Understanding Windows Prefetch

Windows Prefetch (.pf) files live in C:\Windows\Prefetch\ and record metadata about every executable the operating system has launched. They are one of the most reliable execution artifacts available to a forensic investigator: a program does not need to be installed, persistent, or even still present on disk to leave a prefetch entry behind.

Each .pf file is named <EXECUTABLE>-<HASH>.pf, where the eight-character hash is derived from the full executable path. Two copies of the same binary launched from different directories produce two different prefetch files.

What the parser surfaces

For every .pf you drop in, this tool extracts:

  • Executable name and path as recorded in the prefetch header
  • SCCA version (17 = XP/Vista/7, 23 = Win8, 26 = Win8.1, 30 = Win10, 31 = Win11)
  • Run count — how many times the program has been executed
  • Last run times — the most recent execution timestamps in UTC (Win8.1+ keeps the last 8)
  • Volume information — device path, serial number, and creation time for every volume the program touched
  • Files referenced — every DLL, configuration file, and resource the executable loaded during prefetch capture

Why client-side WebAssembly

.pf files are forensic evidence. Uploading them to a third-party service to parse them defeats the chain of custody and exposes potentially sensitive artifacts. This tool compiles a pure-Rust Prefetch parser (frnsc-prefetch) to WebAssembly and runs it in a Web Worker inside your browser. Bytes never leave your machine.

Win 8+ compression

Starting with Windows 8, prefetch files are stored compressed with the Xpress Huffman algorithm and prefixed with the MAM signature. The parser detects and decompresses these transparently — you don't need to pre-process anything before dropping the folder.
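The header fields listed above and the MAM check described here, as added Rust that is not frnsc-prefetch's own code: the field offsets are the ones libscca documents for the SCCA format, treating versions 30/31 like version 26 is an assumption, and the sample file image is constructed in code.

```rust
// Added example, not frnsc-prefetch's code: read the fixed header of an uncompressed
// SCCA prefetch file. Offsets follow the libscca format documentation.
const FILETIME_UNIX_EPOCH: u64 = 116_444_736_000_000_000; // 100 ns ticks from 1601 to 1970
#[derive(Debug)] pub struct PrefetchHeader { pub version: u32, pub exe_name: String,
    pub path_hash: u32, pub run_count: u32, pub last_run_unix: Vec<u64> }
// Fixed-size field at `off`, or an error naming the offset if the file is short.
fn bytes<const N: usize>(b: &[u8], off: usize) -> Result<[u8; N], String> {
    b.get(off..off + N).and_then(|s| s.try_into().ok()).ok_or(format!("truncated at {off:#x}"))
}
pub fn parse_header(b: &[u8]) -> Result<PrefetchHeader, String> {
    // Windows 8+ files begin with "MAM" and need Xpress Huffman decompression first.
    if b.starts_with(b"MAM") { return Err("compressed (MAM) prefetch: decompress first".into()); }
    if bytes::<4>(b, 4)? != *b"SCCA" { return Err("missing SCCA signature".into()); }
    let version = u32::from_le_bytes(bytes(b, 0)?);
    // Executable name: NUL-terminated UTF-16LE in the 60 bytes at offset 16.
    let units: Vec<u16> = bytes::<60>(b, 16)?.chunks_exact(2)
        .map(|c| u16::from_le_bytes([c[0], c[1]])).take_while(|&u| u != 0).collect();
    let path_hash = u32::from_le_bytes(bytes(b, 76)?);
    // File-information block layout per version: (run count offset, first last-run
    // FILETIME offset, timestamp slots). Assumption: 30/31 use the version 26 layout.
    let (run_off, ts_off, slots) = match version {
        17 => (0x90, 0x78, 1),
        23 => (0x98, 0x80, 1),
        26 | 30 | 31 => (0xD0, 0x80, 8),
        v => return Err(format!("unsupported SCCA version {v}")),
    };
    let run_count = u32::from_le_bytes(bytes(b, run_off)?);
    let mut last_run_unix = Vec::new();
    for i in 0..slots {
        let ft = u64::from_le_bytes(bytes(b, ts_off + 8 * i)?);
        if ft == 0 { break; } // unused slots are zero-filled
        last_run_unix.push(ft.saturating_sub(FILETIME_UNIX_EPOCH) / 10_000_000);
    }
    Ok(PrefetchHeader { version, exe_name: String::from_utf16_lossy(&units),
                        path_hash, run_count, last_run_unix })
}
/// Constructed sample, not a real capture: a minimal version 26 (Win8.1) file image.
pub fn sample_v26() -> Vec<u8> {
    let mut f = vec![0u8; 0x100];
    f[0..4].copy_from_slice(&26u32.to_le_bytes());
    f[4..8].copy_from_slice(b"SCCA");
    for (i, u) in "NOTEPAD.EXE".encode_utf16().enumerate() { f[16 + 2 * i..18 + 2 * i].copy_from_slice(&u.to_le_bytes()); }
    f[76..80].copy_from_slice(&0xD8414F97u32.to_le_bytes()); // placeholder path hash
    f[0xD0..0xD4].copy_from_slice(&7u32.to_le_bytes());      // run count = 7
    for (i, unix) in [1_704_067_200u64, 1_700_000_000].iter().enumerate() { // two runs, newest first
        f[0x80 + 8 * i..0x88 + 8 * i].copy_from_slice(&(unix * 10_000_000 + FILETIME_UNIX_EPOCH).to_le_bytes());
    }
    f
}
```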

Try it

Drop the contents of a Prefetch folder on the home page and you get a sortable, searchable table of every program execution, with full drill-down into volumes and loaded files. Hit Download JSON to export the parsed data for further analysis in your preferred toolchain.