viruses can be analyzed with the help of prefetch files.
Pros of Prefetch Files:
- Being a utility feature of Windows, there are very few pros of prefetch files.
- There are many cleanup tools that automatically delete the prefetch files. This makes the system faster, but only once; afterwards the prefetch files are created again to do their work.
- When the capacity limit of prefetch files is reached, it automatically deletes all the information and prefetch files. The capacity depends on the operating system of the machine.
Cons Of Prefetch Files
- They provide encrypted information about the executable application, so that no one can easily access the information.
- They increase the processing power used by the CPU and decrease the disk read and write speed.
- The activity of the prefetcher can be changed easily.
- The EnablePrefetcher value can be set to one of the following:
  - 0 = Disabled
  - 1 = Application launch prefetching enabled
  - 2 = Boot prefetching enabled
  - 3 = Applaunch and Boot enabled (Optimal and Default)