Windows Prefetch parsing tools compared

There are good open-source tools for reading prefetch files. None of them is the right answer for every workflow. Here is what each one is optimized for, what it leaves out, and when to switch between them.

PECmd (Eric Zimmerman)

PECmd is the de facto command-line standard in DFIR. Written in .NET, runs on Windows, ships both as a CLI and as a library (Prefetch.dll). Supports every SCCA version from XP through Windows 11.

Strengths: complete field coverage, including the file metric flags, trace chains, and per-file directory string lists. CSV/JSON output, integrates cleanly into Eric's Triage suite (KAPE).

Weaknesses: Windows-only. .NET startup cost makes per-file processing slow when iterating; you'll usually batch a folder at a time. The CSV output is dense — useful for downstream tooling, less useful for at-a-glance review.

Best for: scripted DFIR pipelines, KAPE modules, anything that produces a structured dataset another tool will consume.

WinPrefetchView (NirSoft)

NirSoft's WinPrefetchView is the classic Windows GUI for browsing a local Prefetch\ folder.

Strengths: zero learning curve, instant visual answer to "what ran". Right-click context menu for properties, save selected entries, generate HTML reports.

Weaknesses: Windows-only. No structured output beyond simple HTML or tab-separated copy. Aging — interface and feature set haven't moved much in years. Not ideal for batch processing or for systems where running unsigned utilities is restricted.

Best for: quick triage on a Windows analyst workstation when you have the Prefetch\ folder already exported.

libscca / scca tools (libyal)

libscca is the cross-platform C library backing several toolchains (Plaso, log2timeline). It also publishes the most thorough public documentation of the SCCA format.

Strengths: cross-platform, well-documented, library-quality code. Bindings exist for Python via pyscca. The bundled sccainfo CLI gives you a clean text dump per file.

Weaknesses: no GUI, no built-in batch reporting, output is human-readable rather than machine-friendly by default.

Best for: building tooling, especially on non-Windows analysis hosts. Pair with Plaso for timeline integration.

Browser-based parsers

Browser-based parsers — including this one — load a pure-Rust SCCA decoder compiled to WebAssembly and run it in a Web Worker. No local install, no Windows requirement, files never leave the browser.

Strengths: zero install, works on any OS or device, no chain of custody concerns from sending evidence to a third party (because it isn't sent at all). Sortable/searchable table, drill-down detail panel, JSON export. Useful for ad-hoc triage when you don't have your usual toolchain at hand.

Weaknesses: SCCA version coverage depends on how current the underlying Rust crate is. Less customizable than scripting against PECmd or libscca directly.

Best for: rapid triage, sharing findings with non-DFIR colleagues, running on locked-down workstations where installing analysis tooling isn't allowed, or just verifying a single .pf file end-to-end.

When to use which

A reasonable workflow:

  1. First look — drop the folder into the browser parser to triage quickly and identify the rows you care about.
  2. Bulk extraction — run PECmd over the same folder for a CSV/JSON feed into your case timeline.
  3. Investigation-grade detail — for any single .pf you need to write up rigorously, run both PECmd and sccainfo and compare. The format is well-defined enough that two independent parsers should agree; disagreements deserve attention.
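
A minimal illustration of the "verify a single .pf end-to-end" step, added here as an example and not taken from any of the tools above: it reads the fixed SCCA header fields that every parser must agree on (format version, signature, executable name, prefetch hash), flags Windows 10+ compressed files that need a real decompressor, and checks the hash in the file name against the header. The header offsets follow libscca's public format documentation; the sample bytes and the hash value are constructed, not a real capture.

```python
"""Read the fixed SCCA header of a Prefetch (.pf) file for cross-parser sanity checks."""
import struct

# SCCA format version -> Windows generation (from libscca's format documentation).
# Anything newer is reported as unknown, which is exactly the "version coverage" gap
# to watch for in any parser.
SCCA_VERSIONS = {17: "XP/2003", 23: "Vista/7", 26: "8.1", 30: "10/11"}
MAM_MAGIC = b"MAM\x04"  # Windows 10+ wraps the SCCA payload in LZXPRESS-Huffman


def inspect_pf(data: bytes, filename: str = "") -> dict:
    """Return the header facts a triage tool would show, or why it cannot."""
    if data[:4] == MAM_MAGIC:
        # Compressed file: only the uncompressed size is readable without a decompressor.
        (raw_size,) = struct.unpack_from("<I", data, 4)
        return {"compressed": True, "uncompressed_size": raw_size}
    if data[4:8] != b"SCCA":
        raise ValueError("not a Prefetch file: missing SCCA signature at offset 4")
    (version,) = struct.unpack_from("<I", data, 0)
    (file_size,) = struct.unpack_from("<I", data, 12)
    # Offset 16: executable name, UTF-16LE, 60 bytes, NUL-terminated.
    exe = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 76)
    info = {
        "compressed": False,
        "version": version,
        "windows": SCCA_VERSIONS.get(version, "unknown (parser may lack support)"),
        "executable": exe,
        "hash": pf_hash,
        "size_ok": file_size == len(data),  # header size field vs. actual bytes
    }
    if filename:
        # On-disk name is EXE-HASH.pf; a mismatch with the header hash deserves attention.
        stem = filename.rsplit(".", 1)[0]
        info["name_hash_matches"] = stem.rsplit("-", 1)[-1].upper() == f"{pf_hash:08X}"
    return info


def build_sample(version: int, exe: str, pf_hash: int, total: int = 128) -> bytes:
    """Construct a synthetic .pf header (sample data for this example, not a real file)."""
    name = exe.encode("utf-16-le")[:58].ljust(60, b"\x00")
    hdr = struct.pack("<I4sII", version, b"SCCA", 0x0F, total) + name
    hdr += struct.pack("<II", pf_hash, 0)  # prefetch hash, then an unknown/flags field
    return hdr.ljust(total, b"\x00")


if __name__ == "__main__":
    sample = build_sample(30, "NOTEPAD.EXE", 0xD8414F97)  # constructed hash value
    print(inspect_pf(sample, "NOTEPAD.EXE-D8414F97.pf"))
    print(inspect_pf(MAM_MAGIC + struct.pack("<I", 4096) + b"\x00" * 8))
```

Running the same file through PECmd and sccainfo and comparing against these fields is a quick way to spot the disagreements the workflow above says to investigate.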

No single tool is a complete answer, but the combination of a browser parser for triage and PECmd or libscca for archival output covers nearly every prefetch question that arises in practice.