±Forensic Focus Partners
±Your Account
Site Members:
 New Today: 1
|
 Overall: 36464
|
 New Yesterday: 7
|
 Visitors: 187
|
±Latest Articles
±Latest Videos
±Latest Jobs
Back to top
Skip to content
Skip to menu
Back to top
Back to main
Skip to menu
This is the second clue: i am using a 256 GB SSD from SanDisk. Prefetch was enabled by default. I do not understand it, either.
best regards,
Robin
I was unable to get access to a Windows 10 (10.0.15063) but I was able to test this on a Windows 10 (OS Build 14393.1715) and I saw the same results as you. I also have a SSD (Samsung) with Windows 10 installed (upgrade from Windows 7) and my Prefetch was enabled by default as well.
Thanks a lot for your work, i will investigate this further.....!
best regards,
Robin
Prefetch Registry Settings changed?!
-
Bunnysniper - Senior Member
Prefetch Registry Settings changed?!
Posted: Sep 08, 17 08:42
Hello,
i have observed a strange behavior from Prefetch and kindly ask someone on another Windows 10 OS (10.0.15063) to confirm that.
In "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" Prefetch is disabled with "EnablePrefetcher REG_DWORD 0x0". I have booted and still have fresh *.pf files in C:\Windows\Prefetch\
The registry setting above seems to be without function, but stopping the Superfetch service (SysMain) really stops the OS from generating *.pf files. Hmmm...this is new, isn`t it?
Conclusion could be that this "anti-forensic" setting is not enough to stop the OS from generating prefetch files.
best regards,
Robin
i have observed a strange behavior from Prefetch and kindly ask someone on another Windows 10 OS (10.0.15063) to confirm that.
In "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" Prefetch is disabled with "EnablePrefetcher REG_DWORD 0x0". I have booted and still have fresh *.pf files in C:\Windows\Prefetch\
The registry setting above seems to be without function, but stopping the Superfetch service (SysMain) really stops the OS from generating *.pf files. Hmmm...this is new, isn`t it?
Conclusion could be that this "anti-forensic" setting is not enough to stop the OS from generating prefetch files.
best regards,
Robin
-
jahearne - Member
Re: Prefetch Registry Settings changed?!
Posted: Sep 08, 17 18:13
One of my best "anti-forensic tool" is using an SSD, which also disables Prefetch by default. I'm curious as well, why your setting didn't take in Windows 10. I don't know the answer.
-
Bunnysniper - Senior Member
Re: Prefetch Registry Settings changed?!
Posted: Sep 08, 17 18:27
- jahearneOne of my best "anti-forensic tool" is using an SSD, which also disables Prefetch by default. I'm curious as well, why your setting didn't take in Windows 10. I don't know the answer.
This is the second clue: i am using a 256 GB SSD from SanDisk. Prefetch was enabled by default. I do not understand it, either.
best regards,
Robin
-
shakes6791 - Newbie
Re: Prefetch Registry Settings changed?!
Posted: Sep 22, 17 17:13
i have observed a strange behavior from Prefetch and kindly ask someone on another Windows 10 OS (10.0.15063) to confirm that
I was unable to get access to a Windows 10 (10.0.15063) but I was able to test this on a Windows 10 (OS Build 14393.1715) and I saw the same results as you. I also have a SSD (Samsung) with Windows 10 installed (upgrade from Windows 7) and my Prefetch was enabled by default as well.
-
Bunnysniper - Senior Member
Re: Prefetch Registry Settings changed?!
Posted: Sep 22, 17 20:15
- shakes6791i have observed a strange behavior from Prefetch and kindly ask someone on another Windows 10 OS (10.0.15063) to confirm that
I was unable to get access to a Windows 10 (10.0.15063) but I was able to test this on a Windows 10 (OS Build 14393.1715) and I saw the same results as you. [...]
Thanks a lot for your work, i will investigate this further.....!
best regards,
Robin