Wonder if anyone can help. Am looking at an image of a clone of an HDD from a Dell Laptop running Win7 Enterprise SP1, running in a domain in a corporate environment
Shut down dates and last log off for the user in question (using RegRipper) are dated Sep 22 2015
Timestamps on JumpLists, LNKs, MRU's, UserAssist, USB history (using RegRipper/utilities and TZWorks) - everything supports user operation up to Sep 22 2015.
But all the entries (45 of them, which is a low number in my experience in our environment) in C\Windows\Prefetch are dated on or before Oct 28 2014
I can't imagine how this could have happened. I've checked in VSCs (there are two on the system dated Sep 22 2015) and there is no difference.
Can anyone point me in the right direction please?
Thanks
Does this help
https://
Yes thanks Paul I was aware of that, it's set at (3) in the current system and both VSCs
Am trying to get hold of our standard build to see what that looks like, then start changing values to see what happens to the Prefetch folder. Not sure that it's terribly relevant but would like to know anyway.
Cheers
I have been lead to believe that Windows 7 and Windows 8 will automatically disable SuperFetch and Prefetch, once it detects an SSD.
So maybe there was a hard drive upgrade back in 2014 ?
I have been lead to believe that Windows 7 and Windows 8 will automatically disable SuperFetch and Prefetch, once it detects an SSD.
So maybe there was a hard drive upgrade back in 2014 ?
Yes thought of that. We changed support vendors around that time and records from the old vendor are hard to come by, I have asked my colleague (different continent) who cloned the drive what type it was but am awaiting a response. I would like to think that they made and kept records of all 'evidence' - but I suspect they won't have.
I could disable Prefetch in Registry on a test system to see what happens after disabling, but without knowing exactly how SSD disables Prefetch that wouldn't prove anything I don't think?
Cheers anyway
Update, the image I'm looking at is of a standard SATA drive
Update, the image I'm looking at is of a standard SATA drive
It could be disabled by a group policy, which is quite common to use in an large Enterprise environment. Check if that is the case.