BIPI

Windows Prefetch Forensics: Proving Execution When Logs Are Wiped

Cybersecurity

Prefetch files survive log tampering and give IR teams concrete execution proof: run counts, timestamps, and referenced file paths that rebuild attacker activity from first launch.

By Arjun Raghavan, Security & Systems Lead, BIPI · October 17, 2024 · 9 min read

#dfir #forensics #windows #prefetch #execution-artifacts

When adversaries wipe Security event logs or delete PowerShell history, Windows Prefetch files often survive intact. Stored under C:\Windows\Prefetch\ with the extension .pf, each file records the name of the executed binary, a path hash unique to its launch location, the last eight execution timestamps, and a run count. For a DFIR examiner, that is an independent corroboration source that does not depend on the integrity of the EVTX pipeline.

How Windows Generates Prefetch Files

The Windows Prefetch service (SysMain / SuperFetch) monitors the first ten seconds of process startup and records every file and directory referenced during that window. The output is compressed (on Windows 8+) and named in the format EXECUTABLE.EXE-XXXXXXXX.pf, where the eight hex characters are a hash of the full path from which the binary was launched.

Path Hash: Detecting Multiple Launch Locations

The path hash is a modified FNV-1a hash of the volume device path plus the binary path in uppercase. Because the hash covers the full launch path, the same binary launched from different directories produces distinct .pf files (the hash seeds also differ per Windows version, so the same path does not hash identically across versions). Finding cmd.exe-AAAABBBB.pf alongside cmd.exe-CCCCDDDD.pf means cmd.exe was run from two separate locations, a common indicator when attackers drop renamed shells into temp directories.

  • Windows XP/2003: max 128 prefetch files
  • Windows Vista/7: max 128 prefetch files
  • Windows 8/10/11: max 1024 prefetch files (compressed with Xpress Huffman)
  • Each .pf file stores timestamps for the last 8 executions (Windows 8+), or last 1 (Windows 7 and earlier)

Parsing with PECmd (Eric Zimmerman)

Eric Zimmerman's PECmd.exe is the standard tool for Prefetch analysis. Run it against the entire Prefetch directory and export to CSV for timeline integration. The command below parses all .pf files and writes structured output:

  1. PECmd.exe -d C:\Windows\Prefetch --csv C:\output\ --csvf prefetch.csv
  2. Open prefetch.csv in Timeline Explorer and sort by LastRun descending
  3. Filter on RunCount > 1 to identify repeated executions of dropped tools
  4. Cross-reference ReferencedFiles column for DLLs loaded by attacker binaries

Timestomping and Prefetch Timestamp Integrity

Attackers sometimes modify the $STANDARD_INFORMATION timestamps of the .pf file itself to confuse timeline analysis. The countermeasure is to compare the last-run timestamp embedded inside the .pf binary (parsed by PECmd) against the $FILE_NAME attribute timestamp on the MFT record. $FILE_NAME is written by the kernel and cannot be altered by normal user-mode timestomping tools, so a discrepancy of more than a few seconds is a strong indicator of anti-forensic manipulation.
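The following Python script, added here as an illustration and not part of the article or of PECmd, applies two of the checks above to PECmd output: it groups .pf files by executable to find binaries launched from more than one location (the path-hash indicator described earlier), and it compares the LastRun value PECmd extracts with the $FILE_NAME modified time an MFT parser reports for the same .pf file. The CSV and the $FILE_NAME times are constructed sample data; the column names (SourceFilename, ExecutableName, Hash, RunCount, LastRun) follow PECmd's CSV header, and the five-second tolerance is an assumption.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"
MAX_SKEW_SECONDS = 5  # tolerate "a few seconds" of normal write latency
# Constructed sample in the shape of PECmd's CSV (a subset of its real columns).
PECMD_CSV = r"""SourceFilename,ExecutableName,Hash,RunCount,LastRun
C:\Windows\Prefetch\CMD.EXE-AAAABBBB.pf,CMD.EXE,AAAABBBB,12,2024-10-15 09:12:03
C:\Windows\Prefetch\CMD.EXE-CCCCDDDD.pf,CMD.EXE,CCCCDDDD,1,2024-10-15 09:13:40
C:\Windows\Prefetch\PSEXESVC.EXE-11223344.pf,PSEXESVC.EXE,11223344,3,2024-10-15 09:20:00
C:\Windows\Prefetch\NOTEPAD.EXE-55667788.pf,NOTEPAD.EXE,55667788,7,2024-10-14 17:01:10
"""
# Constructed $FILE_NAME modified times for the same .pf files (from an MFT parser).
FN_MODIFIED = {
    "CMD.EXE-AAAABBBB.pf": "2024-10-15 09:12:04",
    "CMD.EXE-CCCCDDDD.pf": "2024-10-15 09:13:41",
    "PSEXESVC.EXE-11223344.pf": "2024-10-12 08:00:00",  # days apart: anomalous
    "NOTEPAD.EXE-55667788.pf": "2024-10-14 17:01:11",
}

def load_pecmd_rows(csv_text):
    """Parse PECmd-style CSV text into one dict per .pf file."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def multi_location_binaries(rows):
    """Executables with more than one path hash (launched from >1 directory)."""
    hashes = defaultdict(set)
    for row in rows:
        hashes[row["ExecutableName"].upper()].add(row["Hash"].upper())
    return {name: sorted(h) for name, h in hashes.items() if len(h) > 1}

def timestamp_discrepancies(rows, fn_modified, max_skew=MAX_SKEW_SECONDS):
    """.pf files whose embedded LastRun and $FILE_NAME time differ by > max_skew s."""
    flagged = {}
    for row in rows:
        pf_name = row["SourceFilename"].rsplit("\\", 1)[-1]
        if pf_name not in fn_modified:
            continue  # no MFT record to compare against
        last_run = datetime.strptime(row["LastRun"], TS_FMT)
        fn_time = datetime.strptime(fn_modified[pf_name], TS_FMT)
        skew = abs((last_run - fn_time).total_seconds())
        if skew > max_skew:
            flagged[pf_name] = int(skew)
    return flagged

if __name__ == "__main__":
    rows = load_pecmd_rows(PECMD_CSV)
    print(multi_location_binaries(rows), timestamp_discrepancies(rows, FN_MODIFIED))
```

On real data, feed the script PECmd's CSV and a $FILE_NAME column exported from your MFT parser; a flagged entry is a lead to verify against the MFT record, not proof on its own.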


Practical IR Pivot: Connecting Prefetch to Lateral Movement

Look at the referenced files list within each .pf entry. A psexesvc.exe or mstsc.exe Prefetch file referencing network share paths under \Device\HarddiskVolume\ tells you the target of the lateral move. When combined with Amcache SHA1 hashes and Shimcache presence records, you can reconstruct a complete execution chain even after log deletion.

  • psexesvc.exe .pf file confirms PsExec service installation on the target
  • mstsc.exe .pf with MRU registry entries provides RDP destination hostnames
  • wmic.exe .pf corroborates WMI-based remote execution
  • powershell.exe .pf referencing scripts in %TEMP% maps dropper activity
  • 7z.exe or winrar.exe .pf with archive paths identifies data staging

Acquisition Considerations

Prefetch files are not locked during normal operation on Windows 10 and 11, so a live acquisition with tools like RawCopy or KAPE (using the Prefetch target) is straightforward. On Windows 7, the files are occasionally locked; use VSS snapshots or a forensic image to access them. Always hash .pf files at acquisition time. The compressed format on Windows 8+ means you need a tool that understands the decompression routine, which PECmd handles transparently.

A single .pf file can survive log clearing, EVTX deletion, and even partial disk overwrite because it sits in a separate directory with its own MFT record. It is one of the most reliable execution artifacts in the Windows forensic toolkit.
