How to Analyze Windows Prefetch Files for Digital Forensics

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Incident responders frequently encounter the same scenario: an attacker ran Mimikatz, PsExec, and a custom C2 implant on a compromised machine, then deleted them before leaving. The disk shows no trace of the files. But C:\Windows\Prefetch contains .pf files for all three: including the exact paths where they ran and the timestamps of every execution.
Windows writes Prefetch files for performance optimization, not for forensics. But the side effect is a complete execution history that survives file deletion and often survives even anti-forensics attempts, since most malware authors do not specifically clean Prefetch artifacts.
Prefetch File Structure and What It Records
Each Prefetch file is named: EXECUTABLENAME-XXXXXXXX.pf where XXXXXXXX is an 8-character hash of the execution path. The same binary run from two different paths creates two separate Prefetch entries.
Information in a Prefetch file:
- Executable name (up to 29 characters)
- Full path of the executable at execution time (not just the binary, but the exact path)
- Number of times executed (run count)
- Last 8 execution timestamps (Windows 8+; Windows XP/7 stores only the last run)
- List of DLLs and files loaded during the first 10 seconds of execution
- Volume information (drive serial number and label)
Security-relevant Prefetch entries:
MIMIKATZ.EXE-XXXXXXXX.pf → Credential dumping tool
PSEXEC.EXE-XXXXXXXX.pf → Remote execution tool
COBALTSTRIKE.EXE-XXXXXXXX.pf → C2 implant
POWERSHELL.EXE-XXXXXXXX.pf → Script execution (check loaded files for the script path)
WMIC.EXE-XXXXXXXX.pf → WMI abuse
REGSVR32.EXE-XXXXXXXX.pf → Squiblydoo bypass
RUNDLL32.EXE-XXXXXXXX.pf → LOLBin execution
CMD.EXE-XXXXXXXX.pf → Command shell activity
Note on path hashes: The 8-character hash is computed from the full path, so POWERSHELL.EXE-XXXXXXXX.pf from C:\Windows\System32 has a different hash than a renamed/moved PowerShell copy, giving forensic evidence of execution from unusual paths.
Collecting Prefetch Files from Live Systems
Option 1: Direct copy (requires SYSTEM privileges):
# Run as SYSTEM or with Invoke-Command on the target
# Verify Prefetch is enabled first
$prefetchEnabled = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" -Name "EnablePrefetcher").EnablePrefetcher
# 0 = disabled, 1 = app prefetch, 2 = boot prefetch, 3 = both
if ($prefetchEnabled -eq 0) { Write-Warning "Prefetch is disabled on this system" }
# Copy all Prefetch files
robocopy C:\Windows\Prefetch C:\Temp\Evidence\Prefetch *.pf /COPYALL /LOG:C:\Temp\prefetch-copy.log
Option 2: VSS shadow copy (access older data):
# List shadow copies
vssadmin list shadows
# Access via shadow copy path (example):
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX\Windows\Prefetch
# Create a symlink to access it
cmd /c mklink /d C:\Shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
copy C:\Shadow\Windows\Prefetch\*.pf C:\Temp\Evidence\Prefetch\
Option 3: From a forensic disk image (offline):
# Mount the image
fls -r disk.dd | grep -i prefetch # Find the Prefetch directory
# Extract all .pf files
icat disk.dd <inode_number> > output.pf
# Or use Autopsy/FTK to extract the C:\Windows\Prefetch directory
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Parsing Prefetch with PECmd
Eric Zimmerman's PECmd is the standard tool for parsing Windows Prefetch files.
Installation:
# Download from https://ericzimmerman.github.io/ (Eric Zimmerman's Tools)
# Or via Chocolatey:
choco install ericzimmermantools
# PECmd.exe will be in C:\tools\EZTools\
Basic analysis:
# Parse all Prefetch files and output to CSV (most useful for SIEM/timeline)
PECmd.exe -d C:\Temp\Evidence\Prefetch --csv C:\Temp\Evidence --csvf prefetch.csv
# Parse a single file with full details
PECmd.exe -f C:\Temp\Evidence\Prefetch\MIMIKATZ.EXE-XXXXXXXX.pf
# Output:
# Source file: MIMIKATZ.EXE-XXXXXXXX.pf
# Executable: MIMIKATZ.EXE
# Run count: 7
# Last run: 2026-05-14 03:17:22 UTC
# Previous run times:
# 2026-05-14 02:58:11 UTC
# 2026-05-13 22:31:05 UTC
# ...
# Volume information: Volume0
# Volume name: Windows
# Serial number: AB123456
# Created: ...
# Directories referenced:
# \VOLUME{...}\USERS\TEMP\TOOLS ← Path where Mimikatz ran
# \VOLUME{...}\WINDOWS\SYSTEM32
# Files loaded:
# \VOLUME{...}\USERS\TEMP\TOOLS\MIMIKATZ.EXE ← Exact execution path
Building an execution timeline:
# Parse all to CSV and import into timeline tool
PECmd.exe -d C:\Temp\Evidence\Prefetch --csv C:\Temp\Evidence --csvf prefetch.csv
# The CSV includes columns:
# SourceFilename, SourceCreated, SourceModified, ExecutableName, Size, Hash,
# RunCount, LastRun, PreviousRun0..PreviousRun6, Volume0Name, Volume0Serial, ...
# Import into Excel or timeline tool to correlate with:
# - Windows Event Logs (4624, 4688)
# - NTFS $MFT timestamps
# - Browser history
# - Network connection logs
# Quick PowerShell analysis of the CSV:
Import-Csv C:\Temp\Evidence\prefetch_Timeline.csv |
Where-Object { $_.ExecutableName -match 'MIMIKATZ|PSEXEC|COBALTSTRIKE|WMIEXEC' } |
Select-Object ExecutableName, LastRun, RunCount |
Sort-Object LastRun
Interpreting Prefetch Evidence in IR Context
Evidence that a tool ran even after deletion:
Finding: MIMIKATZ.EXE-AB12CD34.pf exists
Directory referenced: \VOLUME{...}\USERS\PUBLIC\DOWNLOADS\TOOLS\
Last run: 2026-05-14 03:17:22
Run count: 7
Forensic significance:
1. Mimikatz ran 7 times between the dates shown in PreviousRun0-6
2. It ran from C:\Users\Public\Downloads\tools\ (suspicious location)
3. Even if the binary was deleted, this .pf file proves execution
4. Correlate the 03:17:22 UTC timestamp with network logs to find
which connections were made immediately after
Execution from unusual paths (renamed tools):
Finding: SVCHOST.EXE-FF44DD22.pf from path C:\Temp\
Vs normal: SVCHOST.EXE-XXXXXXXX.pf from C:\Windows\System32\
The path hash differs: this is a renamed tool masquerading as svchost.exe
Check the loaded files list in the .pf file for the actual libraries loaded
Compare DLLs loaded by the suspicious svchost vs the legitimate system svchost
PowerShell script execution:
Finding: POWERSHELL.EXE Prefetch file
Files loaded include: \VOLUME{...}\TEMP\STAGER.PS1
The script name appears in the Prefetch files/directories list even if deleted
Recover the script content from $MFT unallocated space or VSS copies
Anti-forensics awareness:
- Tool Sdelete does not clear Prefetch (it shreds the binary, not the .pf file)
- Timestomping the binary does not affect the Prefetch timestamps (stored independently)
- Disabling Prefetch requires a registry change + reboot: if Prefetch was disabled after compromise, the registry change is itself an IoC
- Clearing the Prefetch directory (
del C:\Windows\Prefetch\*) leaves an event in the NTFS $LogFile and changes the directory's last-modified time
The bottom line
Windows Prefetch files in C:\Windows\Prefetch record every program execution: the executable name, full path, up to 8 run timestamps, and the total run count. They survive file deletion and persist until the 128-entry limit is hit. Parse with Eric Zimmerman's PECmd to output CSV for timeline analysis. Key forensic value: proving that attacker tools like Mimikatz, PsExec, and custom C2 implants ran: including their exact execution paths, timestamps, and run frequency: even after the binaries were deleted from disk.
Frequently asked questions
What information does a Windows Prefetch file contain?
A Windows Prefetch (.pf) file contains: the executable name and full path at execution time, the total number of times the program ran, up to 8 timestamps of recent executions (Windows 8+), a list of DLLs and files accessed during the first 10 seconds of execution, and the volume serial number of the drive it ran from. This information persists even after the original binary is deleted, making Prefetch files critical execution evidence for incident response.
How do you parse Windows Prefetch files for forensics?
Use Eric Zimmerman's PECmd tool (free, from ericzimmerman.github.io). Run PECmd.exe -d C:\Windows\Prefetch --csv output\ to parse all .pf files and export to CSV for timeline analysis. The CSV includes the executable name, all run timestamps, run count, and referenced file paths. Correlate Prefetch timestamps with Windows Event Logs (Event 4688 for process creation) and network logs to reconstruct the attack timeline.
What is a Windows Prefetch file and what forensic value does it have?
Windows Prefetch files (.pf files in C:\Windows\Prefetch) are created by the SuperFetch service to speed up application loading. They record: the name of the executable, the last 8 execution timestamps, the total run count, and paths of all files and DLLs loaded during execution. Forensically, Prefetch files prove execution: even if malware was deleted from disk, its Prefetch file persists and shows when it ran. They also reveal file paths the malware accessed (showing staging directories, exfiltration targets, or persistence mechanisms). Prefetch is enabled by default on workstations and disabled by default on Windows Server.
What forensic artifacts does Windows create when a program executes?
Windows creates multiple execution artifacts: Prefetch files (last 8 run timestamps and loaded file paths), Shimcache (AppCompatCache in the registry — records applications executed, survives reboots), Amcache.hve (registry hive recording file path, size, hash, and first execution timestamp of all run executables), UserAssist registry keys (records GUI applications run by each user with execution count and timestamp), BAM/DAM (Background/Desktop Activity Moderator — records executables run by each user in the last ~7 days), and Event ID 4688 (process creation with command line if auditing is enabled). These artifacts are complementary: using multiple sources provides cross-validation during forensic investigation.
Can attackers delete Windows Prefetch files to cover their tracks?
Yes. Attackers can delete Prefetch files with 'del C:\Windows\Prefetch\EVIL.EXE-XXXXXXXX.pf' or by clearing the entire Prefetch directory. However, deletion itself is an indicator: an otherwise clean system with a recently emptied Prefetch directory (particularly via automated scripts) is suspicious. Sysmon can log file deletion events (Event ID 23) if configured to monitor the Prefetch directory. Additionally, other execution artifacts (Shimcache, Amcache, BAM) are harder to clean comprehensively because they are stored in registry hives and require registry editing or hive deletion rather than simple file removal. A thorough attacker cleaning all artifacts is unusual: most malware either does not clean up or only cleans obvious items.
How do I correlate Prefetch timestamps with other Windows forensic artifacts to build a reliable attack timeline?
Prefetch timestamps are most valuable when combined with at least two other artifact sources because clock skew, volume shadow copy age differences, and NTFS timestamp manipulation can each introduce inaccuracies in a single-source timeline. Use PECmd to export Prefetch data to CSV, then import into a timeline tool such as Plaso (log2timeline) or a spreadsheet. Layer in Event ID 4688 process creation timestamps from the Security event log (if process auditing was enabled), Shimcache entries from SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache (parsed with AppCompatCacheParser from Eric Zimmerman's tools), and Amcache.hve first-execution timestamps (parsed with AmcacheParser). Where Prefetch records that a binary ran multiple times, check whether the corresponding 4688 events exist -- if 4688 events are missing for runs that Prefetch recorded, audit logging may have been disabled or the log was cleared, which is itself an indicator. Finally, correlate execution timestamps with outbound network connections from Zeek or firewall logs: malware execution followed within 30-120 seconds by a new outbound connection to an uncategorized or newly registered domain is one of the highest-confidence lateral movement and C2 establishment patterns in incident response.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
