Hello,
I have observed a strange behavior from Prefetch and kindly ask someone on another Windows 10 OS (10.0.15063) to confirm that.
In "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" Prefetch is disabled with "EnablePrefetcher REG_DWORD 0x0". I have booted and still have fresh *.pf files in C:\Windows\Prefetch\
The registry setting above seems to be without function, but stopping the Superfetch service (SysMain) really stops the OS from generating *.pf files. Hmmm…this is new, isn't it?
Conclusion could be that this "anti-forensic" setting is not enough to stop the OS from generating prefetch files.
best regards,
Robin
One of my best "anti-forensic tools" is using an SSD, which also disables Prefetch by default. I'm curious as well, why your setting didn't take in Windows 10. I don't know the answer.
This is the second clue: I am using a 256 GB SSD from SanDisk. Prefetch was enabled by default. I do not understand it, either.
best regards,
Robin
I was unable to get access to a Windows 10 (10.0.15063) but I was able to test this on a Windows 10 (OS Build 14393.1715) and I saw the same results as you. I also have an SSD (Samsung) with Windows 10 installed (upgrade from Windows 7) and my Prefetch was enabled by default as well.
Thanks a lot for your work, I will investigate this further…!
best regards,
Robin
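For examiners who want to repeat the observation discussed in this thread, the following check is an added example and not something posted by the participants. It compares the configured EnablePrefetcher value and the SysMain service state with the *.pf files actually written since the last boot. It assumes an elevated PowerShell 5.1 prompt, and the variable and property names are illustrative.

```powershell
# Added example: compare the Prefetch configuration with what is on disk.
# Run elevated; C:\Windows\Prefetch is not readable by standard users.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
$prefetchDir = Join-Path $env:SystemRoot 'Prefetch'

# Configured value (0x0 is the "disabled" setting quoted in the thread).
$params = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$enablePrefetcher = if ($null -ne $params) { $params.EnablePrefetcher } else { $null }

# Superfetch service (SysMain): current state and start type.
$svc = Get-Service -Name 'SysMain' -ErrorAction SilentlyContinue

# Last boot time. With Fast Startup enabled this can reflect the last
# full boot rather than the last power-on, so treat it as a lower bound.
$boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

# Prefetch files written after that boot.
$pf    = @(Get-ChildItem -Path $prefetchDir -Filter '*.pf' -File -ErrorAction SilentlyContinue)
$fresh = @($pf | Where-Object { $_.LastWriteTime -gt $boot })

$result = [pscustomobject]@{
    EnablePrefetcher  = $enablePrefetcher
    SysMainStatus     = if ($svc) { $svc.Status }    else { 'not found' }
    SysMainStartType  = if ($svc) { $svc.StartType } else { 'not found' }
    LastBoot          = $boot
    TotalPfFiles      = $pf.Count
    PfFilesSinceBoot  = $fresh.Count
    NewestPfFile      = ($pf | Sort-Object LastWriteTime -Descending |
                            Select-Object -First 1).Name
}
$result | Format-List

# Flag the mismatch described in the thread: registry says disabled,
# yet prefetch files were still written after the last boot.
if ($enablePrefetcher -eq 0 -and $fresh.Count -gt 0) {
    Write-Warning ("EnablePrefetcher is 0 but {0} .pf file(s) were written since {1}." -f $fresh.Count, $boot)
}
```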