Difference between revisions of "Prefetch"

From ForensicsWiki
(Initial stub)
 
(Added max prefetch file limit)
Line 4: Line 4:
 
== Timestamps ==
 
== Timestamps ==
 
Both the [[NTFS]] timestamps for a Prefetch file and the timestamp embedded in each Prefetch file contain valueable information. The creation date of the file indicates the first time the application was executed. Both the modification date of the file and the embedded timestamp indicate the last time the application was executed. The
 
Both the [[NTFS]] timestamps for a Prefetch file and the timestamp embedded in each Prefetch file contain valueable information. The creation date of the file indicates the first time the application was executed. Both the modification date of the file and the embedded timestamp indicate the last time the application was executed. The
 +
 +
== Other Notes ==
 +
There should never be more than 128 prefetch files [http://blogs.msdn.com/ryanmy/archive/2005/05/25/421882.aspx].
  
 
== See Also ==
 
== See Also ==
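
Review bot: the new "Other Notes" line states the 128-file limit with only a bare external link and no context. Say which Windows versions the limit applies to and what happens to existing Prefetch files once it is reached, since that decides how an examiner should read a missing entry. The unchanged Timestamps paragraph just above still ends on a dangling "The" and misspells "valuable" as "valueable"; both are worth fixing in the same revision.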

Revision as of 11:33, 22 May 2007


Windows Prefetch files, introduced in Windows XP, are designed to speed up the application startup process. Prefetch files contain the name of the executable, a list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run. Prefetch files are stored in the %SystemRoot%\Prefetch directory.

Timestamps

Both the NTFS timestamps for a Prefetch file and the timestamp embedded in each Prefetch file contain valuable information. The creation date of the file indicates the first time the application was executed. Both the modification date of the file and the embedded timestamp indicate the last time the application was executed. The
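
The following added example (not ForensicsWiki's own code) reads the executable name, run count and embedded last-run timestamp from a Prefetch header and compares that timestamp with the file's modification time. The header offsets for format versions 17 (Windows XP/2003) and 23 (Windows Vista/7) are not stated in this article; the helper names, the one-minute tolerance and the constructed sample are assumptions made for the illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# (last-run FILETIME offset, run-count offset) per format version.
# 17 = Windows XP/2003, 23 = Windows Vista/7. Not taken from the article.
OFFSETS = {17: (0x78, 0x90), 23: (0x80, 0x98)}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_prefetch_header(data):
    """Return version, executable name, run count and embedded last-run time."""
    if len(data) < 0x9C or data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature or header too short")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in OFFSETS:
        raise ValueError(f"unsupported Prefetch version {version}")
    time_off, count_off = OFFSETS[version]
    # Executable name: 60 bytes of UTF-16LE at 0x10, NUL-terminated.
    name = data[0x10:0x4C].decode("utf-16-le", errors="replace").split("\x00")[0]
    (last_run,) = struct.unpack_from("<Q", data, time_off)
    (run_count,) = struct.unpack_from("<I", data, count_off)
    return {"version": version, "name": name, "run_count": run_count,
            "last_run": filetime_to_datetime(last_run)}

def last_run_matches_mtime(header, mtime, tolerance=timedelta(minutes=1)):
    """True when the embedded time and the file's modification time agree."""
    return abs(header["last_run"] - mtime) <= tolerance

def build_sample(name, last_run, run_count, version=17):
    """Constructed header-only sample for testing (not a real Prefetch file)."""
    buf = bytearray(0x9C)
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    buf[0x10:0x10 + 2 * len(name)] = name.encode("utf-16-le")
    time_off, count_off = OFFSETS[version]
    ft = (last_run - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    struct.pack_into("<Q", buf, time_off, ft)
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)

if __name__ == "__main__":
    when = datetime(2007, 5, 22, 11, 33, tzinfo=timezone.utc)
    print(parse_prefetch_header(build_sample("NOTEPAD.EXE", when, 7)))
```

For a file on disk, pass `datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc)` as `mtime`, working from a forensic copy that preserves the original timestamps.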

Other Notes

There should never be more than 128 prefetch files [1].

See Also

External Links

  • Windows File Analyzer - Parses Prefetch files, thumbnail databases, shortcuts, index.dat files, and the recycle bin