What is Windows Prefetch? (glossary)

Windows Prefetch is the folder of .pf files the Prefetcher writes to make application startup faster. The Prefetcher records which DLLs and data files a binary loads in its first ~10 seconds, so Windows can pre-fault them next time. The forensic value is a side effect: the .pf exists if and only if the binary actually ran (assuming Prefetch is on, which it is by default on desktop builds).

That makes Prefetch the strongest Windows artefact for proving execution. It is the canonical thing to pair with Amcache when "did this binary run?" matters.

What each .pf carries#

Field Meaning
Executable name From the filename.
Path hash The suffix on the filename. Not a content hash.
Run count How many times the binary has been launched.
Last run times Up to 8 (Win 7/8/10), 10 on Win 11.
Files loaded DLLs and data files referenced in the first ~10s of execution.
Volumes referenced Source volume serial numbers.

Prefetch vs Amcache#

Prefetch Amcache
Proves execution Yes No, presence only
Records content hash No (path hash only) Yes (SHA-1)
Records run times Yes, up to 8 or 10 No
Records publisher / version No Yes
Survives binary deletion Yes Yes
Default-on desktops Yes Yes
Default-on Servers Often off On (slower cadence)

For the full comparison, see Amcache vs Prefetch.

When each one wins#

Prefetch wins on: "did this run?", "when?", "what did it load?". The files-loaded list often surfaces injected DLLs you would not otherwise see.

Amcache wins on: "what is its SHA-1?", "was it present but never run?", "what about drivers and devices?". And Amcache routinely survives much longer than Prefetch, which rolls over at around 1024 entries on modern Windows.

Parsing tools#

  • PECmd (Eric Zimmerman). Standard.
  • Windows-Prefetch-Parser. Older Python alternative, occasionally still useful.

Related posts

  • What is SRUM (SRUDB.dat)? (glossary)

    SRUM is the ESE database Windows uses to track per-application resource usage by hour over 30-60 days. The only Windows artefact with per-app network-byte totals. Critical for exfil.

  • What's a .pf file vs an Amcache entry?

    .pf is execution proof with run times. Amcache is presence with hash and metadata. Same binary in both, only one, or neither, and which combination it is matters.

  • What is Shimcache (AppCompatCache)? (glossary)

    Shimcache is the kernel-maintained loader cache in the SYSTEM hive. 1024 entries, no hash, stale until reboot. Different from Amcache; pair them.

  • What is Amcache ProgramId? (glossary)

    ProgramId is the 44-character application-identity hash Amcache stores. Stable across hosts for the same install. Catches re-compiles and renames where Hash misses.

Back to all posts