Windows SuperFetch Format

From ForensicsWiki
Revision as of 02:23, 18 April 2014


SuperFetch is a memory management scheme that enhances the least-recently-accessed approach with historical information and proactive memory management. [1]

Note that the following format specification is incomplete.

SuperFetch DB files

The Ag*.db files use the SuperFetch DB file format, e.g.:

AgAppLaunch.db
AgCx_SC*.db
AgGlFaultHistory.db
AgGlFgAppHistory.db
AgGlGlobalHistory.db
AgGlUAD_%SID%.db
AgGlUAD_P_%SID%.db
AgRobust.db

The SuperFetch DB files can be stored in uncompressed or compressed form, where different versions of Windows use different compression methods:

  • Compressed SuperFetch DB - MEMO file format; Windows Vista
  • Compressed SuperFetch DB - MEM0 file format; Windows 7
  • Compressed SuperFetch DB - MAM file format; Windows 8

Compressed SuperFetch DB - MEMO file format

The MEMO file consists of:

  • file header
  • compressed blocks

This format uses the LZNT1 compression method.

File header

The file header is 84 bytes of size; only the first 8 bytes are documented:

Offset  Size  Value                              Description
0       4     "MEMO" (0x4d, 0x45, 0x4d, 0x4f)    Signature
4       4                                        Uncompressed (total) data size

Compressed blocks

TODO

Compressed SuperFetch DB - MEM0 file format

The MEM0 file consists of:

  • file header
  • compressed blocks

This format uses the LZXPRESS Huffman compression method.

File header

The file header is 84 bytes of size; only the first 8 bytes are documented:

Offset  Size  Value                              Description
0       4     "MEM0" (0x4d, 0x45, 0x4d, 0x30)    Signature
4       4                                        Uncompressed (total) data size

Compressed blocks

The file header is followed by compressed blocks, each of which consists of:

Offset  Size  Value  Description
0       4            Compressed data size
4       ...          Compressed data

The uncompressed block size is 65536 (0x10000) bytes, or the remaining uncompressed data size for the last block.
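The container walk and the LZNT1 block decoding, as an added Python example that is not code from this page or from any SuperFetch tool. It assumes that the MEM0 block layout (32-bit compressed size followed by the compressed data, 0x10000 uncompressed bytes per block except the last) also applies to MEMO files, that the first block starts right after the 8 documented header bytes (the page gives the full header as 84 bytes, so header_size is a parameter you can adjust), and the standard LZNT1 chunk and token layout. No LZXPRESS Huffman decoder is included, so MEM0 files need one supplied through the decoders argument; the sample bytes are constructed for the demonstration, not taken from a real Ag*.db file.

```python
import struct
from typing import Callable, Dict, List, Optional

# Signatures as given on the page.
SIG_MEMO = b"MEMO"           # Windows Vista, LZNT1
SIG_MEM0 = b"MEM0"           # Windows 7, LZXPRESS Huffman (decoder not included here)
BLOCK_UNCOMPRESSED_SIZE = 0x10000
DOCUMENTED_HEADER_SIZE = 8   # signature + total size; the page gives 84 for the full header


def lznt1_decompress(data: bytes) -> bytes:
    """Decode an LZNT1 stream: 16-bit LE chunk headers (bit 15 = compressed,
    low 12 bits = payload size - 1, zero header = end of stream), each chunk
    yielding up to 4096 bytes; inside a compressed chunk a flag byte precedes
    every 8 tokens (bit clear = literal byte, bit set = 16-bit back-reference)."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        (header,) = struct.unpack_from("<H", data, pos)
        pos += 2
        if header == 0:
            break
        size = (header & 0x0FFF) + 1
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated LZNT1 chunk")
        pos += size
        if not header & 0x8000:
            out += chunk                    # stored chunk, copied verbatim
            continue
        chunk_base = len(out)               # output offset where this chunk begins
        i = 0
        while i < len(chunk):
            flags = chunk[i]
            i += 1
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not flags & (1 << bit):
                    out.append(chunk[i])
                    i += 1
                    continue
                if i + 2 > len(chunk):
                    raise ValueError("truncated LZNT1 token")
                (token,) = struct.unpack_from("<H", chunk, i)
                i += 2
                # The displacement field widens as the chunk's output grows:
                # 4 bits for the first 16 bytes, 5 bits up to 32, and so on.
                produced = len(out) - chunk_base
                length_mask, offset_shift, p = 0x0FFF, 12, produced - 1
                while p >= 0x10:
                    length_mask >>= 1
                    offset_shift -= 1
                    p >>= 1
                length = (token & length_mask) + 3
                offset = (token >> offset_shift) + 1
                if offset > produced:
                    raise ValueError("LZNT1 back-reference points before the chunk")
                for _ in range(length):     # byte-wise copy so overlapping runs work
                    out.append(out[-offset])
    return bytes(out)


def parse_compressed_db(blob: bytes,
                        decoders: Optional[Dict[bytes, Callable[[bytes], bytes]]] = None,
                        header_size: int = DOCUMENTED_HEADER_SIZE) -> List[bytes]:
    """Walk the block container and return the decompressed blocks in order.
    Every size is checked against the bytes actually present, and the sum of
    the blocks is checked against the total announced in the header."""
    decoders = decoders or {SIG_MEMO: lznt1_decompress}
    if len(blob) < header_size:
        raise ValueError("file shorter than the header")
    signature = blob[:4]
    if signature not in decoders:
        raise ValueError(f"no decoder for signature {signature!r}")
    (total,) = struct.unpack_from("<I", blob, 4)
    blocks, pos, produced = [], header_size, 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError(f"truncated block header at offset {pos:#x}")
        (csize,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        if csize == 0 or pos + csize > len(blob):
            raise ValueError(f"bad compressed block size {csize:#x} at offset {pos - 4:#x}")
        block = decoders[signature](blob[pos:pos + csize])
        pos += csize
        expected = min(BLOCK_UNCOMPRESSED_SIZE, total - produced)
        if len(block) != expected:
            raise ValueError(f"block decompressed to {len(block)} bytes, expected {expected}")
        blocks.append(block)
        produced += len(block)
    if produced != total:
        raise ValueError(f"header promises {total} bytes, blocks yielded {produced}")
    return blocks


# Constructed sample (not a real SuperFetch file): one LZNT1 stream of two chunks.
LZNT1_SAMPLE = bytes([
    0x06, 0xB0,                      # compressed chunk, 7-byte payload
    0x10, 0x41, 0x42, 0x43, 0x44,    # flags 0x10: four literals "ABCD", then a token
    0x09, 0x30,                      # token 0x3009: offset 4, length 12 -> three more "ABCD"
    0x03, 0x30,                      # stored chunk, 4-byte payload
    0x74, 0x61, 0x69, 0x6C,          # "tail"
])
SAMPLE_PLAIN = b"ABCD" * 4 + b"tail"


def build_sample_memo() -> bytes:
    """Wrap the sample stream in a MEMO container holding a single block."""
    header = SIG_MEMO + struct.pack("<I", len(SAMPLE_PLAIN))
    return header + struct.pack("<I", len(LZNT1_SAMPLE)) + LZNT1_SAMPLE


if __name__ == "__main__":
    for n, block in enumerate(parse_compressed_db(build_sample_memo())):
        print(f"block {n}: {len(block)} bytes: {block!r}")
```

Because the block sizes come from the file, a forensic parser should treat every one of them as untrusted: the checks above reject a block whose size runs past the end of the file, a block that inflates to anything other than 0x10000 bytes (or the remainder for the last block), and a file whose blocks do not add up to the total announced in the header.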

Compressed SuperFetch DB - MAM file format

The MAM file consists of:

  • file header
  • compressed blocks

This format uses the TODO compression method

File header

TODO

Offset  Size  Value                              Description
0       4     "MAM\x84" (0x4d, 0x41, 0x4d, 0x84)  Signature

Compressed blocks

TODO

Uncompressed SuperFetch DB format

TODO

TRX files

The Ag*.db.trx files use the TRX file format, e.g.:

AgCx_SC*.db.trx

Note that the following format specification is incomplete.

File header

The file header is variable in size and consists of:

Offset  Size  Value  Description
0       4     1      Unknown (Version?)
4       4            Unknown
8       4            File size
12      4            Maximum number of records (size of the record offsets array)
16      4            Number of records
20      ...          Record offsets array, where each record offset is a 32-bit integer. Unused record offsets are set to 0.

Record

TODO describe
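A parser for the TRX header above, added here as a Python example; it is not code from this page or from any SuperFetch tool. It assumes that the field at offset 0 is always 1 (the only value the page reports, so the parser rejects anything else), that the used entries of the record offsets array are exactly the non-zero ones, and that every used offset must fall inside the file and after the offsets array; build_sample_trx and SAMPLE_RECORDS are constructed for the demonstration and do not reflect the undocumented record layout.

```python
import struct
from dataclasses import dataclass
from typing import List

TRX_FIXED_HEADER_SIZE = 20   # five 32-bit fields precede the record offsets array


@dataclass
class TrxHeader:
    version: int                # offset 0, the page reports the value 1
    unknown: int                # offset 4
    file_size: int              # offset 8
    max_records: int            # offset 12, number of entries in the offsets array
    num_records: int            # offset 16
    record_offsets: List[int]   # the non-zero (used) entries, in array order


def parse_trx_header(blob: bytes) -> TrxHeader:
    """Parse the TRX header and cross-check it against the bytes in hand."""
    if len(blob) < TRX_FIXED_HEADER_SIZE:
        raise ValueError("shorter than the fixed TRX header")
    version, unknown, file_size, max_records, num_records = struct.unpack_from("<5I", blob, 0)
    if version != 1:
        raise ValueError(f"unexpected value {version} in the version field")
    if file_size != len(blob):
        raise ValueError(f"header says {file_size} bytes, file is {len(blob)}")
    array_end = TRX_FIXED_HEADER_SIZE + 4 * max_records
    if num_records > max_records or array_end > file_size:
        raise ValueError("record count or offsets array exceeds the file")
    offsets = struct.unpack_from(f"<{max_records}I", blob, TRX_FIXED_HEADER_SIZE)
    used = [o for o in offsets if o != 0]          # unused entries are zero
    if len(used) != num_records:
        raise ValueError(f"{len(used)} non-zero offsets but header counts {num_records}")
    for o in used:
        if not array_end <= o < file_size:
            raise ValueError(f"record offset {o:#x} lies outside the record area")
    return TrxHeader(version, unknown, file_size, max_records, num_records, used)


def build_sample_trx(records: List[bytes], max_records: int = 4) -> bytes:
    """Assemble a constructed .trx image: fixed header, offsets array, record bytes."""
    array_end = TRX_FIXED_HEADER_SIZE + 4 * max_records
    offsets, body = [], b""
    for rec in records:
        offsets.append(array_end + len(body))
        body += rec
    offsets += [0] * (max_records - len(records))   # unused slots stay zero
    header = struct.pack("<5I", 1, 0, array_end + len(body), max_records, len(records))
    return header + struct.pack(f"<{max_records}I", *offsets) + body


SAMPLE_RECORDS = [b"record-0\x00", b"record-1\x00"]   # constructed placeholder records


if __name__ == "__main__":
    print(parse_trx_header(build_sample_trx(SAMPLE_RECORDS)))
```

The file size and the two record counts all come from the file itself, so the parser checks them against each other and against the real length before trusting any offset; a header that claims more records than it has non-zero offsets, or an offset pointing into the header or past the end, is rejected rather than followed.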

See Also

External Links

  • Inside the Windows Vista Kernel: Part 2, by Mark Russinovich, March 2007: http://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx
  • Windows SuperFetch file format – partial specification, by ReWolf, October 5, 2011: http://blog.rewolf.pl/blog/?p=214