I have been reading up on prefetch files. I see that when you put a PF in a tool like BinText it lists out a bunch of files including their path. From what I have read it sounds like this is a list of directories and files that are/have been loaded. Just for clarification, does that mean that when that file (say notepad.exe) was run and a prefetch file was created, a complete list of all open files (and paths) was written to the notepad.pf file?
Thanks,
http//
and
https://
Any good to you?
No, it does not. The files listed are not open files…most are modules accessed by the executable file. Remember, the purpose of the Prefetch file is to put code into one location and optimize loading of frequently accessed files.
From what I have read it sounds like this is a list of directories and files that are/have been loaded. Just for clarification does that mean that when that file (say notepad.exe) was run and a prefetch file was created a complete list of all open files (and paths) were written to the notepad.pf file?
To start with, you need to read the right things, and I don't know what you have read. But try Russinovich and Solomon's Microsoft Windows Internals, 4th edition (or later). Chapter 7 has a section called 'Logical Prefetcher', where you get a lot of details on how the prefetcher works, and how memory management provides it with information. (No, it's not worth buying just for those two or three pages. And you do need some background in Windows programming to understand all the details.)
The prefetcher does not list *all* files. There seems to be some kind of limit to how many entries can be stored inside a .pf file.
The prefetcher does not list *open* files. It lists files that are opened (or more exactly that cause a page fault, typically because they are executed, loaded, or opened) during the first N seconds of application startup. N takes values from 10 to 120 depending on various factors.
That means you may see files that are not at all related to the executable, but just happened to be opened, loaded or executed at the same time.
My personal prefetch files are full of entries related to Kaspersky Antivirus – which checks my binaries before they are allowed to run. Some time ago, when I listened more to web radio than I do now, I found my prefetch files contained oddly many MP3 files, also for executables that don't do music.
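The points above (a fixed-size header with run count and last-run time, and a separate section of file name strings that records whatever was touched during the startup window, modules and data files alike) can be checked directly against a .pf file. The following is an added example, not code from the original thread or from any tool mentioned in it. It parses the Windows XP (version 0x11) and Vista/7 (version 0x17) layouts only, using the field offsets as assumed here; the sample file it builds is constructed for the demonstration, and the module/data split is a simple extension-based heuristic for triage, not anything the prefetcher itself records.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
VERSION_NAMES = {0x11: "Windows XP/2003", 0x17: "Windows Vista/7"}
# Offsets inside the "file information" block that follows the 84-byte header.
# (assumed layout; XP: 68-byte block, Vista/7: 156-byte block)
LAYOUT = {0x11: {"last_run": 36, "run_count": 60},
          0x17: {"last_run": 44, "run_count": 68}}
# Heuristic only: extensions a forensic analyst would treat as code modules.
MODULE_EXTS = {"DLL", "EXE", "SYS", "NLS", "MUI", "DRV", "OCX"}


def filetime_to_datetime(ft):
    # FILETIME counts 100-ns intervals since 1601-01-01 UTC.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def parse_prefetch(data):
    """Return executable name, run count, last run time and the file name strings."""
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    if version not in LAYOUT:
        raise ValueError("unsupported prefetch version 0x%x" % version)
    # Executable name: 60 bytes of UTF-16LE at offset 16, NUL padded.
    executable = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    fi = 84  # start of the file information block
    (_a_off, _a_cnt, _b_off, _b_cnt,
     names_off, names_len, _d_off, _d_cnt, _d_len) = struct.unpack_from("<9I", data, fi)
    last_run = struct.unpack_from("<Q", data, fi + LAYOUT[version]["last_run"])[0]
    run_count = struct.unpack_from("<I", data, fi + LAYOUT[version]["run_count"])[0]
    # The strings section is a run of NUL-terminated UTF-16LE paths.
    raw = data[names_off:names_off + names_len].decode("utf-16-le")
    filenames = [s for s in raw.split("\x00") if s]
    return {"version": version, "version_name": VERSION_NAMES[version],
            "executable": executable, "run_count": run_count,
            "last_run": filetime_to_datetime(last_run), "filenames": filenames}


def classify(path):
    """'module' for code loaded by the loader, 'data' for anything else touched at startup."""
    leaf = path.rsplit("\\", 1)[-1]
    ext = leaf.rsplit(".", 1)[1].upper() if "." in leaf else ""
    return "module" if ext in MODULE_EXTS else "data"


def build_sample_prefetch():
    """Construct a minimal XP-format .pf in memory (sample values, not a real capture)."""
    names = [
        "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
        "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\NOTEPAD.EXE",
        "\\DEVICE\\HARDDISKVOLUME1\\DOCUMENTS AND SETTINGS\\OWNER\\MY DOCUMENTS\\NOTES.TXT",
    ]
    strings_blob = "".join(n + "\x00" for n in names).encode("utf-16-le")
    header_len = 84 + 68
    file_size = header_len + len(strings_blob)
    hdr = bytearray(header_len)
    struct.pack_into("<I4sII", hdr, 0, 0x11, b"SCCA", 0x0F, file_size)
    hdr[16:76] = "NOTEPAD.EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", hdr, 76, 0x12345678)  # placeholder prefetch hash
    fi = 84
    # Only the strings section is populated; the other sections are empty.
    struct.pack_into("<9I", hdr, fi, file_size, 0, file_size, 0,
                     header_len, len(strings_blob), file_size, 0, 0)
    last_run = datetime(2009, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    struct.pack_into("<Q", hdr, fi + 36, datetime_to_filetime(last_run))
    struct.pack_into("<I", hdr, fi + 60, 7)  # constructed run count
    return bytes(hdr) + strings_blob


if __name__ == "__main__":
    pf = parse_prefetch(build_sample_prefetch())
    print(pf["executable"], pf["version_name"], "runs:", pf["run_count"],
          "last:", pf["last_run"].isoformat())
    for path in pf["filenames"]:
        print(" ", classify(path).ljust(6), path)
```

To run it against a real file, replace `build_sample_prefetch()` with `open(path, "rb").read()`; anything in the `data` column is a candidate for the "opened during the startup window" interpretation discussed in this thread rather than proof that the executable itself read it.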
Thanks athulin, there seems to be a lot of conflicting information about prefetch. If I'm reading what you say rightly, the pf files' use in proving things in forensics is pretty limited? (i.e. that the list of files is just those accessed by the system during the N seconds, rather than those accessed by the particular program in question)
Rich
Can you share the source of your information?
The strings in the Prefetch files do include accesses to modules accessed by the executable, as Harlan noted. In some cases, they also reveal files opened by the application. For example, you may see this often with MediaPlayer, WMPLAYER.EXE. If you find a string like \DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\LIMEWIRE\SAVED\FILE.MPG, it indicates that the video was opened (played). Whether a file like this gets recorded in the Prefetch depends on how the file was opened. Some testing can reveal the circumstances.
Athulin,
Thanks for your post. You have a lot of good information here. I am still struggling to understand what you are saying. I am not a programmer, but I kind of understand about page faults. I am looking at application prefetching, and I understand about the 10 seconds that are monitored by the cache manager, but as mentioned I am still struggling to see what *OPEN* files are loaded, basically from your comments below. Any help on clarifying this would be appreciated.
This is the common language that I see regarding lists of directories. This one statement must be reused over and over. When they say "loaded", do they mean page faults?
Athulin's comments.
**********
"Prefetch files maintain a list of directories and files whose pages are to be loaded."
"The prefetcher does not list *open* files. It lists files that are opened (or more exactly that cause a page fault, typically because they are executed, loaded, or opened) during the first N seconds of application startup. N takes values from 10 to 120 depending on various factors.
That means you may see files that are not at all related to the executable, but just happened to be opened, loaded or executed at the same time."