
Prefetch XML

From ForensicsWiki
Revision as of 15:14, 5 July 2011 by Simsong (Talk | contribs) (XML Example)


A Prefetch file is used by Windows NT to improve the startup process of an application. Each prefetch file provides information about the application that was run.

XML Example

<?xml version='1.0' encoding='ISO-8859-1'?>
<prefetch>
   <header>
     <os>Windows 7</os>
     <header_size>240</header_size>
     <filename>ACRORD32INFO.EXE</filename>
     <runs>3</runs>
     <atime>2011-02-07T12:24:52</atime>
   </header>
   <volume>
     <path>/DEVICE/HARDDISKVOLUME1</path>
     <serial_number>b46f6927</serial_number>
   </volume>
   <creation>2010-08-18T06:13:10</creation>
   <associated_files>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/NTDLL.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/KERNEL32.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/APISETSCHEMA.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/KERNELBASE.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/LOCALE.NLS</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/ADVAPI32.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/MSVCRT.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/SECHOST.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/RPCRT4.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/WINSXS/X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5/MSVCR80.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32INFO.EXE</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/WININET.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/SHLWAPI.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/GDI32.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/USER32.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/LPK.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/USP10.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/NORMALIZ.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/URLMON.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/OLE32.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/OLEAUT32.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/CRYPT32.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/MSASN1.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/IERTUTIL.DLL</filename>
   </associated_files>
</prefetch>
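
The following is an added example, not part of the original wiki page or of any tool's own code: a Python reader for the XML layout shown above that pulls out the header fields, locates the executable's full path among the associated files, and lists the files loaded from outside the volume's WINDOWS directory. The function names are hypothetical, and reading `runs` as a run count and `atime`/`creation` as timestamps is an assumption, since the page does not define the elements.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: a shortened copy of the page's example (fewer elements).
SAMPLE = """<?xml version='1.0' encoding='ISO-8859-1'?>
<prefetch>
   <header>
     <filename>ACRORD32INFO.EXE</filename>
     <runs>3</runs>
     <atime>2011-02-07T12:24:52</atime>
   </header>
   <volume>
     <path>/DEVICE/HARDDISKVOLUME1</path>
     <serial_number>b46f6927</serial_number>
   </volume>
   <creation>2010-08-18T06:13:10</creation>
   <associated_files>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/NTDLL.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32INFO.EXE</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32.DLL</filename>
   </associated_files>
</prefetch>"""

def parse_prefetch(xml_text):
    """Return one record per <prefetch> document; raise ValueError on a bad layout."""
    root = ET.fromstring(xml_text)
    if root.tag != "prefetch":
        raise ValueError("not a prefetch XML document")
    def text(path):
        node = root.find(path)
        if node is None or not (node.text or "").strip():
            raise ValueError(f"missing element: {path}")
        return node.text.strip()
    files = [f.text.strip() for f in root.findall("associated_files/filename") if f.text]
    exe = text("header/filename")
    return {
        "executable": exe,
        "runs": int(text("header/runs")),              # assumed: run count
        "atime": datetime.fromisoformat(text("header/atime")),
        "creation": datetime.fromisoformat(text("creation")),
        "volume": text("volume/path"),
        "files": files,
        # Entries whose last path component equals header/filename.
        "exe_paths": [f for f in files if f.rsplit("/", 1)[-1] == exe],
    }

def outside_windows_dir(record):
    """Associated files that are not under <volume path>/WINDOWS/."""
    prefix = record["volume"] + "/WINDOWS/"
    return [f for f in record["files"] if not f.startswith(prefix)]
```
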

See Also