Difference between pages "List of Cyberspeak Podcast Interviews" and "SuperFetch"

From ForensicsWiki

= List of Cyberspeak Podcast Interviews =

The [[Cyberspeak podcast]] usually features at least one interview per show. The guests on each show are listed below.

=== 2005 ===

* 18 Dec 2005: [[Nick Harbour]], author of [[Dcfldd|dcfldd]]
* 31 Dec 2005: [[Jesse Kornblum]], author of [[foremost]] and [[md5deep]]

=== 2006 ===

* 7 Jan 2006: [[Drew Fahey]], author of [[Helix]]
* 18 Jan 2006: [[Simple Nomad]]
* 21 Jan 2006: [[Johnny Long]]
* 28 Jan 2006: [[Kevin Mandia]]

* 4 Feb 2006: [[Brian Carrier]]
* 11 Feb 2006: [[Jesse Kornblum]]
* 18 Feb 2006: [[Bruce Potter]] of the Shmoo Group
* 25 Feb 2006: [[Kris Kendall]] speaks about malware analysis

* 4 Mar 2006: [[Dave Merkel]]
* 11 Mar 2006: [[James Wiebe]] of [[Wiebe Tech]]. Also [[Todd Bellows]] of [[LogiCube]] about [[CellDek]]
* 18 Mar 2006: [[Kris Kendall]]
* 25 Mar 2006: (No interview)

* 1 Apr 2006: [[Harlan Carvey]], creator of the [[Forensic Server Project]]
* 8 Apr 2006: (No interview)
* 15 Apr 2006: (No interview), but the first show to mention the [[Main_Page|Forensics Wiki]]!
* 22 Apr 2006: [[Jaime Florence]] about [[Mercury]], a text indexing product

* 6 May 2006: [[Mark Rache]] and [[Dave Merkel]]
* 13 May 2006: [[Steve Bunting]]
* 21 May 2006: [[Mike Younger]]
* 29 May 2006: [[Mike Younger]]

* 3 Jun 2006: [[Jesse Kornblum]] about [[Windows Memory Analysis]]
* 10 Jun 2006: (No interview)
* 17 Jun 2006: [[Mike Younger]]
* 24 Jun 2006: (No interview)

* 1 Jul 2006: (No interview)
* 9 Jul 2006: [[Johnny Long]]
* 18 Jul 2006: [[Dark Tangent]]
* 30 Jul 2006: [[Jesse Kornblum]] about [[Ssdeep|ssdeep]] and [[Context Triggered Piecewise Hashing|Fuzzy Hashing]]

* 10 Aug 2006: [[Brian Contos]] discusses his book ''Insider Threat: Enemy at the Watercooler''
* 13 Aug 2006: [[Richard Bejtlich]] discusses his book ''Real Digital Forensics''
* 27 Aug 2006: [[David Farquhar]]

* 3 Sep 2006: [[Keith Jones]]
* 10 Sep 2006: (No interview)
* 17 Sep 2006: (No interview)
* 24 Sep 2006: (No interview)

* 1 Oct 2006: [[Brian Kaplan]], author of [[LiveView]]
* 8 Oct 2006: [[Tom Gallagher]] discusses his book ''Hunting Security Bugs''
* 15 Oct 2006: (No interview)
* 29 Oct 2006: (No interview)

* 12 Nov 2006: [[Jesse Kornblum]] discusses his paper ''Exploiting the Rootkit Paradox with Windows Memory Analysis''
* 19 Nov 2006: [[Kris Kendall]] discusses unpacking binaries when conducting malware analysis
* 26 Nov 2006: (No interview)

* 3 Dec 2006: [[Brian Dykstra]]
* 10 Dec 2006: [[Mike Younger]]
* 17 Dec 2006: [[Mike Younger]] and [[Geoff Michelli]]

=== 2007 ===

* 7 Jan 2007: [[Jamie Butler]]
* 17 Jan 2007: [[Chad McMillan]]
* 28 Jan 2007: [[Jesse Kornblum]]

* 11 Feb 2007: [[Scott Moulton]]
* 18 Feb 2007: [[Phil Zimmerman]], creator of [[PGP]], discussing his new [[Zfone]]
* 25 Feb 2007: [[Mark Menz]] and [[Jeff Moss]]

* 4 Mar 2007: No show due to technical difficulties
* 12 Mar 2007: [[Trevor Fairchild]] of the [[Ontario Provincial Police Department]] discussing [[C4P]] and [[C4M]], both add-ons to [[EnCase]]
* 18 Mar 2007: [[Tony Hogeveen]] of [[DeepSpar]] Data Recovery Systems
* 25 Mar 2007: Shmoocon broadcast

* 1 Apr 2007: [[Kevin Smith]] from LTU Technologies about [[Image Seeker]]
* 15 Apr 2007: [[Jim Christy]] from the [[Defense Cyber Crime Center]]
* 22 Apr 2007: [[Jesse Kornblum]] all about the [[Main_Page|Forensics Wiki]]!
* 29 Apr 2007: [[Harlan Carvey]] discusses his new book

* 13 May 2007: [[Russell Yawn]]
* 20 May 2007: (No interview)

* 2 Jun 2007: (No interview)
* 10 Jun 2007: [[Paul Ohm]]
* 17 Jun 2007: (No interview)
* 24 Jun 2007: (No interview)

* 1 Jul 2007: (No interview)
* 22 Jul 2007: [[Didier Stevens]] about the [[UserAssist]] registry parser
* 29 Jul 2007: (No interview)

* 23 Sep 2007: (No interview)
* 30 Sep 2007: (No interview)

* 15 Oct 2007: (No interview)

* 12 Nov 2007: (No interview)

* 21 Dec 2007: (No interview)

=== 2008 ===

* 14 Jan 2008: (No interview)

* 10 Feb 2008: (No interview)
* 17 Feb 2008: Unknown

* 8 Mar 2008: [[Simson L. Garfinkel|Dr. Simson Garfinkel]] about the [[AFF|Advanced Forensic Format]]
* 16 Mar 2008: (No interview)
* 31 Mar 2008: (No interview)

* 13 Apr 2008: (No interview)
* 27 Apr 2008: (No interview)

* 10 May 2008: [[Al Lewis]] from [http://subrosasoft.com/ Subrosasoft] about the [[Mac Lockpick]]

* 1 Jun 2008: [[Mark McKinnon]] from [http://redwolfcomputerforensics.com/ Red Wolf Computer Forensics] about his [[CSC Parser]]
* 15 Jun 2008: (No interview)
* 28 Jun 2008: (No interview)

* 6 Sep 2008: [[Jesse Kornblum]] about fun tricks with computer memory
* 28 Sep 2008: [[Kevin Mandia]] about incident response

= SuperFetch =

Revision as of 06:10, 28 June 2014

{{Expand}}

SuperFetch is a performance enhancement introduced in [[Microsoft]] [[Windows|Windows Vista]] to reduce the time needed to launch applications. It works with the Windows memory manager, analyzing memory usage patterns over time to determine the optimal memory contents for a given user at a given date or time of day. This differs from the [[Prefetch]] technique used in Microsoft Windows XP, which preloads data into memory without analyzing usage patterns.

From [http://msdn.microsoft.com/en-us/library/windows/hardware/dn653317(v=vs.85).aspx]: SuperFetch prioritizes the following kinds of pages to remain in memory:

* Pages of applications that are used most frequently overall.
* Pages of applications that are commonly used when resuming:
** After extensive hibernation (for example, first thing in the morning).
** After shorter periods of sleep or hibernation (for example, after lunch).

If SuperFetch detects that the system drive is a fast SSD (as measured by the Windows Experience Index disk score), it turns off [[ReadyBoot]], [[ReadyBoost]], and the SuperFetch service itself.

== Components ==

=== Robust performance ===

Robust performance (or robustness) is the component of SuperFetch that watches for specific file I/O access patterns that could harm system performance by populating the standby lists with data that will not be needed again.

== Scenarios ==

SuperFetch distinguishes between different scenarios in order to measure performance accurately.

=== Cold scenario ===

In a cold scenario, the test applications are not already in memory when the test begins. Cold scenarios measure performance either after a state transition, such as boot or resume from hibernation, or after another application has claimed most of the available memory, such as after launching and quitting a game.

=== Warm scenario ===

In a warm scenario, some or all of the scenario contents are already in memory before measurement. This usually means that the test has run at least once during the current logon session.

== Configuration ==

Because SuperFetch fills otherwise idle memory with cached pages, a system running it shows little or no free memory, and some users turn it off to create the appearance of having more free memory. The feature can be configured by changing the [[Registry]] value [http://www.codinghorror.com/blog/archives/000688.html]:

<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
Value: EnableSuperfetch
</pre>

A value of zero disables SuperFetch, one enables it for boot only, two for applications only, and three for both applications and boot. The service itself (service name <tt>SysMain</tt>, displayed as "Superfetch") can also be stopped or disabled from the Services console, <tt>services.msc</tt> [http://tiredblogger.wordpress.com/2007/03/27/superfetch-not-so-super-for-gaming/]. Stopping the service ends further updates to the database files described below but does not remove the ones already on disk.

== File Formats ==

Data for SuperFetch is gathered by <tt>%SystemRoot%\System32\Sysmain.dll</tt>, loaded into a Service Host process, <tt>%SystemRoot%\System32\Svchost.exe</tt>, and stored in a series of files in the <tt>%SystemRoot%\Prefetch</tt> directory [http://www.microsoft.com/technet/technetmag/issues/2007/03/VistaKernel/]. These files appear to start with the prefix <tt>Ag</tt> and have a <tt>.db</tt> extension. There are likely further SuperFetch database files named differently, presumably all using the <tt>.db</tt> extension.

The format of the SuperFetch database files is not fully known; an unofficial partial specification [http://blog.rewolf.pl/blog/?p=214] and an open source (GPL) dumper for the <tt>.db</tt> files [http://code.google.com/p/rewolf-superfetch-dumper/] are available. For more information see [[Windows SuperFetch Format|SuperFetch Format]].

The SuperFetch feature is seeded with some basic usage patterns when the operating system is installed [http://channel9.msdn.com/showpost.aspx?postid=242429].

The SuperFetch service depends on the File Information FS MiniFilter driver, which supplies the file I/O information it records. It appears that most of the SuperFetch database files are updated (written) when the service shuts down. <tt>AgAppLaunch.db</tt> is also written when the service starts.

== See Also ==

* [[Prefetch]]
* [[ReadyBoost]]
* [[ReadyBoot]]
* [[Windows SuperFetch Format|SuperFetch Format]]
* [[Windows]]

== External Links ==

* [http://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx Inside the Windows Vista Kernel: Part 2], by [[Mark Russinovich]], March 2007
* [http://download.microsoft.com/download/7/E/7/7E7662CF-CBEA-470B-A97E-CE7CE0D98DC2/Win7Perf.docx Performance Testing Guide for Windows], by [[Microsoft]], August 18, 2009
* [http://en.wikipedia.org/wiki/Windows_Vista_I/O_technologies#SuperFetch Wikipedia: Windows Vista I/O technologies - SuperFetch]
* [http://channel9.msdn.com/showpost.aspx?postid=242429 Channel 9 Interview with Michael Fortin of Microsoft on SuperFetch]
* [http://www.informationweek.com/news/showArticle.jhtml?articleID=196902178 Microsoft Predicts The Future With Vista's SuperFetch] from Information Week
* [http://jessekornblum.com/presentations/dodcc08-2.pdf DC3 Presentation: My You Look SuperFetching], by Jesse Kornblum

== Tools ==

=== Open Source ===

* [https://code.google.com/p/rewolf-superfetch-dumper/ rewolf-superfetch-dumper]

[[Category:Windows]]
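
A triage script for the Configuration and File Formats sections above, added here as an example; it is not part of the ForensicsWiki page and not taken from any tool the page lists. It reads the <tt>EnableSuperfetch</tt> value and decodes it with the meanings given in the Configuration section, reports the state of the <tt>SysMain</tt> service, and inventories the <tt>Ag*.db</tt> files in the Prefetch directory with their timestamps, SHA-256 hashes and first header bytes. It assumes a live system and an elevated Windows PowerShell 3 or later session, because <tt>%SystemRoot%\Prefetch</tt> is not readable by standard users; the output column names are the script's own.

```powershell
# Added example, not from the ForensicsWiki page: triage SuperFetch on a live
# Windows system. Assumes an elevated Windows PowerShell 3+ session, since
# %SystemRoot%\Prefetch is not readable by standard users.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'

# Meaning of EnableSuperfetch as given in the Configuration section.
$meaning = @{ 0 = 'disabled'; 1 = 'boot only'; 2 = 'applications only'; 3 = 'boot and applications' }

# 1. Registry setting. A missing value name comes back as $null, not as an error.
$value = (Get-ItemProperty -Path $key -ErrorAction Stop).EnableSuperfetch
if ($null -eq $value) {
    Write-Output 'EnableSuperfetch: not present (the service applies its built-in default)'
} elseif ($meaning.ContainsKey([int]$value)) {
    Write-Output ('EnableSuperfetch: {0} ({1})' -f $value, $meaning[[int]$value])
} else {
    Write-Output ('EnableSuperfetch: {0} (outside the documented range 0-3)' -f $value)
}

# 2. Service state. SuperFetch runs inside svchost.exe under the service name
#    SysMain; on a fast SSD it may legitimately be stopped (see above).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SysMain'"
if ($svc) {
    Write-Output ('Service SysMain ("{0}"): state {1}, start mode {2}' -f $svc.DisplayName, $svc.State, $svc.StartMode)
} else {
    Write-Output 'Service SysMain: not installed'
}

# 3. Database files. Most are written when the service stops, so the last-write
#    times cluster around shutdowns. The format is only partly documented, so
#    only the raw header bytes are shown, for comparison across systems or
#    against a forensic image; the hash fixes what was collected.
$prefetch = Join-Path -Path $env:SystemRoot -ChildPath 'Prefetch'
$dbFiles = @(Get-ChildItem -Path $prefetch -File -ErrorAction Stop | Where-Object { $_.Name -like 'Ag*.db' })
if ($dbFiles.Count -eq 0) {
    Write-Output ('No Ag*.db files in {0} (SuperFetch off, or nothing written yet)' -f $prefetch)
}

$dbFiles | Sort-Object -Property LastWriteTimeUtc -Descending | ForEach-Object {
    # Open with FileShare ReadWrite: the running service may hold the file open.
    $header = New-Object byte[] 16
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::Open($_.FullName, 'Open', 'Read', 'ReadWrite')
    try {
        $read = $stream.Read($header, 0, $header.Length)
        $stream.Position = 0
        $digest = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('X2') }) -join ''
    } finally {
        $stream.Dispose()
        $sha.Dispose()
    }
    $hex = ''
    if ($read -gt 0) {
        $hex = ($header[0..($read - 1)] | ForEach-Object { $_.ToString('X2') }) -join ' '
    }
    [pscustomobject]@{
        Name       = $_.Name
        SizeBytes  = $_.Length
        CreatedUtc = $_.CreationTimeUtc
        WrittenUtc = $_.LastWriteTimeUtc
        SHA256     = $digest
        Header     = $hex
    }
} | Format-Table -AutoSize
```

The files are opened with a ReadWrite share mode and hashed through the same handle rather than with <tt>Get-FileHash</tt>, so the script still works while the service has a database open. For an offline image, point <tt>$prefetch</tt> at the mounted <tt>Windows\Prefetch</tt> directory; the registry value and service state then have to be read from the image's SYSTEM hive instead, which this script does not do.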
