
Prefetch XML

Revision as of 17:20, 5 July 2011 by Lg (Talk | contribs)


A Prefetch file is used by Windows NT to improve the startup process of an application. Each prefetch file records information about one application that has been run.

XML Example

<?xml version='1.0' encoding='ISO-8859-1'?>
<!-- Sample XML rendering of a single Windows Prefetch (.pf) file.
     No schema is shown on this page, so the element meanings noted below
     are hedged wherever the sample itself does not establish them. -->
<prefetch>
   <!-- Header: identifies the executable and its execution count. -->
   <header>
     <os>Windows 7</os>
     <!-- 240 = 0xF0. NOTE(review): appears to be the fixed header length of
          the Vista/7 prefetch layout; confirm against the format notes. -->
     <header_size>240</header_size>
     <!-- Executable name only; the full path appears among the <file> entries. -->
     <filename>ACRORD32INFO.EXE</filename>
     <!-- Run counter as recorded in the prefetch file. -->
     <runs>3</runs>
     <!-- NOTE(review): presumably the last run time. The value carries no
          timezone designator; confirm UTC vs. local before placing it on a
          timeline. -->
     <atime>2011-02-07T12:24:52</atime>
   </header>
   <!-- Volume the referenced files were loaded from. Path and serial number
        together let an examiner tie the execution to a specific volume. -->
   <volume>
     <path>/DEVICE/HARDDISKVOLUME1</path>
     <!-- Hexadecimal volume serial number. -->
     <serial_number>b46f6927</serial_number>
   </volume>
   <!-- NOTE(review): placed outside <volume>; presumably the volume creation
        time rather than the .pf file's own creation time. Confirm with the
        producing tool. No timezone designator here either. -->
   <creation>2010-08-18T06:13:10</creation>
   <!-- Files referenced by the prefetch file. Paths use forward slashes here
        but backslashes under <directories>; normalise separators before
        comparing the two lists. -->
   <filenames>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/NTDLL.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/KERNEL32.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/APISETSCHEMA.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/KERNELBASE.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/LOCALE.NLS</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/ADVAPI32.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/MSVCRT.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/SECHOST.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/RPCRT4.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/WINSXS/X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5/MSVCR80.DLL</file>
     <!-- Full path of the executable named in <header>/<filename>; shows
          where the binary was located when it ran. -->
     <file>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32INFO.EXE</file>
     <file>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/WININET.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/SHLWAPI.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/GDI32.DLL</file>
   </filenames>
   <!-- Directories recorded in the prefetch file. NOTE(review): in this
        sample none of them is a parent of a <file> entry above, so the
        listing may be abridged or assembled from more than one file; treat
        it as an illustration of the layout only. -->
   <directories>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MSN TOOLBAR</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MSN TOOLBAR\PLATFORM</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MSN TOOLBAR\PLATFORM\6.3.2348.0</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\COMPANION</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\COMPANION\EN</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\INSTALLER</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\SHARED</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT\SEARCH ENHANCEMENT PACK</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT\SEARCH ENHANCEMENT PACK\SEANOTE</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT\SEARCH ENHANCEMENT PACK\SEARCH BOX EXTENSION</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT\SEARCH ENHANCEMENT PACK\SEARCH HELPER</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\USERS</dir>
   </directories>
</prefetch>

See Also