Blog
- Windows Prefetch parsing tools compared — PECmd, WinPrefetchView, and browser-based parsers
PECmd, WinPrefetchView, libscca, and online parsers — what each one is good at, what it misses, and when to reach for which.
2026-05-28
- Why Windows Server has no prefetch files — PrefetchParameters and SysMain explained
Prefetch is off by default on Windows Server, controlled by the registry, and tied to the SysMain service. Here is what governs it and how to verify state on a live system.
2026-05-27
- Detecting Windows Prefetch tampering and anti-forensics
Attackers delete, plant, and falsify .pf files to obscure execution evidence. Here is how to spot the common signs and what each one tells you.
2026-05-26
- How to analyze Windows Prefetch files — a forensic walkthrough
A practical step-by-step guide to reading .pf files for execution evidence — what to look for, what to ignore, and how to corroborate findings.
2026-05-25
- Prefetch vs Amcache vs ShimCache — picking the right execution artifact
Three Windows artifacts record program execution. They overlap, but each one captures something the other two miss. Here is when to reach for which.
2026-05-24
- What changed in Windows Prefetch v30 and v31 (Windows 10 and 11)
The SCCA version field is the single most useful number in a prefetch file. Here is what each version means and what to watch for when parsing v30 (Win10) and v31 (Win11).
2026-05-23
- Inside MAM compression — how Windows 8+ packs prefetch files
Modern .pf files start with a MAM signature and an Xpress Huffman compressed payload. Here is how the framing works, why it was introduced, and what a parser has to do to read it.
2026-05-22
- How the Windows Prefetch hash is calculated
The 8-character suffix in every .pf filename is a path-derived hash, and the algorithm has changed three times. Here is what it computes and why it matters for forensics.
2026-05-21
- Understanding Windows Prefetch for forensics
What .pf files record, why they matter, and how this parser reads them entirely in your browser.
2026-05-20