Blog
- Windows Prefetch parsing tools compared — PECmd, WinPrefetchView, and browser-based parsers
PECmd, WinPrefetchView, libscca, and online parsers — what each one is good at, what it misses, and when to reach for which.
2026-05-28
- Prefetch anti-forensics: what attackers can hide, what they can't
EnablePrefetcher=0, deleting .pf files, the rename-before-run trick. A practitioner's view of which attacks against Prefetch work and which leave a trail you can follow.
2026-05-27
- Prefetch as evidence: what .pf files actually prove
The Windows Prefetch is the most reliable proof-of-execution artifact you'll see in DFIR — but only if you understand what it doesn't say. A practitioner's view on .pf files.
2026-05-27
- Why Windows Server has no prefetch files — PrefetchParameters and SysMain explained
Prefetch is off by default on Windows Server, controlled by registry, and tied to the SysMain service. Here is what governs it and how to verify state on a live system.
2026-05-27
- The Windows Prefetch file format across versions
SCCA, MAM compression, sections A through D, and the version field. A practitioner's walkthrough of how .pf files have changed from XP to Win11, and which parsers keep up.
2026-05-27
- The file load list: what every .pf can tell you about what a binary did
The Prefetch load list is the part most analysts skim. It's also where DLL hijacks, malware configs, and document opens hide in plain sight. A practical guide.
2026-05-27
- Did the program actually run? Prefetch and process execution
Prefetch is the strongest single proof-of-execution artifact in Windows DFIR. Here's where the claim is solid, where it breaks, and how to corroborate it with EVTX 4688 and Sysmon.
2026-05-27
- Investigating ransomware with Prefetch: a walkthrough
A fictional but realistic ransomware case rebuilt from Prefetch. The eight timestamps, the encryptor's load list, lateral-movement tools. How the .pf files tell the story.
2026-05-27
- SuperFetch, SysMain, and the Win10/11 Prefetch confusion
SuperFetch became SysMain in Win10 1709. Prefetch is partly disabled on SSDs. Here's what the registry knobs actually do, and what to verify before trusting a .pf file.
2026-05-27
- Detecting Windows Prefetch tampering and anti-forensics
Attackers delete, plant, and falsify .pf files to obscure execution evidence. Here is how to spot the common signs and what each one tells you.
2026-05-26
- How to analyze Windows Prefetch files — a forensic walkthrough
A practical step-by-step guide to reading .pf files for execution evidence — what to look for, what to ignore, and how to corroborate findings.
2026-05-25
- Prefetch vs Amcache vs ShimCache — picking the right execution artifact
Three Windows artifacts record program execution. They overlap, but each one captures something the other two miss. Here is when to reach for which.
2026-05-24
- What changed in Windows Prefetch v30 and v31 (Windows 10 and 11)
The SCCA version field is the single most useful number in a prefetch file. Here is what each version means and what to watch for when parsing v30 (Win10) and v31 (Win11).
2026-05-23
- Inside MAM compression — how Windows 8+ packs prefetch files
Modern .pf files start with a MAM signature and an Xpress Huffman compressed payload. Here is how the framing works, why it was introduced, and what a parser has to do to read it.
2026-05-22
- How the Windows Prefetch hash is calculated
The 8-character suffix in every .pf filename is a path-derived hash, and the algorithm has changed three times. Here is what it computes and why it matters for forensics.
2026-05-21
- Understanding Windows Prefetch for forensics
What .pf files record, why they matter, and how this parser reads them entirely in your browser.
2026-05-20