
Prefetch on Windows Servers

(@wilber999)
Posts: 30
Eminent Member
Topic starter
 

In responding to incidents, I typically gather valuable information from the PREFETCH on Windows workstations. However, Windows servers have the PREFETCH capability turned off by default.

Questions
1. Is there a technical reason that this is off?
2. Is there harm in enabling this for clients that I assist in Incident preparation?

Any info is greatly appreciated.

 
Posted : 18/06/2009 3:01 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

In responding to incidents, I typically gather valuable information from the PREFETCH on Windows workstations. However, Windows servers have the PREFETCH capability turned off by default.

Questions
1. Is there a technical reason that this is off?

If by "Windows servers" you mean Windows 2003, then application prefetching is disabled by default by Microsoft. This is likely due to the fact that servers are not necessarily intended for day-to-day use from the console for things like, well…running applications. For example, in most circles, checking email and web browsing from a server is a huge NO-NO. The same can be said for word processing…why would you want to do that from a server?

Boot prefetching, however, is enabled by default.

2. Is there harm in enabling this for clients that I assist in Incident preparation?

No, not necessarily…I mean, if you're not running a number of applications from the server, then I can't really see where there'd be a significant performance hit.

However, that does beg the question…why would you *want* to enable it? What does it give you that you cannot get from another source? For example, on Windows XP, application prefetch files can tell us that an application was run, when it was last run, and how many times it had been run. But we can also get that, even on Windows 2003, from the UserAssist keys within the user's hive files. Keep in mind that application prefetch files are NOT user-specific.

So…why would you want to enable application prefetching on Windows servers for "incident preparation"?

 
Posted : 18/06/2009 3:08 am
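As an added illustration of what an application prefetch file exposes (executable name, last run time, run count), not code from this thread: a minimal parser for the uncompressed XP/2003, Vista/7 and 8.1 header layouts. The field offsets follow the libscca documentation of the format, and the sample file the block builds is constructed test data, not a real capture.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offsets of the last-run FILETIME and the run counter, by prefetch format version
# (17 = XP/2003, 23 = Vista/7, 26 = 8.1). Windows 10 .pf files are MAM-compressed
# and must be decompressed before this header parser can read them.
LAYOUTS = {17: (120, 144), 23: (128, 152), 26: (128, 208)}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME ticks, integer arithmetic only (no float rounding)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch(data):
    """Return (executable name, last run time, run count) from an uncompressed .pf file."""
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    if version not in LAYOUTS:
        raise ValueError(f"unsupported prefetch version {version}")
    # Executable name: 60 bytes of NUL-terminated UTF-16LE at offset 16.
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    ts_off, count_off = LAYOUTS[version]
    (ticks,) = struct.unpack_from("<Q", data, ts_off)
    (run_count,) = struct.unpack_from("<I", data, count_off)
    return name, filetime_to_datetime(ticks), run_count


def build_sample_pf(version, name, last_run, run_count):
    """Construct a minimal fake .pf header (constructed test data, not a real file)."""
    ts_off, count_off = LAYOUTS[version]
    buf = bytearray(count_off + 4)
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    struct.pack_into("<I", buf, 12, len(buf))  # file size field
    buf[16:76] = name.encode("utf-16-le").ljust(60, b"\x00")[:60]
    struct.pack_into("<Q", buf, ts_off, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)


def sample_pf(version=17):
    """A constructed CMD.EXE prefetch header: last run 2009-06-18 03:01 UTC, 7 runs."""
    return build_sample_pf(version, "CMD.EXE", datetime(2009, 6, 18, 3, 1, tzinfo=timezone.utc), 7)


if __name__ == "__main__":
    print(parse_prefetch(sample_pf()))
```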
(@wilber999)
Posts: 30
Eminent Member
Topic starter
 

My last couple of incidents have involved terminal servers/citrix servers in remote desktop mode. In addition, enabling it in other instances has allowed me to determine information needed to help determine information to resolve the issue.

Enabling it (and the ability to recover the deleted .pf files) provides more information that helps me to determine the what, when, and how many times an application was executed, and to determine which UserAssist hives to parse to determine the "offender". This would be specific to terminal servers where there are many profiles.

 
Posted : 18/06/2009 4:12 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

My last couple of incidents have involved terminal servers/citrix servers in remote desktop mode. In addition, enabling it in other instances has allowed me to determine information needed to help determine information to resolve the issue.

Well, based on your experience, I would say that it's probably a good thing.

Keep in mind, though, that this may have limited success. For example, my team is still seeing a lot of Conficker, which installs as a ServiceDll; this doesn't show up in the Prefetch files on XP systems. You will, however, be able to find the other debris and artifacts left by the infection.

Where this will work for you is if a user runs an unauthorized application…you may also find entries in the UserAssist keys (for GUI apps) and the user's MUICache key, as well. Depending upon the application launched, you may also find other artifacts that point to a user.

Enabling it (and the ability to recover the deleted .pf files) provides more information that helps me to determine the what, when, and how many times an application was executed, and to determine which UserAssist hives to parse to determine the "offender". This would be specific to terminal servers where there are many profiles.

I'm not sure I follow the "…and determine which userassist hives to parse…" part.

 
Posted : 18/06/2009 6:05 am