Inside MAM compression

A Windows XP .pf file is straightforward: open it, read the SCCA header at offset zero, and parse downward. A Windows 10 .pf file dropped on that same parser produces gibberish. The reason is MAM.

The MAM framing

Starting with Windows 8, the operating system compresses each prefetch file before writing it to disk. The compressed file begins with an eight-byte framing header:

offset  size  field
0       3     ASCII signature "MAM"
3       1     compression algorithm (0x04 = Xpress Huffman)
4       4     uncompressed payload size (u32 little-endian)
8       …     compressed payload

The byte after the signature identifies the compression algorithm used for the rest of the file. Microsoft defines five values in the COMPRESSION_FORMAT_* family (NONE, DEFAULT, LZNT1, XPRESS and XPRESS_HUFF, 0x00 through 0x04); prefetch uses Xpress Huffman (0x04) exclusively, so anything else in that byte means the file is not what you think it is. The uncompressed size field tells the decompressor how large the output buffer needs to be. It is read straight from the file, so treat it as untrusted: sanity-check it before it sizes an allocation, and never let the decoder write past it.

Xpress Huffman in one paragraph

Xpress Huffman is a block-oriented LZ77 variant: input is processed in chunks of up to 64 KiB of decompressed output, and each chunk starts with a 256-byte table holding one 4-bit code length per symbol for 512 symbols. Symbols 0..255 are literal bytes; symbols 256..511 are matches, whose low four bits carry the match length and whose high four bits say how many extra offset bits follow in the stream. The table is all the decoder needs, because the codes are canonical: assigned shortest-first, then by symbol value. The encoded stream is read as Huffman codes; each symbol either emits a literal byte or signals a back-reference into the already-decompressed output. The format is documented as [MS-XCA] in Microsoft's open-spec corpus.

The parser this site uses (frnsc-prefetch) carries a pure-Rust implementation of Xpress Huffman decoding so the entire pipeline can run inside a WebAssembly module — no native shell-out, no Windows-only API required.
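The frame check from the table above and the decoder described in this section, as one added example (Python written for this post, not frnsc-prefetch's Rust and not Microsoft code). It follows the decoding steps in [MS-XCA]; the max_size cap and the placement of each further 64 KiB chunk's table at the byte offset the bit reader has consumed up to are this example's assumptions. The three SAMPLE inputs are constructed by hand so the nibble table, the canonical code assignment and the bit packing can be checked against the text:

```python
# Added example for this post, not frnsc-prefetch's code: validate the MAM frame, then decode
# the Xpress Huffman payload by the [MS-XCA] steps. Assumed here, not given by the format:
# max_size is a local cap, and each further 64 KiB chunk's table is taken to start at the
# byte offset the bit reader has consumed up to.
import struct

class MamError(ValueError): pass

def parse_mam_header(data, max_size=64 * 1024 * 1024):
    """Validate the 8-byte frame; return (uncompressed_size, compressed_payload)."""
    if len(data) < 8 or data[:3] != b"MAM":
        raise MamError("no 'MAM' signature at offset 0")
    algorithm, size = data[3], struct.unpack_from("<I", data, 4)[0]
    if algorithm != 0x04:  # COMPRESSION_FORMAT_XPRESS_HUFF
        raise MamError(f"unexpected compression algorithm 0x{algorithm:02x}")
    if size > max_size:  # untrusted field that decides how much output gets produced
        raise MamError(f"declared size {size} exceeds cap {max_size}")
    return size, data[8:]

class _Bits:
    """16-bit little-endian words, consumed MSB-first through a 32-bit window."""
    def __init__(self, buf, pos):
        self.buf, self.pos, self.extra = buf, pos, 16
        self.window = (self._word() << 16) | self._word()
    def _word(self):  # past the end feed zeros; output is bounded by the declared size
        self.pos += 2
        return struct.unpack_from("<H", self.buf, self.pos - 2)[0] if self.pos <= len(self.buf) else 0
    def peek(self, n): return (self.window >> (32 - n)) & ((1 << n) - 1)
    def take(self, n):
        v, self.window, self.extra = self.peek(n), (self.window << n) & 0xFFFFFFFF, self.extra - n
        if self.extra < 0:  # refill one word
            self.window |= self._word() << -self.extra
            self.extra += 16
        return v
    def raw(self, n):  # extended match lengths are plain bytes at the stream position
        self.pos += n
        if self.pos > len(self.buf): raise MamError("compressed stream truncated")
        return int.from_bytes(self.buf[self.pos - n:self.pos], "little")

def _decoding_table(table):
    """256 bytes, one 4-bit code length per symbol (512 symbols) -> 2^15-entry lookup."""
    lengths = [(table[s // 2] >> (4 * (s % 2))) & 0x0F for s in range(512)]
    decode, fill = [None] * (1 << 15), 0
    for length in range(1, 16):  # canonical codes: shorter first, then by symbol value
        span = 1 << (15 - length)
        for sym in (s for s in range(512) if lengths[s] == length):
            if fill + span > len(decode):
                raise MamError("over-subscribed Huffman table")
            decode[fill:fill + span] = [(sym, length)] * span
            fill += span
    return decode

def xpress_huffman_decompress(buf, size):
    """Decode exactly `size` bytes from the stream that follows the MAM header."""
    out, pos = bytearray(), 0
    while len(out) < size:
        if pos + 256 > len(buf):
            raise MamError("truncated Huffman table")
        decode, bits = _decoding_table(buf[pos:pos + 256]), _Bits(buf, pos + 256)
        chunk_end = min(len(out) + 65536, size)  # a chunk decodes to at most 64 KiB
        while len(out) < chunk_end:
            sym, code_len = decode[bits.peek(15)] or (None, 0)  # None: no code matches
            if sym is None:
                raise MamError("bit pattern matches no Huffman code")
            bits.take(code_len)
            if sym < 256:
                out.append(sym)  # literal byte
                continue
            # Match: low nibble = length - 3, high nibble = count of extra offset bits. Symbol
            # 256 (offset 1, length 3) doubles as [MS-XCA]'s end marker; the declared size
            # stops decoding first, so it needs no special case here.
            sym -= 256
            match_len, offset_bits = (sym & 0x0F) + 3, sym >> 4
            if match_len == 18:  # nibble 15: the length continues as a raw byte
                match_len = bits.raw(1) + 18
                if match_len == 273:  # raw byte 255: a 16-bit length follows
                    match_len = bits.raw(2) + 3
                    if match_len < 18:
                        raise MamError("invalid extended match length")
            offset = (1 << offset_bits) + bits.take(offset_bits)
            if offset > len(out):
                raise MamError("back-reference before the start of the output")
            for _ in range(min(match_len, chunk_end - len(out))):  # never exceed size
                out.append(out[-offset])
        pos = bits.pos
    return bytes(out)

def decompress_prefetch(data, max_size=64 * 1024 * 1024):
    size, payload = parse_mam_header(data, max_size)
    return xpress_huffman_decompress(payload, size)

def constructed_sample(code_lengths, stream, size):  # constructed test input, not a real .pf
    table = bytearray(256)
    for sym, length in code_lengths.items():
        table[sym // 2] |= length << (4 * (sym % 2))  # one nibble per symbol
    return b"MAM\x04" + struct.pack("<I", size) + bytes(table) + stream

# Four 2-bit codes, canonically 'A'=00, 'B'=01, 256=10, 277=11 (277 = 256 + (1 << 4) + 5: one
# extra offset bit, length 5 + 3). Bits 00 01 11 0 10: 'A', 'B', 8 bytes from 2 back, end marker.
SAMPLE = constructed_sample({0x41: 2, 0x42: 2, 256: 2, 277: 2}, struct.pack("<HH", 0x1D00, 0), 10)
# 287 carries length nibble 15, so a raw byte (2) follows the first two words: 2 + 15 + 3 = 20.
SAMPLE_LONG = constructed_sample({0x41: 2, 0x42: 2, 256: 2, 287: 2}, struct.pack("<HH", 0x1D00, 0) + b"\x02", 22)
# Bits 11 0 ...: a back-reference before any output exists; it must be rejected.
SAMPLE_BAD = constructed_sample({0x41: 2, 0x42: 2, 256: 2, 277: 2}, struct.pack("<HH", 0xC000, 0), 10)
```

decompress_prefetch(SAMPLE) returns b"ABABABABAB" and SAMPLE_LONG decodes to "AB" eleven times; SAMPLE_BAD raises MamError because its first symbol is a back-reference with nothing to refer to. The two checks that matter on a file you did not produce are both in here: the declared size bounds every write, and every match offset is compared against what has already been emitted. A real .pf goes through the same path: feed the whole file to decompress_prefetch and hand the result to an SCCA parser.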

Why it matters

Tools that only know about the XP-era SCCA layout will read the first three bytes of a Win 8+ prefetch file (MAM) and either crash or quietly mis-parse. The number of forensic write-ups that still feature the warning "tested on Windows 7" is not zero. If you collect prefetch artifacts from a modern endpoint and your toolchain stops working, the first thing to check is whether you have an Xpress Huffman decoder in the pipeline at all.

The good news is that the format hasn't changed since Windows 8. Once your toolchain decompresses correctly, the same code path works through Windows 11 — the SCCA payload inside is what differs between versions, not the outer MAM frame.