The Forensic Value of Prefetch Files in Ransomware Investigations

Written by James Disley | Sep 16, 2025 10:57:54 AM
Ransomware continues to be one of the most disruptive threats facing modern organisations. Attacks can encrypt critical files, interrupt operations, and lead to financial loss, reputational damage, and legal exposure. Whether carried out by criminal groups or more targeted threat actors, these incidents demand a fast and accurate response. 
 
Understanding what happened, how attackers got in, what they did, and what data was affected is essential to both recovery and long-term resilience. While many investigations focus on logs, antivirus alerts, or endpoint telemetry, there is a lesser known but highly valuable source of evidence built into many Windows systems: prefetch files. These small files can provide crucial insights that are often missed, particularly when attackers attempt to erase their tracks or hide malicious executables.
 

What Are Prefetch Files and Why Do They Matter?

Prefetching is a process in which the Windows operating system loads key pieces of data and code from disk into memory before a program is needed. The cache manager monitors files and directories accessed during application startup and stores this metadata in .pf files within the C:\Windows\Prefetch directory. These files improve system performance by helping the OS launch frequently used programs more quickly.

Each prefetch file is named using the executable’s filename, followed by a hash of the path from which it was executed. For some system executables, such as svchost.exe or rundll32.exe, the command-line arguments are included in the hash as well. Prefetch files contain the executable name, the number of times it has been run, the timestamp of the last execution, and a list of files and libraries loaded during the first 10 seconds of execution. Because the prefetch file is written roughly 10 seconds after execution begins, the analyst must take this offset into account when deriving the exact execution time from the file.

Key technical details include:

  1. Windows 7 and earlier store up to 128 prefetch files. 

  2. Windows 8 and later store up to 1,024 prefetch files.

  3. Files are compressed from Windows 10 onwards.

  4. Each file can hold up to eight embedded execution timestamps.

  5. File system creation/modification times can offer additional timing data. 

Prefetch files persist even when the executable itself has been deleted and can provide up to nine run times per file when combining internal and filesystem metadata.
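As an added example (not code from the original article), the following Python parser reads the on-disk layout described above from an uncompressed prefetch file of format version 23 (Vista/7) or 26 (8/8.1), using the field offsets documented by the libscca project, and rejects the compressed Windows 10 and later form rather than misreading it. The sample .pf bytes it builds, including the executable name, the hash value, the user name JDOE, the volume serial and the run timestamps, are all constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a 64-bit FILETIME value to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; integer maths avoids float rounding at 1e17 ticks."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch(data):
    """Parse header, file information, loaded-file strings and volumes of an uncompressed .pf.

    Layouts for versions 23 and 26 follow the libscca documentation. Windows 10+ stores the
    same structure LZXPRESS-Huffman compressed behind a 'MAM' magic; that step is out of
    scope here, so such files are rejected instead of being misread.
    """
    if data[:3] == b"MAM":
        raise ValueError("compressed (MAM) prefetch file: decompress before parsing")
    if data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in (23, 26):
        raise ValueError(f"unsupported prefetch format version {version}")

    # 0x10: executable name (60 bytes UTF-16LE); 0x4C: the path hash that ends the filename.
    exe_name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]

    # File-information section starts at 0x54; offsets below are relative to it.
    fi = 0x54
    strings_off, strings_size, vol_off, vol_count = struct.unpack_from("<4I", data, fi + 16)
    if version == 23:
        raw_times = struct.unpack_from("<Q", data, fi + 44)   # one last-run time
        run_count = struct.unpack_from("<I", data, fi + 68)[0]
    else:
        raw_times = struct.unpack_from("<8Q", data, fi + 44)  # eight most recent runs
        run_count = struct.unpack_from("<I", data, fi + 124)[0]
    last_runs = [filetime_to_datetime(t) for t in raw_times if t]  # zero = unused slot

    # Loaded files: NUL-terminated UTF-16LE device paths of everything touched at start-up.
    raw_strings = data[strings_off:strings_off + strings_size].decode("utf-16-le")
    loaded_files = [s for s in raw_strings.split("\x00") if s]

    # Volume entries are 104 bytes each; the device-path offset is relative to vol_off.
    volumes = []
    for i in range(vol_count):
        entry = vol_off + i * 104
        path_off, path_len, created, serial = struct.unpack_from("<IIQI", data, entry)
        start = vol_off + path_off
        volumes.append({"device_path": data[start:start + path_len * 2].decode("utf-16-le"),
                        "created": filetime_to_datetime(created), "serial": f"{serial:08X}"})

    return {"version": version, "executable": exe_name, "hash": f"{pf_hash:08X}",
            "run_count": run_count, "last_runs": last_runs,
            "loaded_files": loaded_files, "volumes": volumes}


def executable_path(record):
    """Device path the executable itself ran from, recovered from the loaded-file list."""
    suffix = "\\" + record["executable"]
    return next((f for f in record["loaded_files"] if f.endswith(suffix)), None)


def build_sample_pf():
    """Build a synthetic version-26 prefetch file; every value here is constructed test data."""
    exe, volume = "RCLONE.EXE", "\\DEVICE\\HARDDISKVOLUME3"
    files = [volume + "\\USERS\\JDOE\\DOWNLOADS\\" + exe,   # launched from a Downloads folder
             volume + "\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
             volume + "\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
             volume + "\\WINDOWS\\SYSTEM32\\WS2_32.DLL"]
    runs = [datetime(2025, 9, 1, 8, 15, tzinfo=timezone.utc),      # newest first, as on disk
            datetime(2025, 9, 1, 8, 12, 30, tzinfo=timezone.utc)]
    strings = "".join(f + "\x00" for f in files).encode("utf-16-le")
    strings_off = 0x54 + 224                      # header + version-26 file information
    vol_off = strings_off + len(strings)
    vol_created = datetime_to_filetime(datetime(2024, 3, 2, tzinfo=timezone.utc))
    vol_entry = struct.pack("<IIQI", 104, len(volume), vol_created, 0x1C2B3A4F).ljust(104, b"\x00")
    vol_section = vol_entry + (volume + "\x00").encode("utf-16-le")
    times = [datetime_to_filetime(t) for t in runs] + [0] * (8 - len(runs))
    file_info = struct.pack("<9I8x8Q16xI4x4x88x",
                            strings_off, 0, strings_off, 0,        # empty metrics/trace arrays
                            strings_off, len(strings), vol_off, 1, len(vol_section),
                            *times, len(runs))
    size = strings_off + len(strings) + len(vol_section)
    header = (struct.pack("<I4sII", 26, b"SCCA", 0x11, size)
              + exe.encode("utf-16-le").ljust(60, b"\x00")
              + struct.pack("<II", 0x3A9F1C2E, 0))                  # constructed hash, unknown
    return header + file_info + strings + vol_section
```

Calling `parse_prefetch(build_sample_pf())` returns the executable name, the hash, the run count, the two embedded run times and the volume the binary came from, and `executable_path` picks the binary's own path out of the loaded-file list, which is how the "ran from a Downloads folder" or "ran from a shared drive" observations above are made. Real Windows 10 and 11 files carry the MAM signature and must go through the LZXPRESS Huffman decompression step first, which tools such as PECmd or libscca perform.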

How Prefetch Files Support Ransomware Investigations

Prefetch files serve as silent witnesses to malware execution. They help confirm the presence of ransomware, reconstruct the sequence of events, identify supporting tools, and understand how the attack unfolded. 

Prefetch analysis allows responders to:

  1. Confirm execution of ransomware binaries that may no longer be present.

  2. Reconstruct a timeline of known executions using embedded and file-level timestamps.

  3. Detect the use of secondary tools like 7-Zip, Rclone, or PsExec.

  4. Identify execution paths including USB drives, shared folders, or external volumes.

  5. Determine if a tool was run repeatedly or from multiple directories.

Real-World Examples 

LockBit

In a ransomware attack targeting a healthcare provider, attackers deleted key malware files. Prefetch entries showed that LockBit had been executed and revealed the use of 7-Zip and Rclone shortly after. This helped confirm both data encryption and exfiltration activity, even in the absence of logs or binaries.

Conti

During a manufacturing sector breach, investigators identified prefetch entries for tools such as netscan.exe and PsExec.exe, used for lateral movement. This provided strong evidence that attackers had traversed the network before launching Conti ransomware.

REvil (Sodinokibi)

In a large-scale incident involving REvil, prefetch files confirmed the execution of ransomware from a shared network drive. Volume information linked the attack to an external source, which helped isolate the entry vector and limit spread.

Cracked Software Vector

In a separate case, a developer installed a pirated tool on a corporate laptop. Prefetch entries confirmed the application had run and showed suspicious system activity. This helped trace the source of malware and supported internal policy changes.

When Prefetch Is Not Available

While prefetch files are invaluable on many Windows desktop systems, they are not always available. On Windows Server editions, prefetching is typically disabled by default to optimise performance. In addition, sophisticated attackers may deliberately clear or disable prefetching as an anti-forensic measure. On active systems, normal usage may also cause older prefetch files to be overwritten. In these situations, investigators must rely on alternative sources of evidence to understand what programs were executed, when they were run, and by whom.

Windows Server

Windows Server environments often lack prefetch data. However, several other artefacts can support execution analysis and help reconstruct attacker activity:

  1. Event Logs: The Security event log, particularly Event ID 4688 (new process creation), records when executables run and under which user account, provided process-creation auditing is enabled.

  2. ShimCache (AppCompatCache): Captures metadata about previously executed binaries, including paths and timestamps, though it does not show precise execution times.

  3. Amcache.hve: Contains execution-related details such as program names, file paths, hashes, and sometimes installation metadata.

  4. Scheduled Tasks: Malware deployed through Task Scheduler may leave records, including task names, creation times, and command-line instructions.

  5. Windows Registry: Keys under HKLM\Software\Microsoft\Windows\CurrentVersion\Run and similar locations can reveal auto-start programs or recently accessed executables. 

When combined, these artefacts often allow analysts to piece together a reliable execution timeline, even in the absence of prefetch files.

macOS

macOS does not use a prefetching system. However, it offers alternative artefacts that can support investigations into program execution and user activity:

  1. Unified Logs: These logs record application launches, user sessions, and system activity, including time and process ID.

  2. Quarantine Database: When a user opens a downloaded file, macOS logs metadata including the source, timestamp, and whether it was flagged by Gatekeeper.

  3. Launch Services and TCC: Application history and access permissions may show what was executed and what files or resources were accessed.

  4. FSEvents and Spotlight Metadata: File system monitoring and indexing tools can show file access and modification patterns that align with program use.

Together, these artefacts provide insight into system behaviour, particularly when correlated with timestamps and user activity.

Linux

Linux systems do not use prefetching but offer several valuable sources for reconstructing execution history:

  1. Shell History Files: Files like .bash_history and .zsh_history log user-entered commands, though they can be cleared or modified.

  2. Auditd Logs: When enabled, these logs track process creation, file access, user actions, and privilege escalation in granular detail.

  3. System Logs: Logs such as /var/log/syslog, /var/log/auth.log, or output from journalctl can show system events, logins, and service starts.

  4. Cron Jobs and Systemd Timers: Scheduled tasks often leave configuration files and logs, revealing persistence mechanisms or automated scripts.

  5. Process Accounting and BPF Tools: Utilities like acct, psacct, or eBPF-based tools can provide detailed logs of command usage and resource access.

Even in minimal or hardened environments, Linux systems typically retain some record of what occurred, particularly when attackers rely on standard system tools.

Cross-Platform Tools

In many modern networks, endpoint detection and response (EDR) platforms play a key role in tracking activity across all major operating systems. EDR tools can:

  1. Monitor and log process creation and parent-child relationships

  2. Capture command-line arguments and binary metadata

  3. Record network access, file creation, and data movement

  4. Maintain historical records even when local logs are cleared

When prefetch files are missing or tampered with, EDR telemetry often provides a reliable fallback. In combination with disk and memory analysis, it helps reconstruct the full scope of attacker activity across the estate.

Limitations and Considerations

Despite their value, prefetch files come with caveats: 

  1. On busy systems, older entries can be quickly overwritten.

  2. Running investigation tools on live systems may generate new prefetch entries, pushing out older ones.

  3. Sophisticated attackers may delete prefetch files or disable prefetching altogether via registry changes.

Note that a .pf file may be created even if the program failed to run properly. Investigators should always validate prefetch data against other artefacts. 

To check or configure prefetch settings: 

Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters 

Value: EnablePrefetcher 

0 = Disabled 

1 = Application launch only 

2 = Boot prefetching only 

3 = Both enabled

Investigation Workflow

Prefetch analysis typically occurs shortly after containment and image acquisition in a ransomware investigation. It forms part of the host-level forensic review and can serve as one of the earliest and most reliable indicators of execution. 

The general process:

1. Identify compromised hosts based on alerts or behavioural patterns. 

2. Acquire relevant artefacts, including the Prefetch directory. 

3. Parse .pf files for execution details, timestamps, and accessed resources. 

4. Correlate with event logs, registry entries, and EDR data to validate actions. 

5. Use findings to determine malware behaviour, origin, and impact.

Detection Use Cases

Beyond forensics, prefetch files can support detection in proactive threat-hunting scenarios:

  1. Anomalous Executables – Tools like cmd.exe or powershell.exe launched from unusual paths.

  2. Unexpected Activity Spikes – Sudden increases in execution count may suggest automated malware.

  3. Tool Patterns – Common ransomware toolchains (e.g., 7-Zip → PsExec → Rclone) appear in sequence.

  4. Unusual Paths – Execution from temp folders or user download directories may indicate compromise. 

Periodic analysis of prefetch data, especially in environments lacking full EDR visibility, can provide an effective early-warning mechanism.
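The four hunting patterns above, as an added Python example rather than code from the article: each rule takes parsed prefetch records and returns findings, and `triage` runs them all over one host. The sample records, the directory lists, the toolchain stage names, the baseline run counts and the thresholds are constructed for illustration and would be tuned to the estate.

```python
from datetime import datetime, timedelta, timezone


def utc(y, mo, d, h, mi):
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


# Directories that legitimate software rarely launches from (constructed list; tune per estate).
SUSPICIOUS_DIRS = ("\\TEMP\\", "\\DOWNLOADS\\", "\\PUBLIC\\", "\\PERFLOGS\\", "\\$RECYCLE.BIN\\")
# Built-in binaries whose only legitimate homes are the Windows system directories.
SYSTEM_BINARIES = {"CMD.EXE", "POWERSHELL.EXE", "RUNDLL32.EXE", "REGSVR32.EXE", "WSCRIPT.EXE", "MSHTA.EXE"}
SYSTEM_DIRS = ("\\WINDOWS\\SYSTEM32\\", "\\WINDOWS\\SYSWOW64\\")
# Stages of the chain the article names: archive, then remote execution, then exfiltration tool.
TOOLCHAIN = (("7Z.EXE", "7ZA.EXE", "7ZG.EXE"), ("PSEXEC.EXE", "PSEXESVC.EXE"), ("RCLONE.EXE",))

# Constructed prefetch records in the shape a parser would return (device paths, UTC times).
VOL = "\\DEVICE\\HARDDISKVOLUME3"
SAMPLE_RECORDS = [
    {"executable": "CMD.EXE", "path": VOL + "\\WINDOWS\\SYSTEM32\\CMD.EXE",
     "run_count": 41, "last_runs": [utc(2025, 9, 1, 9, 0)]},
    {"executable": "POWERSHELL.EXE", "path": VOL + "\\USERS\\PUBLIC\\POWERSHELL.EXE",
     "run_count": 3, "last_runs": [utc(2025, 9, 1, 2, 5)]},
    {"executable": "7Z.EXE", "path": VOL + "\\PROGRAM FILES\\7-ZIP\\7Z.EXE",
     "run_count": 2, "last_runs": [utc(2025, 9, 1, 2, 10)]},
    {"executable": "PSEXEC.EXE", "path": VOL + "\\USERS\\JDOE\\APPDATA\\LOCAL\\TEMP\\PSEXEC.EXE",
     "run_count": 6, "last_runs": [utc(2025, 9, 1, 2, 25), utc(2025, 9, 1, 2, 24)]},
    {"executable": "RCLONE.EXE", "path": VOL + "\\USERS\\JDOE\\DOWNLOADS\\RCLONE.EXE",
     "run_count": 1, "last_runs": [utc(2025, 9, 1, 2, 40)]},
    {"executable": "WSCRIPT.EXE", "path": VOL + "\\WINDOWS\\SYSTEM32\\WSCRIPT.EXE",
     "run_count": 850, "last_runs": [utc(2025, 9, 1, 8, 59)]},
    {"executable": "NOTEPAD.EXE", "path": VOL + "\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE",
     "run_count": 12, "last_runs": [utc(2025, 9, 1, 9, 3)]},
]
# Typical cumulative run counts from a gold image or an earlier snapshot (constructed).
BASELINE_RUN_COUNTS = {"CMD.EXE": 40, "WSCRIPT.EXE": 12, "NOTEPAD.EXE": 10}


def finding(rule, executable, detail):
    return {"rule": rule, "executable": executable, "detail": detail}


def anomalous_executables(records):
    """Rule 1: built-in tools running from anywhere other than the system directories."""
    return [finding("anomalous_executable", r["executable"], r["path"]) for r in records
            if r["executable"] in SYSTEM_BINARIES and not any(d in r["path"] for d in SYSTEM_DIRS)]


def count_spikes(records, baseline, factor=5):
    """Rule 2: run counts far above baseline. Counts are cumulative, so a baseline is essential."""
    return [finding("count_spike", r["executable"],
                    f"{r['run_count']} runs, baseline {baseline[r['executable']]}")
            for r in records
            if r["executable"] in baseline and r["run_count"] > factor * baseline[r["executable"]]]


def toolchain_sequences(records, window=timedelta(hours=6)):
    """Rule 3: every stage of the toolchain ran, in order, within the window."""
    chain, after = [], None
    for names in TOOLCHAIN:
        runs = sorted((t, r["executable"]) for r in records
                      if r["executable"] in names for t in r["last_runs"])
        # Earliest run of this stage that follows the previous stage's chosen run.
        step = next(((t, n) for t, n in runs if after is None or t >= after), None)
        if step is None:
            return []
        chain.append(step)
        after = step[0]
    if chain[-1][0] - chain[0][0] > window:
        return []
    return [finding("toolchain", " -> ".join(n for _, n in chain),
                    f"{chain[0][0].isoformat()} to {chain[-1][0].isoformat()}")]


def unusual_paths(records):
    """Rule 4: anything executed from temp, download or other drop-friendly directories."""
    return [finding("unusual_path", r["executable"], r["path"]) for r in records
            if any(d in r["path"] for d in SUSPICIOUS_DIRS)]


def triage(records, baseline=BASELINE_RUN_COUNTS):
    """Run every rule over one host's parsed prefetch records and return the findings."""
    return (anomalous_executables(records) + count_spikes(records, baseline)
            + toolchain_sequences(records) + unusual_paths(records))
```

On the constructed host the rules flag PowerShell running from the Public folder, a WScript run count far above its baseline, the 7-Zip, PsExec and Rclone sequence completed inside thirty minutes, and three binaries launched from temp or download directories, while cmd.exe and Notepad in System32 produce nothing. Because prefetch run counts only ever grow, the spike rule is meaningful only against a baseline or a previous collection of the same host.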

To Sum Up

Prefetch files are a practical and often underused source of forensic intelligence. They help confirm ransomware activity, trace execution paths, identify supporting tools, and establish timelines, even when other evidence has been deleted or disabled. 

While not always available, understanding how and when to use prefetch data, and where to look when it is absent, can significantly improve response efforts. Prefetch analysis should be a core skill in any forensic investigator’s toolkit, particularly in the growing fight against ransomware.