What changed in Windows Prefetch v30 and v31
The first four bytes inside a decompressed SCCA payload are a version number. That single field tells you which Windows family wrote the file and which header layout to expect:
| Version | Windows | Compression | Last-run slots |
|---|---|---|---|
| 17 | XP, Vista, 7 | None | 1 |
| 23 | Windows 8 | Xpress Huff | 1 |
| 26 | Windows 8.1 | Xpress Huff | 8 |
| 30 | Windows 10 | Xpress Huff | 8 |
| 31 | Windows 11 | Xpress Huff | 8 |
The v26 jump: eight run times
The most useful change in the entire format history happened with Windows 8.1 (v26): the header gained room for eight last-run timestamps instead of one. Before 8.1, a prefetch file only told you when the program last ran. From 8.1 onward, you get a rolling window of the eight most recent executions, each as a Windows FILETIME (u64 100-nanosecond intervals since 1601-01-01 UTC).
This is the field that lets analysts say "the binary executed eight times in the last three days" rather than "the binary executed at some point before yesterday."
v30: Windows 10
The Windows 10 (v30) layout reshuffles a few offsets in the file information section and tightens the volume information records, but the externally observable fields are the same: name, hash, run count, the eight last-run times, volume info, and the file-metric list of every DLL and resource the binary touched.
Most parsers do not need version-specific code paths inside the SCCA payload beyond reading the version number itself — the field offsets are the same width and meaning, only their positions move.
v31: Windows 11
Windows 11 ships v31 prefetch files. The differences from v30 are minor — Microsoft has tightened a few padding bytes and added bits to the prefetch flags field. Practically, a parser that handles v30 cleanly will read v31 with at most a constant-width offset adjustment. If your toolchain claims "Windows 10 support" but errors on Windows 11 files, the most common cause is an over-strict version check rather than a real format incompatibility.
What this means for you
When the parser on this site shows you "Ver. 31" in the table, you can trust the eight-deep last-run history and the full file-metric list. If it shows "Ver. 17", you only get one last-run timestamp and the file came from XP-through-7. The version field is also useful for triage: finding a v17 prefetch file on a modern Windows 10 host is a strong indicator that the prefetch was copied in from elsewhere.