IT-Connect » Courses - How-to » Cybersecurity » Windows Forensics Part 3: Tracking Program Execution with Prefetch

Forensic Windows and Pretech branding with a red magnifying glass over a Windows logo on a blue gradient banner (IT-CONNECT.fr)
Cybersecurity

Windows Forensics Part 3: Tracking Program Execution with Prefetch

Mehdi Dakhama 0 Comments

We continue our Windows forensic analysis by further exploring artifacts related to program execution.

After studying ShimCache and then Amcache, we now turn our attention to Prefetch, a mechanism often used to improve system performance, but which also provides valuable information during investigations.

Unlike the previous artifacts, Prefetch can highlight the actual execution of a program, with more precise time-related and contextual information.

The goal of this article is to understand how it works, examine its contents, and see how it can be used to supplement a forensic analysis, especially when correlated with Amcache and ShimCach.

What is Prefetch?

The Prefetch mechanism was introduced starting with Windows XP to improve system performance. Its purpose is to optimize the loading of files essential to Windows operation, as well as those required to run applications.

Because these files are located in different places on the disk, loading them can slow down system startup and program launches.

Prefetch addresses this constraint by recording information about the files used during execution, so they can load faster on subsequent launches.

This mechanism is still used on modern systems. However, it can be disabled through the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
Registry - PrefetchParameters
  • 0 : Disabled
  • 1 : Use application prefetch only
  • 2 : Use boot prefetch only
  • 3 : Use everything

On Windows Server, this mechanism is generally disabled by default.

As you can see, these files can be a real source of information in forensics, especially for detecting traces of applications executed at system startup, such as rootkits or malicious persistence mechanisms.

Prefetch Structure

Once enabled, Prefetch content is located in the folder: C:\Windows\Prefetch.

This directory contains two types of files:

  • System startup-related files, for example: NTOSBOOT-B00DFAAD.pf
  • Application-related files, whose names begin with the name of the executed program (for example: ACROBAT.EXE-xxxx.pf, 7ZIP.EXE-xxxx.pf)

Note that the number of entries is limited to 1024 Prefetch files.

Windows Prefetch folder

We will now move on to analyzing these files. In some cases, it is also possible to clear Prefetch data present in memory, but that topic will be covered in another article dedicated to memory analysis.

Analyzing the Prefetch File

Rest assured, we will not do without our friend Eric Zimermman. But this time, instead of using a direct advanced parser, we will start with a simple and fast tool for a first overview: WinPrefetchView from the NirSoft suite.

Download WinPrefetchView

Once downloaded and launched with administrative privileges, the tool will automatically load the Prefetch files

First Look

The tool offers a fairly clear view. In the upper section, you can see the executed applications, with information such as:

  • The last execution
  • The number of launches
  • In the lower section, you can see the files called by the application

That is already enough to get a first idea of what is happening on the machine.

In my case, I was able to observe, for example, a Linux system (EmuElec) extracted with 7-Zip, as well as other items such as Kali Linux distributions or more unusual files. This type of information quickly helps guide the analysis.

WinPrefetchView example

  • Limits of this approach

Even though the view is readable, the analysis quickly becomes tedious. The tool provides information, but not necessarily conclusions. We have to do the correlation work ourselves.

The right reflex here would be to analyze the suspicious dates corresponding to alerts and information found in event logs, EDR, and the Amcache file.

Analysis Example

By filtering and searching for sensitive tools (such as PowerShell), we can identify interesting behavior.

In my case, I noticed the loading of a module named PSScriptTest via PowerShell. This type of element can be a lead worth investigating.

In general, it is advisable to set aside system paths and standard Windows binaries at first, and focus on unusual items.

Be careful, however: a system binary is not necessarily legitimate, so its context must always be verified.

WinPrefetchView PowerShell analysis

Correlation with Events

As I continued the analysis, I identified a file loaded via PowerShell that matched the date of a suspicious alert generated by the EDR. Even though the machine was not actually compromised, this alert allowed me to reproduce a scenario and write this article.

WinPrefetchView correlation with events

Additional Checks

I then turned to the registry, especially the usual persistence locations. Nothing suspicious at first glance, but this step remains essential.

Certain processes should also be checked systematically. Here, no abnormal behavior was observed in the Registry Editor.

WinPrefetchView registry analysis

Here, wlrmdr.exe (Windows Logon Reminder) is tied to system activation.

WinPrefetchView registry analysis wlrmdr.exe

The well-known winlogon.exe process, a frequent target for compromise, must be analyzed carefully; traces may appear in the event of lsass memory dumping.

winlogon prefetch analysis

Exporting Data

The tool also allows you to copy entries or export results to HTML. Even though HTML export is limited for analysis purposes (sorting is not very convenient), it does preserve a usable timeline.

WinPrefetchView HTML report

Below is an example of the HTML output:

Example of WinPrefetchView HTML report

Analysis with PECmd

Let us now move on to a more advanced analysis using the PECmd tool, developed by our friend Eric Zimmerman. This tool can read and extract Prefetch file data from the command line, with output in CSV format. This format is especially convenient because it allows you to use Excel filters to refine searches.

Download the PEcmd tool from the link:

 

Download PECmd

After downloading the tool and placing it in a folder, it is possible to analyze a specific Prefetch file using the following command, adjusting the path and file name:

PEcmd.exe –f C:\windows\prefetch\nom_du_fichier.pf –csv C:\temp\ --csvf File1.csv
Run PECmd - Example

This command generates a CSV file containing the main information from the analyzed file. A first read already provides interesting elements, especially regarding application execution

CSV file containing the main information from the analyzed file

To go further, it is possible to analyze all Prefetch files present on the system. At that point, the tool really comes into its own, especially for a global analysis.

PEcmd.exe –f C:\windows\prefetch\ –csv C:\temp\ --csvf File2.csv
Export PECmd.exe

The generated file groups together all information extracted from the Prefetch files. It then becomes possible to apply filters and cross-reference the data to surface relevant elements.

PECmd report opened in Excel

Conclusion

As we have just seen, no element should be overlooked in forensics. Every piece of information can provide a lead and contribute to the overall understanding of an incident.

Prefetch files mainly make it possible to confirm application execution, especially in scenarios involving persistence mechanisms such as code injection or the use of malicious startup programs. They must, however, be correlated with the other artifacts discussed previously in order to obtain a coherent analysis.

It is also important to note that the time information from Prefetch is generally less precise than that provided by Amcache.

We will continue in a future article with other complementary mechanisms, in order to go even deeper into system analysis.

author avatar
Mehdi Dakhama Consultant and trainer
Consultant and expert trainer in Windows Server and Azure Cloud. Cybersecurity researcher.
See Full Bio
social network icon
Share on X Share on Facebook Share on Linkedin Send by e-mail

You May Also Like

Graylog-E-mail-alerts-Log-centralization

Notifications with Graylog – How do I send e-mail alerts?

Florian Burnel 0
Send Windows logs to Graylog with NXLog

Send Windows logs to Graylog with NXLog

Florian Burnel 0
Vaultwarden Open Source Password Manager banner showing logo, 'Password Manager' title, a screenshot of the interface on the left, and a circular blue safe icon on the right.

How to Host Your Password Manager with Vaultwarden Using Docker and Traefik

Florian Burnel 0

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.