Prefetch
Forensic Artifacts
Definition
Prefetch is a Windows performance feature that records how executables are loaded and run, allowing the operating system to optimize subsequent launches. It generates `.pf` files that contain execution metadata for recently run programs.

Prefetch is one of the strongest sources of **execution evidence**. Unlike artifacts that only indicate file presence, Prefetch confirms that a program was actually executed on the system.

Prefetch files are stored at: `C:\Windows\Prefetch`

Each file follows the format: `PROGRAMNAME-HASH.pf`

### **Data Stored in Prefetch**

- Executable name
- Full or partial file path (derived via hash correlation)
- Run count (number of executions)
- Last execution timestamp (multiple timestamps on newer Windows versions)
- Files and directories accessed during execution
- Volume information (device path, serial number)

The hash represents a path-based identifier, allowing multiple entries for the same executable in different locations.

### **Why It Matters**

Prefetch provides **direct, host-level proof of execution**, which is critical in incident response and forensic investigations.

- **Confirms execution of binaries** — not just presence
- **Tracks frequency of use** — useful for identifying automation or repeated attacker activity
- **Reveals execution context** — accessed files and directories provide behavioral clues
- **Survives file deletion** — even if malware removes itself, Prefetch often persists
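The fields listed above live at fixed offsets in the `.pf` file. The following parser is an added example, not code from this glossary or any named tool: it reads the header (format version, `SCCA` signature, executable name, path hash) and the file-information block (run count, last-run FILETIME slots, and the NUL-separated list of accessed device paths from which the executable's full path is recovered). Offsets follow the publicly documented layout for format versions 17 (XP/2003), 23 (Vista/7) and 26 (8.1). Windows 10/11 files are MAM-compressed and have a build-dependent layout, so they are rejected with a clear error rather than mis-parsed. The sample file built by `build_sample_pf()`, including its name, hash, paths, timestamp and run count, is entirely constructed.

```python
"""Added example (not from the glossary): parse an uncompressed Windows Prefetch (.pf) file.

Offsets follow the documented SCCA layout for format versions 17, 23 and 26.
Windows 10/11 files start with "MAM" and are LZXPRESS-Huffman compressed with a
build-dependent layout; they are rejected here instead of being mis-parsed.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 84  # version, "SCCA", unknown, file size, 60-byte name, hash, flags

# Per format version: (offset of the last-run FILETIME slot(s) inside the
# file-information block, number of slots, offset of the run count).
LAYOUTS = {
    17: (36, 1, 60),
    23: (44, 1, 68),
    26: (44, 8, 124),
}


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch(data):
    if data[:3] == b"MAM":
        raise ValueError("Windows 10/11 prefetch is MAM-compressed; decompress it first")
    version, signature, _unknown, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    if version not in LAYOUTS:
        raise ValueError(f"unsupported prefetch format version {version}")

    # Executable name: 60 bytes of NUL-terminated UTF-16LE at offset 16.
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, 76)

    info = HEADER_SIZE  # the file-information block starts right after the header
    strings_offset, strings_size = struct.unpack_from("<II", data, info + 16)
    runs_offset, n_runs, count_offset = LAYOUTS[version]
    filetimes = struct.unpack_from(f"<{n_runs}Q", data, info + runs_offset)
    (run_count,) = struct.unpack_from("<I", data, info + count_offset)

    # Filename strings: NUL-separated UTF-16LE device paths of every file the
    # program touched during its traced start-up. The executable's own full
    # path is recovered from this list, not from the header.
    blob = data[strings_offset:strings_offset + strings_size]
    accessed = [s for s in blob.decode("utf-16-le").split("\x00") if s]
    target = "\\" + exe_name.upper()
    exe_path = next((p for p in accessed if p.upper().endswith(target)), None)

    return {
        "version": version,
        "executable": exe_name,
        "executable_path": exe_path,
        "hash": path_hash,
        "file_size": file_size,
        "run_count": run_count,
        "last_runs": [filetime_to_datetime(ft) for ft in filetimes if ft],  # unused slots are 0
        "accessed": accessed,
    }


def build_sample_pf():
    """Construct a synthetic format-23 (Windows 7) file. Every value in it is made up."""
    accessed = [
        r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
        r"\DEVICE\HARDDISKVOLUME1\USERS\ALICE\APPDATA\LOCAL\TEMP\UPDATER.EXE",
        r"\DEVICE\HARDDISKVOLUME1\USERS\ALICE\APPDATA\LOCAL\TEMP\PAYLOAD.DAT",
    ]
    strings = b"".join(p.encode("utf-16-le") + b"\x00\x00" for p in accessed)
    info = bytearray(156)  # the version-23 file-information block is 156 bytes
    strings_offset = HEADER_SIZE + len(info)
    struct.pack_into("<II", info, 16, strings_offset, len(strings))
    last_run = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    struct.pack_into("<Q", info, 44, datetime_to_filetime(last_run))
    struct.pack_into("<I", info, 68, 7)  # run count
    name = "UPDATER.EXE".encode("utf-16-le").ljust(60, b"\x00")
    header = (struct.pack("<I4sII", 23, b"SCCA", 0x11, strings_offset + len(strings))
              + name + struct.pack("<II", 0x1A2B3C4D, 0))
    return header + bytes(info) + strings


if __name__ == "__main__":
    record = parse_prefetch(build_sample_pf())
    for key, value in record.items():
        print(f"{key:16} {value}")
```

Run it directly to see the parsed record for the constructed file; for a real Windows 7 `.pf` file, pass the file's bytes to `parse_prefetch()`. Note that a deleted binary leaves its full device path behind in the accessed-files list, which is exactly why Prefetch survives the malware's own clean-up.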
Related Terms
Windows-Registry
Examples & Use Cases
**Confirmed malware execution** — A suspicious binary is deleted after use. Prefetch still contains an entry showing it was executed, including timestamp and run count.

**Living-off-the-Land detection** — Prefetch reveals execution of built-in tools like powershell.exe or cmd.exe in unusual patterns, indicating attacker activity.

**Execution frequency analysis** — A tool shows a high run count in Prefetch, suggesting automation, persistence mechanisms, or repeated attacker usage.

### **Further Reading**

- [Forensafe: Prefetch Analysis](https://www.forensafe.com/blogs/prefetch.html)
- [YouTube: Prefetch Deep Dive](https://www.youtube.com/watch?v=f4RAtR_3zcs)
- [The DFIR Spot: Artifacts of Execution](https://www.thedfirspot.com/post/artifacts-of-execution-i-know-what-you-did-last-incident)
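The three use cases above (execution from a location the binary no longer occupies, LOLBin usage in unusual patterns, and high run counts) can be turned into triage rules over already-parsed Prefetch records. The following is an added example and not code from this glossary or any named tool. The records are constructed in the shape a parser returns (executable name, path hash, run count, last-run timestamps, accessed device paths); the LOLBin list, the user-writable directory fragments, the run-count threshold and the cadence tolerance are assumptions to be tuned for an environment. It also uses the multiple last-run timestamps that newer Windows versions keep to spot evenly spaced executions, which the glossary's "automation" hint points at but does not spell out.

```python
"""Added example (not from the glossary): triage rules over parsed Prefetch records.

Records are constructed here in the shape a prefetch parser would return.
LOLBINS, USER_WRITABLE, HIGH_RUN_COUNT and CADENCE_TOLERANCE are assumptions.
"""
from datetime import datetime, timedelta, timezone

LOLBINS = {"POWERSHELL.EXE", "CMD.EXE", "WSCRIPT.EXE", "CSCRIPT.EXE",
           "MSHTA.EXE", "RUNDLL32.EXE", "REGSVR32.EXE", "CERTUTIL.EXE"}
USER_WRITABLE = ("\\TEMP\\", "\\DOWNLOADS\\", "\\APPDATA\\", "\\PUBLIC\\", "\\PROGRAMDATA\\")
HIGH_RUN_COUNT = 50
CADENCE_TOLERANCE = timedelta(minutes=1)


def in_user_writable(path):
    return any(fragment in path.upper() for fragment in USER_WRITABLE)


def executable_path(record):
    """Recover the full path: the accessed entry that ends in the executable name."""
    target = "\\" + record["executable"].upper()
    return next((p for p in record["accessed"] if p.upper().endswith(target)), None)


def regular_cadence(last_runs):
    """Return the interval if three or more recorded runs are evenly spaced, else None."""
    runs = sorted(last_runs)
    if len(runs) < 3:
        return None
    gaps = [later - earlier for earlier, later in zip(runs, runs[1:])]
    if max(gaps) - min(gaps) <= CADENCE_TOLERANCE:
        return gaps[0]
    return None


def triage(record):
    findings = []
    path = executable_path(record)
    if path and in_user_writable(path):
        findings.append(f"executed from user-writable location: {path}")
    if record["run_count"] >= HIGH_RUN_COUNT:
        findings.append(f"high run count ({record['run_count']}): automation or persistence?")
    if record["executable"].upper() in LOLBINS:
        touched = [p for p in record["accessed"] if in_user_writable(p)]
        if touched:
            findings.append(f"LOLBin touched user-writable content: {touched[0]}")
    interval = regular_cadence(record["last_runs"])
    if interval:
        minutes = int(interval.total_seconds() // 60)
        findings.append(f"regular cadence of {minutes} min over {len(record['last_runs'])} runs")
    return findings


# Constructed records; hashes, paths and times are made up.
_T0 = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"executable": "UPDATER.EXE", "hash": 0x1A2B3C4D, "run_count": 3,
     "last_runs": [_T0],
     "accessed": [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
                  r"\DEVICE\HARDDISKVOLUME1\USERS\ALICE\APPDATA\LOCAL\TEMP\UPDATER.EXE"]},
    {"executable": "POWERSHELL.EXE", "hash": 0x2B3C4D5E, "run_count": 120,
     "last_runs": [_T0 + timedelta(minutes=15 * i) for i in range(8)],
     "accessed": [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE",
                  r"\DEVICE\HARDDISKVOLUME1\USERS\ALICE\APPDATA\ROAMING\STAGE.PS1"]},
    {"executable": "NOTEPAD.EXE", "hash": 0x3C4D5E6F, "run_count": 12,
     "last_runs": [_T0 - timedelta(days=3), _T0 - timedelta(hours=5), _T0],
     "accessed": [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NOTEPAD.EXE"]},
]


def run_triage(records):
    """Map the .pf filename stem (NAME-HASH) to the findings for that record."""
    return {f"{r['executable']}-{r['hash']:08X}": triage(r) for r in records}


if __name__ == "__main__":
    for stem, findings in run_triage(SAMPLE_RECORDS).items():
        print(stem, "->", findings or "no findings")
```

The keys of the result are the same `PROGRAMNAME-HASH` stems used for the `.pf` filenames, so findings can be tied straight back to the artifact on disk. The cadence rule is the one that benefits from Windows 8 and later keeping eight timestamps per file: a single last-run time cannot show a schedule, eight evenly spaced ones can.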