Skip to main content
Join the official 2019 Python Developers SurveyStart the survey!

A Python script to parse Windows Prefetch files

Project description

Python script created to parse Windows Prefetch files: Supports XP - Windows 10 Prefetch files


The Windows application prefetch mechanism was put in place to offer performance benefits when launching applications. It just so happens to be one of the more beneficial forensic artifacts regarding evidence of applicaiton execution as well. provides functionality for parsing prefetch files for all current prefetch file versions: 17, 23, 26, and 30.


  • Specify a single prefetch file or a directory of prefetch files
  • CSV output support
  • (Limited) Windows 10 support - Windows 10 prefetch files must be parsed from a Windows 8+ workstation
  • Sort a directory of Prefetch files by all execution timestamps

Command-Line Options

For now, requires one of two command-line options: --file specifies a single prefetch to point the script at. --directory specifies an entire directory of prefetch files which will be parsed and printed to stdout. When using --directory / -d, remember to include the trailing slash:

dev@computer:~$ ./ -h
usage: [-h] [-c] [-d DIRECTORY] [-e EXECUTED] [-f FILE]

optional arguments:
  -h, --help            show this help message and exit
  -c, --csv             Present results in CSV format
  -d DIRECTORY, --directory DIRECTORY
                    Parse all PF files in a given directory
  -e EXECUTED, --executed EXECUTED
                    Sort PF files by ALL execution times
  -f FILE, --file FILE  Parse a given Prefetch file


Using the --file / -f switch with a single prefetch file results in the output below:

dev@computer:~$ python -f


Executable Name: CMD.EXE

Run count: 2
Last Executed: 2016-01-16 20:26:42.515108

Volume Information:
    Creation Date: 2016-01-16 21:15:18.109374
    Serial Number: 88008c2f

Directory Strings:

Resources loaded:



By invoking the --directory / -d flag, the Analyst is able to parse an entire directory of Prefetch files at once.


Sort a directory of Prefetch files by execution time. This sort will include ALL timestamps in Windows 8+ Prefetch files (up to eight per file):

dev@computer:~$ python -e Prefetch/

Execution Time, File Executed
2015-11-15 00:02:39.781250, WUAUCLT.EXE-399A8E72
2015-11-15 00:02:26.281250, VERCLSID.EXE-3667BD89
2015-11-15 00:02:24.343750, WMIPRVSE.EXE-28F301A9
2015-11-15 00:02:07.453124, RUNDLL32.EXE-451FC2C0
2015-11-15 00:01:50.765626, GOOGLEUPDATE.EXE-1E123D86
2015-11-15 00:01:08, NTOSBOOT-B00DFAAD


Using the --csv / -c flag will provide results in CSV format:

Last Executed, Executable Name, Run Count
2016-01-20 16:01:27.680128, ADOBEIPCBROKER.EXE-c8d02fab, 1
2016-01-20 16:59:42.077480, CREATIVE CLOUD UNINSTALLER.EX-216b8ea8, 1
2016-01-19 18:07:18.101626, MSIEXEC.EXE-a2d55cb6, 37237
2016-01-20 16:11:15.818394, ACRODIST.EXE-782bc2b2, 1


Testing on the prefetch file types below has been completed successfully:

  • Windows XP (version 17)
  • Windows 7 (version 23)
  • Windows 8.1 (version 26)
  • Windows 10 (version 30)


This project would not have been possible without the work of others much smarter than I. The prefetch file format is not officially documented by Microsoft and has been understood through reverse engineering, and trial-and-error.

Additionally, Without the excellent work by Francesco Picasso in understanding the Windows 10 prefetch compression method, I would not have been able to get Windows 10 parsed here. I use a modified version of his decompression script in Francesco’s original script can be found at the link below:

To gain a better understanding of the prefetch file format, check out the following resources; which were all used as references for the creation of my script:

ForensicsWiki: Windows Prefetch File Format

Libyal Project: libscca

Zena Forensics: A first look at Windows 10 Prefetch files

Python Requirements

  • from argparse import ArgumentParser
  • import binascii
  • import collections
  • import ctypes
  • from datetime import datetime,timedelta
  • import json
  • import os
  • import struct
  • import sys
  • import tempfile

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for windowsprefetch, version 3.0.5
Filename, size File type Python version Upload date Hashes
Filename, size windowsprefetch-3.0.5.tar.gz (8.4 kB) File type Source Python version None Upload date Hashes View hashes

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN SignalFx SignalFx Supporter DigiCert DigiCert EV certificate StatusPage StatusPage Status page