Prefetch Registry Settings changed?!  

Bunnysniper
(@bunnysniper)
Active Member

Hello,

I have observed a strange behavior from Prefetch and kindly ask someone on another Windows 10 OS (10.0.15063) to confirm that.

In "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" Prefetch is disabled with "EnablePrefetcher REG_DWORD 0x0". I have booted and still have fresh *.pf files in C:\Windows\Prefetch\.

The registry setting above seems to be without function, but stopping the Superfetch service (SysMain) really stops the OS from generating *.pf files. Hmmm… this is new, isn't it?

Conclusion could be that this "anti-forensic" setting is not enough to stop the OS from generating prefetch files.

best regards,
Robin

Posted : 08/09/2017 9:42 am
jahearne
(@jahearne)
Junior Member

One of my best "anti-forensic tool" is using an SSD, which also disables Prefetch by default. I'm curious as well, why your setting didn't take in Windows 10. I don't know the answer.

Posted : 08/09/2017 7:13 pm
Bunnysniper
(@bunnysniper)
Active Member

> One of my best "anti-forensic tool" is using an SSD, which also disables Prefetch by default. I'm curious as well, why your setting didn't take in Windows 10. I don't know the answer.

This is the second clue: I am using a 256 GB SSD from SanDisk. Prefetch was enabled by default. I do not understand it, either.

best regards,
Robin

Posted : 08/09/2017 7:27 pm
shakes6791
(@shakes6791)
New Member

> I have observed a strange behavior from Prefetch and kindly ask someone on another Windows 10 OS (10.0.15063) to confirm that

I was unable to get access to a Windows 10 (10.0.15063), but I was able to test this on a Windows 10 (OS Build 14393.1715) and I saw the same results as you. I also have an SSD (Samsung) with Windows 10 installed (upgrade from Windows 7) and my Prefetch was enabled by default as well.

Posted : 22/09/2017 6:13 pm
Bunnysniper
(@bunnysniper)
Active Member

> > I have observed a strange behavior from Prefetch and kindly ask someone on another Windows 10 OS (10.0.15063) to confirm that
>
> I was unable to get access to a Windows 10 (10.0.15063) but I was able to test this on a Windows 10 (OS Build 14393.1715) and I saw the same results as you. […]

Thanks a lot for your work, I will investigate this further…!

best regards,
Robin

Posted : 22/09/2017 9:15 pm
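
A way to repeat the check discussed in this thread on another machine, as an added example that is not part of any poster's message: it reads the EnablePrefetcher value, the SysMain service state, and the *.pf files written since the last boot. It assumes Windows PowerShell 5.1 in an elevated prompt, and it takes "fresh" to mean a LastWriteTime later than the last boot, which is an assumption of this example.

```powershell
# Added example: compare the EnablePrefetcher value, the SysMain service state,
# and the .pf files written since the last boot on the local machine.
$ErrorActionPreference = 'Stop'

$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
$pfDir = Join-Path $env:SystemRoot 'Prefetch'   # run elevated to list this directory

# Registry value discussed in the thread (0x0 = Prefetch disabled).
$enablePrefetcher = (Get-ItemProperty -Path $key -Name EnablePrefetcher).EnablePrefetcher

# Superfetch service; the thread reports that stopping it ends .pf creation.
$svc = Get-Service -Name SysMain -ErrorAction SilentlyContinue

# OS version and boot time; boot time is the cut-off for "fresh" files (assumption).
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$boot = $os.LastBootUpTime

$fresh = @(Get-ChildItem -Path $pfDir -Filter '*.pf' -File |
    Where-Object { $_.LastWriteTime -gt $boot } |
    Sort-Object LastWriteTime -Descending)

$result = [pscustomobject]@{
    OsVersion        = $os.Version
    EnablePrefetcher = '0x{0:X}' -f $enablePrefetcher
    SysMainStatus    = if ($svc) { $svc.Status } else { 'NotInstalled' }
    SysMainStartType = if ($svc) { $svc.StartType } else { $null }
    LastBoot         = $boot
    FreshPfCount     = $fresh.Count
    NewestPf         = if ($fresh.Count) { $fresh[0].Name } else { $null }
    NewestPfWritten  = if ($fresh.Count) { $fresh[0].LastWriteTime } else { $null }
}
$result | Format-List

# The combination reported in the first post: value is 0x0, yet .pf files keep appearing.
if ($enablePrefetcher -eq 0 -and $fresh.Count -gt 0) {
    Write-Warning "EnablePrefetcher is 0x0 but $($fresh.Count) .pf file(s) were written after boot at $boot."
}
```

Running it once with SysMain running and once after stopping the service (with a reboot in between) gives the two data points the posters compared.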