A Python script to parse Windows Prefetch files
Project description
Python script created to parse Windows Prefetch files: Supports XP - Windows 10 Prefetch files
Description
The Windows application prefetch mechanism was put in place to offer performance benefits when launching applications. It also happens to be one of the more valuable forensic artifacts for evidence of application execution. prefetch.py provides functionality for parsing prefetch files for all current prefetch file versions: 17, 23, 26, and 30.
Features
Specify a single prefetch file or a directory of prefetch files
CSV output support
(Limited) Windows 10 support - Windows 10 prefetch files must be parsed from a Windows 8+ workstation
Command-Line Options
For now, prefetch.py requires only one command-line option: --file, which can specify either a single Prefetch file or a directory of Prefetch files to parse:
dev@computer:~$ ./prefetch.py -h
usage: prefetch.py [-h] [-c] [-f FILE]

optional arguments:
  -h, --help            show this help message and exit
  -c, --csv             Present results in CSV format
  -f FILE, --file FILE  Parse a given Prefetch file
Single Prefetch File
Using the --file / -f switch with a single prefetch file results in the output below:
dev@computer:~$ python prefetch.py -f CMD.EXE-4A81B364.pf
=====================
CMD.EXE-4A81B364.pf
=====================

Executable Name: CMD.EXE
Run count: 2
Last Executed: 2016-01-16 20:26:42.515108

Volume Information:
    Volume Name: \DEVICE\HARDDISKVOLUME2
    Creation Date: 2016-01-16 21:15:18.109374
    Serial Number: 88008c2f

Directory Strings:
    \DEVICE\HARDDISKVOLUME2\WINDOWS
    \DEVICE\HARDDISKVOLUME2\WINDOWS\BRANDING
    \DEVICE\HARDDISKVOLUME2\WINDOWS\BRANDING\BASEBRD
    \DEVICE\HARDDISKVOLUME2\WINDOWS\GLOBALIZATION
    \DEVICE\HARDDISKVOLUME2\WINDOWS\GLOBALIZATION\SORTING
    \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32

Resources loaded:
    1: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTDLL.DLL
    2: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNEL32.DLL
    3: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\APISETSCHEMA.DLL
    4: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNELBASE.DLL
    5: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\LOCALE.NLS
    6: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CMD.EXE
    7: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSVCRT.DLL
    8: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINBRAND.DLL
    9: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\USER32.DLL
    10: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\GDI32.DLL
    11: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\LPK.DLL
    12: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\USP10.DLL
    13: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\IMM32.DLL
    14: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSCTF.DLL
    15: \DEVICE\HARDDISKVOLUME2\WINDOWS\BRANDING\BASEBRD\BASEBRD.DLL
    16: \DEVICE\HARDDISKVOLUME2\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
Multiple Prefetch Files
Use the same syntax as above, but point the script to a directory of Prefetch files.
CSV Format
Using the --csv / -c flag will provide results in CSV format:
Last Executed, Executable Name, Run Count
2016-01-20 16:01:27.680128, ADOBEIPCBROKER.EXE-c8d02fab, 1
2016-01-20 16:59:42.077480, CREATIVE CLOUD UNINSTALLER.EX-216b8ea8, 1
2016-01-19 18:07:18.101626, MSIEXEC.EXE-a2d55cb6, 37237
2016-01-20 16:11:15.818394, ACRODIST.EXE-782bc2b2, 1
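To show where the Executable Name, Run Count and Last Executed values in the output above come from, here is an added example (not prefetch.py's own code) that reads the 84-byte SCCA header and the version-specific file-information block for versions 17, 23, 26 and 30, and emits a row in the same CSV column order. The build_sample_v23 helper and its values are constructed test data; the way it tells the two version-30 layouts apart is an assumption noted in the code, and compressed Windows 10 files are only detected, not decompressed.

```python
import struct
from datetime import datetime, timedelta

# (last-run FILETIME offset, run-count offset) per prefetch version; version 30
# is resolved at parse time because two file-information layouts exist for it.
LAYOUT = {17: (120, 144), 23: (128, 152), 26: (128, 208)}

def filetime_to_datetime(ft):
    # FILETIME counts 100-ns intervals since 1601-01-01 UTC.
    return datetime(1601, 1, 1) + timedelta(microseconds=ft // 10)

def parse_prefetch_header(data):
    if data[:4] == b"MAM\x04":  # Windows 10 files are LZXPRESS-Huffman compressed
        raise ValueError("compressed Windows 10 prefetch file; decompress first")
    if len(data) < 84 or data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature; not a prefetch file")
    version, = struct.unpack_from("<I", data, 0)
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash, = struct.unpack_from("<I", data, 76)
    if version in LAYOUT:
        last_off, count_off = LAYOUT[version]
    elif version == 30:
        # ASSUMPTION: the two v30 layouts are told apart by the size of the
        # file-information block (section A offset minus the 84-byte header).
        section_a_off, = struct.unpack_from("<I", data, 84)
        last_off, count_off = 128, (208 if section_a_off - 84 == 224 else 200)
    else:
        raise ValueError("unsupported prefetch version %d" % version)
    last_run, = struct.unpack_from("<Q", data, last_off)
    run_count, = struct.unpack_from("<I", data, count_off)
    return {"version": version, "executable": exe_name,
            "pf_name": "%s-%08x" % (exe_name, pf_hash),
            "last_run": filetime_to_datetime(last_run), "run_count": run_count}

def csv_row(rec):
    # Same column order as the script's --csv output.
    return "%s, %s, %d" % (rec["last_run"].strftime("%Y-%m-%d %H:%M:%S.%f"),
                           rec["pf_name"], rec["run_count"])

def build_sample_v23(exe_name, last_run_ft, run_count, pf_hash):
    # Constructed minimal version-23 (Vista/7) file: 84-byte header + file info.
    data = bytearray(240)
    struct.pack_into("<I4s", data, 0, 23, b"SCCA")
    name = exe_name.encode("utf-16-le")
    data[16:16 + len(name)] = name
    struct.pack_into("<I", data, 76, pf_hash)
    struct.pack_into("<I", data, 84, 240)  # section A starts after file info
    struct.pack_into("<Q", data, 128, last_run_ft)
    struct.pack_into("<I", data, 152, run_count)
    return bytes(data)
```

Feeding a real .pf file's bytes to parse_prefetch_header gives the same three fields the script prints; the sample FILETIME used in the test corresponds to 2016-01-01 00:00:00.515108 UTC.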
References
This project would not have been possible without the work of others much smarter than I. The prefetch file format is not officially documented by Microsoft and has been understood through reverse engineering, and trial-and-error.
Additionally, without the excellent work by Francesco Picasso in understanding the Windows 10 prefetch compression method, I would not have been able to get Windows 10 parsed here. I use a modified version of his decompression script in prefetch.py. Francesco's original script can be found at the link below:
To gain a better understanding of the prefetch file format, check out the following resources, which were all used as references when creating my script:
Source Distribution
File details
Details for the file windowsprefetch-4.0.3.tar.gz
File metadata
- Download URL: windowsprefetch-4.0.3.tar.gz
- Size: 10.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.1.1 pkginfo/1.4.2 requests/2.22.0 setuptools/45.2.0 requests-toolbelt/0.8.0 tqdm/4.30.0 CPython/3.8.5
File hashes
Algorithm | Hash digest
---|---
SHA256 | 9bbc69059bf5dc2e37411d3156c0d176c4a20a72ee980a8436a885e0f65ecce1
MD5 | 03eb8466539f06324e47f250265a539c
BLAKE2b-256 | 20db1753db8e4c5fa0326c40484b139306fe9526a8cb2e884b899870de669dac