Prefetch Registry Settings changed?!


Bunnysniper
Senior Member
 

Prefetch Registry Settings changed?!

Posted: Sep 08, 17 08:42

Hello,

I have observed a strange behavior from Prefetch and kindly ask someone on another Windows 10 OS (10.0.15063) to confirm that.

In "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" Prefetch is disabled with "EnablePrefetcher REG_DWORD 0x0". I have booted and still have fresh *.pf files in C:\Windows\Prefetch\

The registry setting above seems to be without function, but stopping the Superfetch service (SysMain) really stops the OS from generating *.pf files. Hmmm... this is new, isn't it?

Conclusion could be that this "anti-forensic" setting is not enough to stop the OS from generating prefetch files.

best regards,
Robin  
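
The three observations in the post above (the EnablePrefetcher value, the SysMain service state, and *.pf files written since the last boot) can be collected in one pass. This is an added example, not part of the original post; it assumes an elevated PowerShell session and that the Prefetch folder sits under %SystemRoot%.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'

# Registry setting named in the post; $null means the value is absent.
$enablePrefetcher = (Get-ItemProperty -Path $key -Name EnablePrefetcher -ErrorAction SilentlyContinue).EnablePrefetcher

# State and start mode of the Superfetch service (SysMain).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SysMain'"

# OS build and last boot time; the boot time is the cut-off for "fresh" files.
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$boot = $os.LastBootUpTime

# Prefetch files, and the subset written after that boot (newest first).
$pfDir = Join-Path $env:SystemRoot 'Prefetch'
$pf    = @(Get-ChildItem -Path $pfDir -Filter '*.pf' -File -ErrorAction Stop)
$fresh = @($pf | Where-Object { $_.LastWriteTime -gt $boot } |
           Sort-Object LastWriteTime -Descending)

$result = [pscustomobject]@{
    OSVersion          = $os.Version
    OSBuild            = $os.BuildNumber
    EnablePrefetcher   = if ($null -eq $enablePrefetcher) { 'value not present' }
                         else { '0x{0:X}' -f $enablePrefetcher }
    SysMainState       = $svc.State
    SysMainStartMode   = $svc.StartMode
    LastBoot           = $boot
    PfFilesTotal       = $pf.Count
    PfWrittenSinceBoot = $fresh.Count
}
$result | Format-List

# The combination reported in the thread: prefetcher set to 0x0 in the
# registry, yet .pf files carry write times later than the last boot.
if ($enablePrefetcher -eq 0 -and $fresh.Count -gt 0) {
    Write-Output 'EnablePrefetcher is 0x0, but .pf files were written after the last boot:'
    $fresh | Select-Object -First 10 Name, LastWriteTime | Format-Table -AutoSize
}
```

Running it once with SysMain running and once after stopping the service and rebooting gives the two data points the post compares.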
 
  

jahearne
Member
 

Re: Prefetch Registry Settings changed?!

Posted: Sep 08, 17 18:13

One of my best "anti-forensic tools" is using an SSD, which also disables Prefetch by default. I'm curious as well why your setting didn't take in Windows 10. I don't know the answer.
 
  

Bunnysniper
Senior Member
 

Re: Prefetch Registry Settings changed?!

Posted: Sep 08, 17 18:27

- jahearne
One of my best "anti-forensic tools" is using an SSD, which also disables Prefetch by default. I'm curious as well why your setting didn't take in Windows 10. I don't know the answer.


This is the second clue: I am using a 256 GB SSD from SanDisk. Prefetch was enabled by default. I do not understand it, either.

best regards,
Robin  
 
  

shakes6791
Newbie
 

Re: Prefetch Registry Settings changed?!

Posted: Sep 22, 17 17:13

I have observed a strange behavior from Prefetch and kindly ask someone on another Windows 10 OS (10.0.15063) to confirm that


I was unable to get access to a Windows 10 (10.0.15063), but I was able to test this on a Windows 10 (OS Build 14393.1715) and I saw the same results as you. I also have an SSD (Samsung) with Windows 10 installed (upgrade from Windows 7) and my Prefetch was enabled by default as well.
 
  

Bunnysniper
Senior Member
 

Re: Prefetch Registry Settings changed?!

Posted: Sep 22, 17 20:15

- shakes6791
I have observed a strange behavior from Prefetch and kindly ask someone on another Windows 10 OS (10.0.15063) to confirm that


I was unable to get access to a Windows 10 (10.0.15063), but I was able to test this on a Windows 10 (OS Build 14393.1715) and I saw the same results as you. [...]


Thanks a lot for your work, I will investigate this further...!

best regards,
Robin  
 
