Prefetch Files
What are Prefetch Files?
Windows .pf files in C:\Windows\Prefetch that record process startup data and provide strong forensic evidence that an executable ran on a system.
Prefetch is a Windows performance optimisation: the kernel's prefetcher traces which files and directories an application touches during roughly the first ten seconds after it starts and writes the result to C:\Windows\Prefetch as a .pf file named EXECUTABLE-HASH.pf. The hash is derived from the executable's full path (and, for a few host processes such as svchost.exe, from the command line too), so the same binary launched from two locations produces two .pf files, and a familiar name with an unfamiliar hash deserves a second look. A .pf file holds the executable name, the run count, the last run time (the last eight run times on Windows 8 and later), and the list of referenced files and volumes; the run time recorded inside the file is when the process started, while the file's own last-modified time lands about ten seconds later. On Windows 10 and later the file is stored compressed (it begins with an MAM signature rather than the SCCA header) and must be decompressed before parsing. Forensic analysts use prefetch to prove that a program ran and when, to recover the names of binaries that have since been deleted, to build timelines, and to spot binaries running from Temp or AppData locations. Whether prefetching is on is governed by the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters; it is disabled by default on Windows Server and may be off on SSD systems in some configurations, so an empty Prefetch directory is itself an observation, and on a workstation it may mean deliberate clearing. Eric Zimmerman's PECmd is the most widely used parser.
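The layout described above, as an added example (not PECmd's or libscca's code): a small Python parser for an uncompressed .pf file that reads the SCCA header, the per-version run-time and run-count fields, and the referenced-file strings, then checks that the on-disk EXECUTABLE-HASH.pf name agrees with the header and flags referenced files under user-writable directories. It builds its own constructed version-26 (Windows 8.1 style) image so it runs offline; the volume GUID, file names, timestamps, hash value and the list of flagged directories are assumptions, and Windows 10/11 files must be MAM-decompressed first (for example with RtlDecompressBufferEx on Windows, or libscca).

```python
"""Parse and triage uncompressed Windows Prefetch (.pf) files.
Added example, not PECmd or libscca. Offsets follow the documented SCCA layout
for versions 17 (XP), 23 (Vista/7), 26 (Win8.1) and 30 (Win10/11, decompressed)."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 0x54  # version, "SCCA", unknown, size, 60-byte UTF-16 name, hash, flags

# version -> (offset of last-run-time array, number of timestamps, offset of run count)
LAYOUT = {17: (0x78, 1, 0x90), 23: (0x80, 1, 0x98), 26: (0x80, 8, 0xD0)}

# Assumed triage list: directories a system binary rarely loads modules from.
USER_WRITABLE = ("\\TEMP\\", "\\APPDATA\\", "\\DOWNLOADS\\", "\\USERS\\PUBLIC\\", "\\PROGRAMDATA\\")


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, None if zero."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    """Return executable name, hash, run count, run times and referenced files."""
    if data[:4] == b"MAM\x04":
        # Windows 10+ stores .pf files LZXPRESS-Huffman compressed behind an MAM header.
        raise ValueError("MAM-compressed prefetch: decompress before parsing")
    version, signature, _, _file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA" or version not in (17, 23, 26, 30):
        raise ValueError(f"unsupported prefetch (version={version}, sig={signature!r})")
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]

    # File-information block follows the header; first six DWORDs are array offsets/counts.
    metrics_off, _, _, _, names_off, names_size = struct.unpack_from("<6I", data, HEADER_SIZE)
    if version == 30:
        # Win10 has a 216-byte and a 224-byte file-information block; the run count moves.
        info_size = metrics_off - HEADER_SIZE
        times_off, n_times, count_off = 0x80, 8, (0xC8 if info_size == 216 else 0xD0)
    else:
        times_off, n_times, count_off = LAYOUT[version]
    raw_times = struct.unpack_from(f"<{n_times}Q", data, times_off)
    run_count = struct.unpack_from("<I", data, count_off)[0]

    strings = data[names_off:names_off + names_size].decode("utf-16-le")
    return {
        "version": version,
        "executable": exe_name,
        "hash": f"{pf_hash:08X}",
        "run_count": run_count,
        "last_runs": [filetime_to_datetime(t) for t in raw_times if t],  # newest first
        "files": [s for s in strings.split("\x00") if s],
    }


def name_matches_header(pf_filename, parsed):
    """On-disk name is EXECUTABLE-HASH.pf; a mismatch means the file was renamed or planted."""
    stem = pf_filename.upper().rsplit(".PF", 1)[0]
    exe, _, digest = stem.rpartition("-")
    return exe == parsed["executable"].upper() and digest == parsed["hash"]


def triage(parsed):
    """Referenced files that live under user-writable directories."""
    return [f for f in parsed["files"] if any(d in f.upper() for d in USER_WRITABLE)]


def build_sample_v26():
    """Constructed version-26 image for the demo (not a real capture)."""
    files = [
        "\\VOLUME{01d9c2a1a3b4c5d6-1234abcd}\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
        "\\VOLUME{01d9c2a1a3b4c5d6-1234abcd}\\USERS\\BOB\\APPDATA\\LOCAL\\TEMP\\RYUK.EXE",
    ]
    names_blob = "".join(f + "\x00" for f in files).encode("utf-16-le")
    info = bytearray(224)  # v26 file-information block
    names_off = HEADER_SIZE + len(info)
    # Metrics and trace-chain arrays are empty here, so every array offset is names_off.
    struct.pack_into("<9I", info, 0, names_off, 0, names_off, 0,
                     names_off, len(names_blob), names_off + len(names_blob), 0, 0)
    runs = [datetime(2023, 10, 5, 12, 0, tzinfo=timezone.utc),
            datetime(2023, 10, 4, 8, 30, tzinfo=timezone.utc)]
    ticks = [int((r - EPOCH_1601).total_seconds()) * 10_000_000 for r in runs]
    struct.pack_into("<2Q", info, 44, *ticks)  # last run times, newest first
    struct.pack_into("<I", info, 124, 3)       # run count
    header = struct.pack("<I4sII", 26, b"SCCA", 0x11, names_off + len(names_blob))
    header += "RYUK.EXE".encode("utf-16-le").ljust(60, b"\x00")
    header += struct.pack("<II", 0x1A2B3C4D, 0)  # assumed hash, flags
    return bytes(header) + bytes(info) + names_blob


if __name__ == "__main__":
    result = parse_prefetch(build_sample_v26())
    print(result["executable"], result["hash"], "run count:", result["run_count"])
    for t in result["last_runs"]:
        print("  ran at", t.isoformat())
    print("name/header consistent:", name_matches_header("RYUK.EXE-1A2B3C4D.pf", result))
    print("user-writable references:", triage(result))
```

The version-30 branch tells the two Windows 10 layouts apart by the distance from the header to the file-metrics array, which is what moves the run count between 0xC8 and 0xD0. Flagging directories is a triage heuristic only: corroborate a hit with Amcache, Shimcache or the $UsnJrnl before treating the referenced binary as malicious.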
● Examples
- 01
Confirming that a since-deleted ransomware EXE executed by parsing C:\Windows\Prefetch\RYUK.EXE-XXXXXXXX.pf.
- 02
Detecting LOLBin abuse when the .pf for wmic.exe or rundll32.exe shows an unusually high run count, or references files in non-system, user-writable paths such as Temp or AppData.
● Frequently asked questions
What are Prefetch Files?
Windows .pf files in C:\Windows\Prefetch that record process startup data and provide strong forensic evidence that an executable ran on a system. It belongs to the Forensics & IR category of cybersecurity.
What does the term Prefetch Files mean?
Windows .pf files in C:\Windows\Prefetch that record process startup data and provide strong forensic evidence that an executable ran on a system.
How do Prefetch Files work?
The Windows prefetcher traces the files an application touches during roughly its first ten seconds and writes a .pf file named EXECUTABLE-HASH.pf to C:\Windows\Prefetch, with the hash derived from the executable's full path. The file records the executable name, run count, last run time (last eight on Windows 8 and later), and the referenced files and volumes, which is what lets analysts prove execution, recover names of deleted binaries, build timelines, and spot binaries run from Temp or AppData. Prefetch is off by default on Windows Server and may be off on some SSD systems, so its absence is itself an observation. See the full definition above for the registry control and parsing caveats.
How do you defend Prefetch Files as evidence?
Prefetch is an artifact rather than an attack, so the defensive concern is anti-forensics: an intruder can delete the .pf files or set EnablePrefetcher to 0 so that no new ones are written. Treat deletions in C:\Windows\Prefetch and changes to that registry value as alertable events (Sysmon file-delete and registry telemetry, or EDR), collect the directory early in triage, and corroborate with Amcache, Shimcache, and the $UsnJrnl, which still records the creation and deletion of the .pf files themselves.
What are other names for Prefetch Files?
Common alternative names include: .pf files, Windows Prefetch.
● Related terms
- Amcache.hve
A Windows registry hive that records metadata, including a SHA-1 hash, for executables that have been present on or run on a system; strong evidence on modern Windows that a file existed and what its hash was, with execution needing corroboration.
- Shimcache (AppCompatCache)
A Windows registry value that tracks executable metadata for application-compatibility checks; historically used as execution evidence, with important interpretation caveats.
- MFT (Master File Table)
The core NTFS metadata structure that stores one 1024-byte record per file or directory on a volume, anchoring nearly all Windows file-system forensics.
- $UsnJrnl ($J)
The NTFS Update Sequence Number change journal that records changes to files and directories (creation, rename, data overwrite, deletion), giving forensic investigators a high-resolution timeline of file activity.
- Jump Lists
Per-application history files keyed by Windows AppID that record the recent files and tasks a user opened, providing strong evidence of file access tied to a specific program.
● See also
- Shellbags
- pagefile.sys
- hiberfil.sys