128 entries
Maximum Prefetch files stored on Windows 10/11: oldest entries are deleted when the limit is reached; older Windows versions stored only 32 (XP/Vista) or 128 (Win 7+)
8 timestamps
Number of recent execution timestamps each Prefetch file stores: the last 8 times the program ran, enabling precise execution timeline reconstruction
C:\Windows\Prefetch
Default location for all .pf files: requires SYSTEM privilege to access; copied for offline analysis from live systems or disk images
Disabled on SSDs
Prefetch is disabled by default on some SSD-only systems (Windows may set EnablePrefetcher to 0 for SSDs): check the registry key before assuming no data

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Incident responders frequently encounter the same scenario: an attacker ran Mimikatz, PsExec, and a custom C2 implant on a compromised machine, then deleted them before leaving. The disk shows no trace of the files. But C:\Windows\Prefetch contains .pf files for all three: including the exact paths where they ran and the timestamps of every execution.

Windows writes Prefetch files for performance optimization, not for forensics. But the side effect is a complete execution history that survives file deletion and often survives even anti-forensics attempts, since most malware authors do not specifically clean Prefetch artifacts.

Prefetch File Structure and What It Records

Each Prefetch file is named: EXECUTABLENAME-XXXXXXXX.pf where XXXXXXXX is an 8-character hash of the execution path. The same binary run from two different paths creates two separate Prefetch entries.

Information in a Prefetch file:

  • Executable name (up to 29 characters)
  • Full path of the executable at execution time (not just the binary, but the exact path)
  • Number of times executed (run count)
  • Last 8 execution timestamps (Windows 8+; Windows XP/7 stores only the last run)
  • List of DLLs and files loaded during the first 10 seconds of execution
  • Volume information (drive serial number and label)

Security-relevant Prefetch entries:

MIMIKATZ.EXE-XXXXXXXX.pf          → Credential dumping tool
PSEXEC.EXE-XXXXXXXX.pf             → Remote execution tool
COBALTSTRIKE.EXE-XXXXXXXX.pf      → C2 implant
POWERSHELL.EXE-XXXXXXXX.pf        → Script execution (check loaded files for the script path)
WMIC.EXE-XXXXXXXX.pf               → WMI abuse
REGSVR32.EXE-XXXXXXXX.pf          → Squiblydoo bypass
RUNDLL32.EXE-XXXXXXXX.pf          → LOLBin execution
CMD.EXE-XXXXXXXX.pf                → Command shell activity

Note on path hashes: The 8-character hash is computed from the full path, so POWERSHELL.EXE-XXXXXXXX.pf from C:\Windows\System32 has a different hash than a renamed/moved PowerShell copy, giving forensic evidence of execution from unusual paths.

Collecting Prefetch Files from Live Systems

Option 1: Direct copy (requires SYSTEM privileges):

# Run as SYSTEM or with Invoke-Command on the target
# Verify Prefetch is enabled first
$prefetchEnabled = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" -Name "EnablePrefetcher").EnablePrefetcher
# 0 = disabled, 1 = app prefetch, 2 = boot prefetch, 3 = both
if ($prefetchEnabled -eq 0) { Write-Warning "Prefetch is disabled on this system" }

# Copy all Prefetch files
robocopy C:\Windows\Prefetch C:\Temp\Evidence\Prefetch *.pf /COPYALL /LOG:C:\Temp\prefetch-copy.log

Option 2: VSS shadow copy (access older data):

# List shadow copies
vssadmin list shadows

# Access via shadow copy path (example):
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX\Windows\Prefetch
# Create a symlink to access it
cmd /c mklink /d C:\Shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
copy C:\Shadow\Windows\Prefetch\*.pf C:\Temp\Evidence\Prefetch\

Option 3: From a forensic disk image (offline):

# Mount the image
fls -r disk.dd | grep -i prefetch  # Find the Prefetch directory

# Extract all .pf files
icat disk.dd <inode_number> > output.pf
# Or use Autopsy/FTK to extract the C:\Windows\Prefetch directory
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Parsing Prefetch with PECmd

Eric Zimmerman's PECmd is the standard tool for parsing Windows Prefetch files.

Installation:

# Download from https://ericzimmerman.github.io/ (Eric Zimmerman's Tools)
# Or via Chocolatey:
choco install ericzimmermantools
# PECmd.exe will be in C:\tools\EZTools\

Basic analysis:

# Parse all Prefetch files and output to CSV (most useful for SIEM/timeline)
PECmd.exe -d C:\Temp\Evidence\Prefetch --csv C:\Temp\Evidence --csvf prefetch.csv

# Parse a single file with full details
PECmd.exe -f C:\Temp\Evidence\Prefetch\MIMIKATZ.EXE-XXXXXXXX.pf

# Output:
# Source file: MIMIKATZ.EXE-XXXXXXXX.pf
# Executable: MIMIKATZ.EXE
# Run count: 7
# Last run: 2026-05-14 03:17:22 UTC
# Previous run times:
#   2026-05-14 02:58:11 UTC
#   2026-05-13 22:31:05 UTC
#   ...
# Volume information: Volume0
#   Volume name: Windows
#   Serial number: AB123456
#   Created: ...
# Directories referenced:
#   \VOLUME{...}\USERS\TEMP\TOOLS        ← Path where Mimikatz ran
#   \VOLUME{...}\WINDOWS\SYSTEM32
# Files loaded:
#   \VOLUME{...}\USERS\TEMP\TOOLS\MIMIKATZ.EXE    ← Exact execution path

Building an execution timeline:

# Parse all to CSV and import into timeline tool
PECmd.exe -d C:\Temp\Evidence\Prefetch --csv C:\Temp\Evidence --csvf prefetch.csv

# The CSV includes columns:
# SourceFilename, SourceCreated, SourceModified, ExecutableName, Size, Hash,
# RunCount, LastRun, PreviousRun0..PreviousRun6, Volume0Name, Volume0Serial, ...

# Import into Excel or timeline tool to correlate with:
# - Windows Event Logs (4624, 4688)
# - NTFS $MFT timestamps
# - Browser history
# - Network connection logs

# Quick PowerShell analysis of the CSV:
Import-Csv C:\Temp\Evidence\prefetch_Timeline.csv |
  Where-Object { $_.ExecutableName -match 'MIMIKATZ|PSEXEC|COBALTSTRIKE|WMIEXEC' } |
  Select-Object ExecutableName, LastRun, RunCount |
  Sort-Object LastRun

Interpreting Prefetch Evidence in IR Context

Evidence that a tool ran even after deletion:

Finding: MIMIKATZ.EXE-AB12CD34.pf exists
Directory referenced: \VOLUME{...}\USERS\PUBLIC\DOWNLOADS\TOOLS\
Last run: 2026-05-14 03:17:22
Run count: 7

Forensic significance:
1. Mimikatz ran 7 times between the dates shown in PreviousRun0-6
2. It ran from C:\Users\Public\Downloads\tools\ (suspicious location)
3. Even if the binary was deleted, this .pf file proves execution
4. Correlate the 03:17:22 UTC timestamp with network logs to find
   which connections were made immediately after

Execution from unusual paths (renamed tools):

Finding: SVCHOST.EXE-FF44DD22.pf from path C:\Temp\
Vs normal: SVCHOST.EXE-XXXXXXXX.pf from C:\Windows\System32\

The path hash differs: this is a renamed tool masquerading as svchost.exe
Check the loaded files list in the .pf file for the actual libraries loaded
Compare DLLs loaded by the suspicious svchost vs the legitimate system svchost

PowerShell script execution:

Finding: POWERSHELL.EXE Prefetch file
Files loaded include: \VOLUME{...}\TEMP\STAGER.PS1

The script name appears in the Prefetch files/directories list even if deleted
Recover the script content from $MFT unallocated space or VSS copies

Anti-forensics awareness:

  • Tool Sdelete does not clear Prefetch (it shreds the binary, not the .pf file)
  • Timestomping the binary does not affect the Prefetch timestamps (stored independently)
  • Disabling Prefetch requires a registry change + reboot: if Prefetch was disabled after compromise, the registry change is itself an IoC
  • Clearing the Prefetch directory (del C:\Windows\Prefetch\*) leaves an event in the NTFS $LogFile and changes the directory's last-modified time

The bottom line

Windows Prefetch files in C:\Windows\Prefetch record every program execution: the executable name, full path, up to 8 run timestamps, and the total run count. They survive file deletion and persist until the 128-entry limit is hit. Parse with Eric Zimmerman's PECmd to output CSV for timeline analysis. Key forensic value: proving that attacker tools like Mimikatz, PsExec, and custom C2 implants ran: including their exact execution paths, timestamps, and run frequency: even after the binaries were deleted from disk.

Frequently asked questions

What information does a Windows Prefetch file contain?

A Windows Prefetch (.pf) file contains: the executable name and full path at execution time, the total number of times the program ran, up to 8 timestamps of recent executions (Windows 8+), a list of DLLs and files accessed during the first 10 seconds of execution, and the volume serial number of the drive it ran from. This information persists even after the original binary is deleted, making Prefetch files critical execution evidence for incident response.

How do you parse Windows Prefetch files for forensics?

Use Eric Zimmerman's PECmd tool (free, from ericzimmerman.github.io). Run PECmd.exe -d C:\Windows\Prefetch --csv output\ to parse all .pf files and export to CSV for timeline analysis. The CSV includes the executable name, all run timestamps, run count, and referenced file paths. Correlate Prefetch timestamps with Windows Event Logs (Event 4688 for process creation) and network logs to reconstruct the attack timeline.

What is a Windows Prefetch file and what forensic value does it have?

Windows Prefetch files (.pf files in C:\Windows\Prefetch) are created by the SuperFetch service to speed up application loading. They record: the name of the executable, the last 8 execution timestamps, the total run count, and paths of all files and DLLs loaded during execution. Forensically, Prefetch files prove execution: even if malware was deleted from disk, its Prefetch file persists and shows when it ran. They also reveal file paths the malware accessed (showing staging directories, exfiltration targets, or persistence mechanisms). Prefetch is enabled by default on workstations and disabled by default on Windows Server.

What forensic artifacts does Windows create when a program executes?

Windows creates multiple execution artifacts: Prefetch files (last 8 run timestamps and loaded file paths), Shimcache (AppCompatCache in the registry — records applications executed, survives reboots), Amcache.hve (registry hive recording file path, size, hash, and first execution timestamp of all run executables), UserAssist registry keys (records GUI applications run by each user with execution count and timestamp), BAM/DAM (Background/Desktop Activity Moderator — records executables run by each user in the last ~7 days), and Event ID 4688 (process creation with command line if auditing is enabled). These artifacts are complementary: using multiple sources provides cross-validation during forensic investigation.

Can attackers delete Windows Prefetch files to cover their tracks?

Yes. Attackers can delete Prefetch files with 'del C:\Windows\Prefetch\EVIL.EXE-XXXXXXXX.pf' or by clearing the entire Prefetch directory. However, deletion itself is an indicator: an otherwise clean system with a recently emptied Prefetch directory (particularly via automated scripts) is suspicious. Sysmon can log file deletion events (Event ID 23) if configured to monitor the Prefetch directory. Additionally, other execution artifacts (Shimcache, Amcache, BAM) are harder to clean comprehensively because they are stored in registry hives and require registry editing or hive deletion rather than simple file removal. A thorough attacker cleaning all artifacts is unusual: most malware either does not clean up or only cleans obvious items.

How do I correlate Prefetch timestamps with other Windows forensic artifacts to build a reliable attack timeline?

Prefetch timestamps are most valuable when combined with at least two other artifact sources because clock skew, volume shadow copy age differences, and NTFS timestamp manipulation can each introduce inaccuracies in a single-source timeline. Use PECmd to export Prefetch data to CSV, then import into a timeline tool such as Plaso (log2timeline) or a spreadsheet. Layer in Event ID 4688 process creation timestamps from the Security event log (if process auditing was enabled), Shimcache entries from SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache (parsed with AppCompatCacheParser from Eric Zimmerman's tools), and Amcache.hve first-execution timestamps (parsed with AmcacheParser). Where Prefetch records that a binary ran multiple times, check whether the corresponding 4688 events exist -- if 4688 events are missing for runs that Prefetch recorded, audit logging may have been disabled or the log was cleared, which is itself an indicator. Finally, correlate execution timestamps with outbound network connections from Zeek or firewall logs: malware execution followed within 30-120 seconds by a new outbound connection to an uncategorized or newly registered domain is one of the highest-confidence lateral movement and C2 establishment patterns in incident response.

Sources & references

  1. Eric Zimmerman: PECmd - Prefetch Parser
  2. SANS: Windows Prefetch for IR
  3. Microsoft: Superfetch and Prefetch Documentation

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.