Why Windows Server has no prefetch files

If you pulled a Prefetch\ folder from a Windows Server install and came up empty, the system was likely behaving as designed. Prefetch is a workstation feature. Microsoft disables it by default on Server SKUs because the workload assumptions — long-running services rather than short-lived interactive apps — make it counter-productive for performance.

The registry knob

Prefetch behavior is governed by one key:

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

Two values matter:

  • EnablePrefetcher (DWORD) — 0 (disabled), 1 (app launch prefetch only), 2 (boot prefetch only), 3 (both, the workstation default).
  • EnableSuperfetch (DWORD) — same value semantics, controls SuperFetch / SysMain, which is the broader memory-management feature that hosts the prefetch logic on modern Windows.

On Windows Server, both default to 0. On Windows 10/11 workstation editions, both default to 3.

The SysMain service

The service that writes prefetch files is SysMain (called "Superfetch" in earlier versions). If SysMain is stopped or disabled, prefetch generation stops even when the registry is set to 3. A two-step check on a live system:

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters"
sc query SysMain

Both EnablePrefetcher = 3 and SysMain running are required for new prefetch files to appear in C:\Windows\Prefetch\.

Forensic implications

An empty Prefetch\ folder is not a negative finding by itself. Before concluding "no prefetch evidence", verify:

  1. OS edition: Server editions, even after months of uptime, will have essentially no prefetch files.
  2. The registry values: confirm EnablePrefetcher and EnableSuperfetch at collection time. If both are 0, the system was configured to suppress prefetch.
  3. SysMain state: if the service was stopped or disabled, that's often visible in the System event log. Look for events from the Service Control Manager around the time you'd expect prefetch generation to have started.
  4. SSD vs HDD: some Windows 10 builds auto-disable prefetch on SSD-only systems for I/O reasons. This is rare in current versions but worth knowing.
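
The first three checks above as a live-triage script. This is an added example, not part of the original post. Its assumptions are that Win32_OperatingSystem.ProductType identifies a Server edition and that Service Control Manager event IDs 7036 and 7040 record SysMain state and start-type changes. It does not cover the SSD case in item 4.

```powershell
# Added example, not from the original post. Run elevated on the live system.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
$pfDir = Join-Path $env:SystemRoot 'Prefetch'

# 1. OS edition: ProductType 1 = workstation, 2 = domain controller, 3 = server
$os = Get-CimInstance -ClassName Win32_OperatingSystem
# 2. Registry values at collection time ($null means the value is absent)
$reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
# 3. SysMain state and start type ($null if the service does not exist)
$svc = Get-Service -Name SysMain -ErrorAction SilentlyContinue
# What is actually on disk, and when the newest .pf file was written
$pf = @(Get-ChildItem -Path $pfDir -Filter '*.pf' -File -ErrorAction SilentlyContinue)
$newest = $pf | Sort-Object LastWriteTimeUtc -Descending | Select-Object -First 1

# Assumption: SCM event 7036 = service state change, 7040 = start type change.
# Get-WinEvent returns newest first, so this keeps the five most recent matches.
$scm = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036, 7040
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'SysMain|Superfetch' } |
    Select-Object -First 5 -Property TimeCreated, Id, Message)

# Collect every reason an empty or stale Prefetch folder would be expected.
$reasons = @()
if ($os.ProductType -ne 1) { $reasons += 'Server edition (prefetch off by default)' }
if ($reg.EnablePrefetcher -ne 3) { $reasons += "EnablePrefetcher = $($reg.EnablePrefetcher)" }
if ($null -eq $svc) { $reasons += 'SysMain service not found' }
elseif ($svc.Status -ne 'Running') {
    $reasons += "SysMain is $($svc.Status), start type $($svc.StartType)"
}
$verdict = if ($reasons) { 'Absence expected: ' + ($reasons -join '; ') } else { 'Prefetch enabled: missing files need another explanation' }

[pscustomobject]@{
    Caption          = $os.Caption
    EnablePrefetcher = $reg.EnablePrefetcher
    EnableSuperfetch = $reg.EnableSuperfetch
    SysMainStatus    = $svc.Status
    SysMainStartType = $svc.StartType
    PrefetchFiles    = $pf.Count
    NewestPfUtc      = $newest.LastWriteTimeUtc
    Verdict          = $verdict
} | Format-List
$scm | Format-List
```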

Re-enabling for collection

If you control the system and want prefetch enabled for ongoing visibility:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnablePrefetcher /t REG_DWORD /d 3 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnableSuperfetch /t REG_DWORD /d 3 /f
sc config SysMain start= auto
net start SysMain

Note that turning prefetch on does not retroactively fill in historical execution data. From the moment SysMain begins writing again, new .pf files reflect new launches only. For evidence of past execution on a system where prefetch was disabled, you'll need to rely on Amcache, ShimCache, and event logs.

Disabled in policy

In some environments, prefetch is suppressed by Group Policy or by endpoint hardening baselines (CIS, STIG, vendor profiles). The registry values will reflect the policy setting; checking the local Group Policy result (gpresult /h) confirms whether the value was forced by a GPO or set locally.