What is Windows Prefetch? (glossary)
Windows Prefetch is the folder of .pf files the Prefetcher writes to make application startup faster. The Prefetcher records which DLLs and data files a binary loads in its first ~10 seconds, so Windows can pre-fault them next time. The forensic value is a side effect: the .pf exists if and only if the binary actually ran (assuming Prefetch is on, which it is by default on desktop builds).
That makes Prefetch the strongest Windows artefact for proving execution. It is the canonical thing to pair with Amcache when "did this binary run?" matters.
What each .pf carries#
| Field | Meaning |
|---|---|
| Executable name | From the filename. |
| Path hash | The suffix on the filename. Not a content hash. |
| Run count | How many times the binary has been launched. |
| Last run times | Up to 8 (Win 7/8/10), 10 on Win 11. |
| Files loaded | DLLs and data files referenced in the first ~10s of execution. |
| Volumes referenced | Source volume serial numbers. |
Prefetch vs Amcache#
| Prefetch | Amcache | |
|---|---|---|
| Proves execution | Yes | No, presence only |
| Records content hash | No (path hash only) | Yes (SHA-1) |
| Records run times | Yes, up to 8 or 10 | No |
| Records publisher / version | No | Yes |
| Survives binary deletion | Yes | Yes |
| Default-on desktops | Yes | Yes |
| Default-on Servers | Often off | On (slower cadence) |
For the full comparison, see Amcache vs Prefetch.
When each one wins#
Prefetch wins on: "did this run?", "when?", "what did it load?". The files-loaded list often surfaces injected DLLs you would not otherwise see.
Amcache wins on: "what is its SHA-1?", "was it present but never run?", "what about drivers and devices?". And Amcache routinely survives much longer than Prefetch, which rolls over at around 1024 entries on modern Windows.
Parsing tools#
- PECmd (Eric Zimmerman). Standard.
- Windows-Prefetch-Parser. Older Python alternative, occasionally still useful.
Related terms#
Related posts
- What is SRUM (SRUDB.dat)? (glossary)
SRUM is the ESE database Windows uses to track per-application resource usage by hour over 30-60 days. The only Windows artefact with per-app network-byte totals. Critical for exfil.
- What's a .pf file vs an Amcache entry?
.pf is execution proof with run times. Amcache is presence with hash and metadata. Same binary in both, only one, or neither, and which combination it is matters.
- What is Shimcache (AppCompatCache)? (glossary)
Shimcache is the kernel-maintained loader cache in the SYSTEM hive. 1024 entries, no hash, stale until reboot. Different from Amcache; pair them.
- What is Amcache ProgramId? (glossary)
ProgramId is the 44-character application-identity hash Amcache stores. Stable across hosts for the same install. Catches re-compiles and renames where Hash misses.