Windows Prefetch File Format
A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.
As far as have been possible to ascertain, there is no public description of the format. The description below has been synthesised from examinationof multiple prefetch files.
Contents
Characteristics
| Integers | stored in little-endian |
| Strings | Stored as UTF-16 little-endian without a byte-order-mark (BOM). |
| Timestamps | Stored as Windows FILETIME in UTC. |
File header
The file header is 84 bytes of size and consists of:
| Field | Offset | Length | Type | Notes |
|---|---|---|---|---|
| H1 | 0x0000 | 4 | DWORD | Format version (see format version section below) |
| H2 | 0x0004 | 4 | DWORD | Signature 'SCCA' (or in hexadecimal representation 0x53 0x43 0x43 0x4) |
| H3 | 0x0008 | 4 | DWORD? | Unknown - Values observed: 0x0F - Windows XP, 0x11 - Windows 7, Windows 8.1 |
| H4 | 0x000C | 4 | DWORD | Prefetch file size (or length) (sometimes referred to as End of File (EOF)). |
| H5 | 0x0010 | 60 | USTR | The name of the (original) executable as a Unicode (UTF-16 litte-endian string), up to 29 characters and terminated by an end-of-string character (U+0000). This name should correspond with the one in the prefetch file filename. |
| H6 | 0x004C | 4 | DWORD | The prefetch hash. This hash value should correspond with the one in the prefetch file filename. |
| H7 | 0x0050 | 4 | ? | Unknown (flags)? Values observed: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP) |
It's worth noting that the name of a carved prefetch file can be restored using the information in field H5 and H6, and its size can be determined by field H4.
Format version
| Value | Windows version |
|---|---|
| 17 (0x11) | Windows XP, Windows 2003 |
| 23 (0x17) | Windows Vista, Windows 7 |
| 26 (0x1a) | Windows 8.1 (note this could be Windows 8 as well but has not been confirmed) |
File information
The format of the file information is version dependent.
Note that some other format specifications consider the file information part of the file header.
File information - version 17
The file information – version 17 is 68 bytes of size and consists of:
| Field | Offset | Length | Type | Notes |
|---|---|---|---|---|
| 0x0054 | 4 | DWORD | The offset to section A. The offset is relative from the start of the file. | |
| 0x0058 | 4 | DWORD | The number of entries in section A. | |
| 0x005C | 4 | DWORD | The offset to section B. The offset is relative from the start of the file. | |
| 0x0060 | 4 | DWORD | The number of entries in section B. | |
| 0x0064 | 4 | DWORD | The offset to section C. The offset is relative from the start of the file. | |
| 0x0068 | 4 | DWORD | Length of section C. | |
| 0x006C | 4 | DWORD | Offset to section D. The offset is relative from the start of the file. | |
| 0x0070 | 4 | DWORD | The number of entries in section D. | |
| 0x0074 | 4 | DWORD | Length of section D. | |
| 0x0078 | 8 | FILETIME | Latest execution time (or run time) of executable (FILETIME) | |
| 0x0080 | 16 | ? | Unknown ? Possibly structured as 4 DWORD. Observed values: /0x00000000 0x00000000 0x00000000 0x00000000/, /0x47868c00 0x00000000 0x47860c00 0x00000000/ (don't exclude the possibility here that this is remnant data) | |
| 0x0090 | 4 | DWORD | Execution counter (or run count) | |
| 0x0094 | 4 | DWORD? | Unknown ? Observed values: 1, 2, 3, 4, 5, 6 (XP) |
File information - version 23
The file information – version 23 is 156 bytes of size and consists of:
| Field | Offset | Length | Type | Notes |
|---|---|---|---|---|
| 0x0054 | 4 | DWORD | The offset to section A. The offset is relative from the start of the file. | |
| 0x0058 | 4 | DWORD | The number of entries in section A. | |
| 0x005C | 4 | DWORD | The offset to section B. The offset is relative from the start of the file. | |
| 0x0060 | 4 | DWORD | The number of entries in section B. | |
| 0x0064 | 4 | DWORD | The offset to section C. The offset is relative from the start of the file. | |
| 0x0068 | 4 | DWORD | Length of section C. | |
| 0x006C | 4 | DWORD | Offset to section D. The offset is relative from the start of the file. | |
| 0x0070 | 4 | DWORD | The number of entries in section D. | |
| 0x0074 | 4 | DWORD | Length of section D. | |
| 0x0078 | 8 | ? | Unknown | |
| 0x0080 | 8 | FILETIME | Latest execution time (or run time) of executable (FILETIME) | |
| 0x0088 | 16 | ? | Unknown | |
| 0x0098 | 4 | DWORD | Execution counter (or run count) | |
| 0x009C | 4 | DWORD? | Unknown | |
| 0x00A0 | 80 | ? | Unknown |
File information - version 26
The file information – version 26 is 224 bytes of size and consists of:
| Field | Offset | Length | Type | Notes |
|---|---|---|---|---|
| 0x0054 | 4 | DWORD | The offset to section A. The offset is relative from the start of the file. | |
| 0x0058 | 4 | DWORD | The number of entries in section A. | |
| 0x005C | 4 | DWORD | The offset to section B. The offset is relative from the start of the file. | |
| 0x0060 | 4 | DWORD | The number of entries in section B. | |
| 0x0064 | 4 | DWORD | The offset to section C. The offset is relative from the start of the file. | |
| 0x0068 | 4 | DWORD | Length of section C. | |
| 0x006C | 4 | DWORD | Offset to section D. The offset is relative from the start of the file. | |
| 0x0070 | 4 | DWORD | The number of entries in section D. | |
| 0x0074 | 4 | DWORD | Length of section D. | |
| 0x0078 | 8 | ? | Unknown | |
| 0x0080 | 8 | FILETIME | Latest execution time (or run time) of executable (FILETIME) | |
| 0x0088 | 7 x 8 = 56 | FILETIME | Older (most recent) latest execution time (or run time) of executable (FILETIME) | |
| 0x00C0 | 16 | ? | Unknown | |
| 0x00D0 | 4 | DWORD | Execution counter (or run count) | |
| 0x00D4 | 4 | ? | Unknown | |
| 0x00D8 | 4 | ? | Unknown | |
| 0x00DC | 88 | ? | Unknown |
Section A - Metrics array
Metrics entry record - version 17
The metrics entry records – version 17 is 20 bytes in size and consists of:
| Field | Offset | Length | Type | Notes |
|---|---|---|---|---|
| 0 | 4 | DWORD | Start time in ms | |
| 4 | 4 | DWORD | Duration in ms | |
| 8 | 4 | DWORD | Filename string offset The offset is relative to the start of the filename string section (section C) | |
| 12 | 4 | DWORD | Filename string number of characters without end-of-string character | |
| 16 | 4 | DWORD | Unknown, flags? |
Metrics entry record - version 23
The metrics entry records – version 23 is 32 bytes in size and consists of:
| Field | Offset | Length | Type | Notes |
|---|---|---|---|---|
| 0 | 4 | DWORD | Start time in ms | |
| 4 | 4 | DWORD | Duration in ms | |
| 8 | 4 | DWORD | Average duration in ms? | |
| 12 | 4 | DWORD | Filename string offset The offset is relative to the start of the filename string section (section C) | |
| 16 | 4 | DWORD | Filename string number of characters without end-of-string character | |
| 20 | 4 | DWORD | Unknown, flags? | |
| 24 | 8 | NTFS file reference 0 if not set. |
Metrics entry record - version 26
The metrics entry record – version 26 appears to be similar to metrics entry record – version 23.
Section B - Trace chains array
This section contains an array with 12 byte (version 17, 23 and 26) entry records.
| Field | Offset | Length | Type | Notes |
|---|---|---|---|---|
| 0 | 4 | Next array entry index Contains the next trace chain array entry index in the chain, where the first entry index starts with 0, or -1 (0xffffffff) for the end-of-chain. | ||
| 4 | 4 | Total block load count Number of blocks loaded (or fetched) The block size 512k (512 x 1024) bytes | ||
| 8 | 1 | Unknown | ||
| 9 | 1 | Sample duration in ms? | ||
| 10 | 2 | Unknown |
Section C - Filename strings
This section contains filenames strings, it consists of an array of UTF-16 little-endian formatted strings with end-of-string characters (U+0000).
At the end of the section there seems to be alignment padding that can contain remnant values.
Section D - Volumes information (block)
Section D contains one or more subsections, each subsection refers to directories on a volume.
If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one section in the D section. If multiple volumes are referenced by section C, section D will contain multiple sections. (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).
In this section, all offsets are assumed to be counted from the start of the D section.
Volume information
The structure of the volume information is version dependent.
Volume information - version 17
The volume information – version 17 is 40 bytes in size and consists of:
| Field | Offset | Length | Type | Notes |
|---|---|---|---|---|
| VI1 | +0x0000 | 4 | DWORD | Offset to volume device path (Unicode, terminated by U+0000) |
| VI2 | +0x0004 | 4 | DWORD | Length of volume device path (nr of characters, including terminating U+0000) |
| VI3 | +0x0008 | 8 | FILETIME | Volume creation time. |
| VI4 | +0x0010 | 4 | DWORD | Volume serial number of volume indicated by volume string |
| VI5 | +0x0014 | 4 | DWORD | Offset to sub section E |
| VI6 | +0x0018 | 4 | DWORD | Length of sub section E (in bytes) |
| VI7 | +0x001C | 4 | DWORD | Offset to sub section F |
| VI8 | +0x0020 | 4 | DWORD | Number of strings in sub section F |
| VI9 | +0x0024 | 4 | ? | Unknown |
Volume information - version 23
The volume information entry – version 23 is 104 bytes in size and consists of:
| Field | Offset | Length | Type | Notes |
|---|---|---|---|---|
| VI1 | +0x0000 | 4 | DWORD | Offset to volume device path (Unicode, terminated by U+0000) |
| VI2 | +0x0004 | 4 | DWORD | Length of volume device path (nr of characters, including terminating U+0000) |
| VI3 | +0x0008 | 8 | FILETIME | Volume creation time. |
| VI4 | +0x0010 | 4 | DWORD | Volume serial number of volume indicated by volume string |
| VI5 | +0x0014 | 4 | DWORD | Offset to sub section E |
| VI6 | +0x0018 | 4 | DWORD | Length of sub section E (in bytes) |
| VI7 | +0x001C | 4 | DWORD | Offset to sub section F |
| VI8 | +0x0020 | 4 | DWORD | Number of strings in sub section F |
| VI9 | +0x0024 | 4 | ? | Unknown |
| VI10 | +0x0028 | 28 | ? | Unknown |
| VI11 | +0x0044 | 4 | ? | Unknown |
| VI12 | +0x0048 | 28 | ? | Unknown |
| VI13 | +0x0064 | 4 | ? | Unknown |
Volume information - version 26
The volume information entry – version 26 appears to be similar to volume information – version 23.
Sub section E - NTFS file references
This sub section can contain NTFS file references.
For more information see Windows Prefetch File (PF) format.
Sub section F - Directory strings
This sub sections contains directory strings. The number of strings is stored in the volume information.
A directory string is stored in the following structure:
| Field | Offset | Length | Type | Notes |
|---|---|---|---|---|
| 0x0000 | 2 | DWORD | Number of characters (WORDs) of the directory name. The value does not include the end-of-string character. | |
| 0x0002 | USTR | The directory name as a Unicode (UTF-16 litte-endian string) terminated by an end-of-string character (U+0000). |
See Also
External Links
- Windows Prefetch File (PF) format, by the libssca project
- Windows Prefetch file format, by the prefetch-parser project.
参考:
Windows prefetch file 百度
Windows Prefetch File Format - ForensicsWiki
==================================================================Windows-prefetch-files
What are prefetch files?
Each time an application is run in a Windows based system, registry keys and a prefetch file (%windir%\*.pf) which contains information about the files loaded by the application are created. The information in the prefetch files are used for optimizing the loading time of the application for the next times it will be run.
The prefetch directory seems to be limited to 128 entries.
The below screenshot shows prefetch files on a Windows XP machine:
Tools
Following tools enable to view prefetch files and information:
====================================================================================================WinPrefetchView
Contents
Description
Each time an application is run in a Windows based system, registry keys and a prefetch file (%windir%\*.pf) which contains information about the files loaded by the application are created. The information in the prefetch files are used for optimizing the loading time of the application for the next times it will be run.
The prefetch directory seems to be limited to 128 entries.
WinPrefetchView is a small utility that reads the prefetch files and displays the information stored in them (files used, files loaded on Windows boot).
Installation
WinPrefecthFile can be downloaded here: http://www.nirsoft.net/utils/winprefetchview.zip.
Unzip the zip archive and start WinPrefetchView.exe either in Command Line (CLI) or in Graphical (GUI) mode.
Command line options
-
/folder <Folder>
- Start WinPrefetchView with Prefetch folder from another instance of Windows operating system. /prefetchfile <Filename>
- You can use this command-line parameter with the other save commands (/shtml, /stab, and so on) in order to export the records of specific .pf file into text/html/csv file
- Example: WinPrefetchView.exe /shtml "C:\temp\records.html" /prefetchfile "C:\windows\Prefetch\NTOSBOOT-B00DFAAD.pf" /stext <Filename>
- Save the list of Prefetch files into a regular text file. /stab <Filename>
- Save the list of Prefetch files into a tab-delimited text file. /scomma <Filename>
- Save the list of Prefetch files into a comma-delimited text file (csv). /stabular <Filename>
- Save the list of Prefetch files into a tabular text file. /shtml <Filename>
- Save the list of Prefetch files into HTML file (Horizontal). /sverhtml <Filename>
- Save the list of Prefetch files into HTML file (Vertical). /sxml <Filename>
- Save the list of Prefetch files into XML file. /sort <column>
- This command-line option can be used with other save options for sorting by the desired column. If you don't specify this option, the list is sorted according to the last sort that you made from the user interface.
- The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "File Size" and "Filename". You can specify the '~' prefix character (e.g: "~Created Time") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns.
- Examples:
- WinPrefetchView.exe /shtml "f:\temp\Prefetch.html" /sort 2 /sort ~1
- WinPrefetchView.exe /shtml "f:\temp\Prefetch.html" /sort "~Modified Time" /nosort
- When you specify this command-line option, the list will be saved without any sorting.
Examples
CLI
Say you want to have the list of prefetch files via a remote connections. You can achieve this with PsExec.
C:\pstools> psexec \\192.168.1.24 -u administrator -p password -c WinPrefetchView.exe /stext d:\temp\prefetch.txt
It will create a file D:\temp\prefetch.txt on the target as follows:
================================================== Filename : WORDPAD.EXE-02314C89.pf Created Time : 02/04/2013 19:22:11 Modified Time : 02/04/2013 21:07:02 File Size : 25 212 Process EXE : WORDPAD.EXE Process Path : C:\PROGRAM FILES\WINDOWS NT\ACCESSOIRES\wordpad.exe Run Counter : 2 Last Run Time : 02/04/2013 21:06:52 ================================================== ================================================== Filename : WPFFONTCACHE_V0400.EXE-212A3846.pf Created Time : 29/03/2013 15:30:48 Modified Time : 29/03/2013 23:46:46 File Size : 19 582 Process EXE : WPFFONTCACHE_V0400.EXE Process Path : C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\WPF\WPFFONTCAC HE_V0400.EXE Run Counter : 2 Last Run Time : 29/03/2013 23:46:36 ================================================== ================================================== Filename : WSCNTFY.EXE-1B24F5EB.pf Created Time : 21/01/2012 18:09:48 Modified Time : 02/04/2013 21:34:27 File Size : 11 538 Process EXE : WSCNTFY.EXE Process Path : C:\WINDOWS\system32\wscntfy.exe Run Counter : 239 Last Run Time : 02/04/2013 21:34:17 ================================================== [REMOVED]
GUI
In GUI mode, the window looks like this:
3232
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
