Prefetch

From ForensicsWiki
Revision as of 10:33, 22 May 2007 by Jessek (Talk | contribs)


Windows Prefetch files, introduced in Windows XP, are designed to speed up the application startup process. Prefetch files contain the name of the executable, a list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run. Prefetch files are stored in the %SystemRoot%\Prefetch directory.

Timestamps

Both the NTFS timestamps for a Prefetch file and the timestamp embedded in each Prefetch file contain valuable information. The creation date of the file indicates the first time the application was executed. Both the modification date of the file and the embedded timestamp indicate the last time the application was executed. The

Other Notes

There should never be more than 128 prefetch files [1].
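
An added example (not part of the original article): a Python parser that reads the executable name, run count and embedded last-run timestamp described above, and measures how far that timestamp is from the file's NTFS modification time. The header offsets for format versions 17 (XP) and 23 (Vista/7) are assumptions taken from public format documentation rather than from this page, and the sample header is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed header offsets (public format documentation, not this page),
# keyed by format version -> (last-run FILETIME offset, run-count offset).
OFFSETS = {17: (0x78, 0x90), 23: (0x80, 0x98)}  # 17 = XP, 23 = Vista/7
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return EPOCH + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    """Return executable name, run count and embedded last-run time."""
    if len(data) < 8 or data[4:8] != b"SCCA":
        raise ValueError("not a Prefetch file (missing SCCA signature)")
    (version,) = struct.unpack_from("<I", data, 0)
    if version not in OFFSETS:
        raise ValueError(f"unsupported Prefetch version {version}")
    ts_off, count_off = OFFSETS[version]
    if len(data) < count_off + 4:
        raise ValueError("truncated Prefetch header")
    # Executable name: UTF-16LE, NUL-terminated, 60 bytes at offset 0x10.
    name = data[0x10:0x4C].decode("utf-16-le", "replace").split("\x00", 1)[0]
    (last_run,) = struct.unpack_from("<Q", data, ts_off)
    (run_count,) = struct.unpack_from("<I", data, count_off)
    return {"name": name, "run_count": run_count,
            "last_run": filetime_to_dt(last_run)}

def last_run_skew(record, ntfs_modified):
    """Seconds from the embedded last-run time to the NTFS modification time."""
    return (ntfs_modified - record["last_run"]).total_seconds()

def build_sample(version, name, last_run, run_count):
    """Constructed input: a minimal header only, not a real Prefetch file."""
    ts_off, count_off = OFFSETS[version]
    buf = bytearray(count_off + 4)
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    raw = name.encode("utf-16-le")
    buf[0x10:0x10 + len(raw)] = raw
    ticks = int((last_run - EPOCH).total_seconds()) * 10_000_000
    struct.pack_into("<Q", buf, ts_off, ticks)
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)

if __name__ == "__main__":
    ran = datetime(2007, 5, 22, 10, 33, 0, tzinfo=timezone.utc)
    rec = parse_prefetch(build_sample(17, "NOTEPAD.EXE", ran, 12))
    print(rec, last_run_skew(rec, ran + timedelta(seconds=4)))
```

On a real image, pass the file's bytes to `parse_prefetch` and the NTFS modification time (as a timezone-aware UTC `datetime`) to `last_run_skew`; a large skew means the two last-run indicators disagree and the file deserves a closer look.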

See Also

External Links

  • Windows File Analyzer - Parses Prefetch files, thumbnail databases, shortcuts, index.dat files, and the recycle bin