Back to all posts

Windows Prefetch parsing tools compared

There are four parsers that matter in 2026. None of them is the right answer for every workflow. The trade-offs are real, and the failure mode of picking the wrong one — silently wrong output on MAM-compressed files — is bad enough to be worth thinking about up front.

PECmd (Eric Zimmerman)

PECmd is the de facto command-line standard. .NET, runs on Windows (and Linux/macOS via the recent .NET runtimes), ships as both a CLI and the Prefetch.dll library. Supports every SCCA version from v17 through v31 cleanly.

Strengths: complete field coverage, including file-metric flags, trace chains, and per-file directory string lists. CSV/JSON output. Integrates straight into KAPE, which is where most production DFIR pipelines run it. Active maintenance.

Weaknesses: .NET startup cost makes per-file processing slow when iterating — batch a folder at a time. The CSV output is dense; useful for downstream tooling, less useful for at-a-glance review.

Best for: scripted pipelines, KAPE modules, anything producing a structured dataset another tool will consume.

WinPrefetchView (NirSoft)

NirSoft's WinPrefetchView is the classic Windows GUI for browsing a local Prefetch\ directory. Has been around essentially unchanged for over a decade.

Strengths: zero learning curve, instant visual triage, right-click context menu for properties, HTML export. Useful for showing a non-DFIR colleague what they are looking at.

Weaknesses: Windows-only. No structured output beyond simple HTML or tab-separated copy. Aging — the interface and feature set have barely moved in years. Not ideal for batch processing or for environments where running unsigned third-party utilities is restricted by policy.

Best for: quick visual triage on a Windows analyst workstation when you already have the Prefetch\ directory pulled.

libscca / pyscca (libyal)

libscca is the cross-platform C library backing Plaso/log2timeline. It also publishes the most thorough public documentation of the SCCA format — if you need to know the exact field layout for v31, this is where you look.

Strengths: cross-platform, well-documented, library-quality code. Python bindings via pyscca. The bundled sccainfo CLI gives a clean text dump per file. Used as the parser under Plaso, which means it has been validated against a large corpus of real Prefetch.

Weaknesses: no GUI, no built-in batch reporting. Output is human-readable rather than machine-friendly by default. Building on Windows is not always pleasant; most people consume it via pyscca or Plaso rather than directly.

Best for: building custom tooling on non-Windows analysis hosts. Timeline integration via Plaso.

python-prefetch-parser and friends

The various prefetchparser.py derivatives — windowsprefetch, the original Adam Witt Python tool, several forks — are still cited in older write-ups. Most are unmaintained. Most do not handle MAM compression at all, or handle v26/v30 but break on v31. They will silently emit wrong fields rather than error out.

If you inherit a pipeline that uses one of these, replace it. The cost of finding the wrong run count in a court-bound report is higher than the cost of switching to PECmd or pyscca.

Browser-based parsers

Browser-based parsers — including the one on this site — load a pure-Rust SCCA decoder (frnsc-prefetch) compiled to WebAssembly and run it in a Web Worker. No local install, no Windows requirement, files never leave the browser.

Strengths: zero install, works on any OS or device, no chain of custody concerns from sending evidence to a third party because nothing is sent. Sortable and searchable tables, drill-down detail panels, JSON export. Particularly useful for ad-hoc triage when you do not have your usual tooling at hand, and on locked-down hosts where you cannot install anything.

Weaknesses: depends on the underlying crate for SCCA version coverage. Less customizable than scripting against PECmd or libscca. No native integration with Plaso, KAPE, or whatever your case timeline is.

Best for: rapid triage, sharing findings with non-DFIR colleagues, running on hardened workstations where installing analysis tooling is not allowed, or verifying a single .pf end-to-end against a second independent parser.

When to use which

A workflow that works in practice:

  1. First look — drop the folder into a browser parser. Triage on file count, version distribution, and obvious anomalies. Pick the rows worth investigating.
  2. Bulk extraction — run PECmd over the same folder and write CSV/JSON into your case timeline. This is the archival artifact you reference in the report.
  3. Investigation-grade detail — for any single .pf you need to write up rigorously, run both PECmd and sccainfo. Two independent parsers should agree on a well-defined format; disagreements deserve attention.

No single tool covers everything. The combination of a browser parser for triage plus PECmd or libscca for archival output handles nearly every Prefetch question that comes up in real casework.

Further reading