What is Windows Prefetch? (glossary)
Windows Prefetch is a directory of .pf files at
C:\Windows\Prefetch\ maintained by the Prefetcher subsystem.
Each .pf file is created the first time a binary executes and
updated on subsequent runs. The file records up to 8 execution
timestamps (10 on Windows 11), a run count, and the list of files
the binary loaded in its first 10 seconds of execution.
It is the strongest Windows artefact for proving execution.
A .pf exists if and only if the binary actually ran (assuming
Prefetch is enabled, which it is by default on Windows desktops).
What each .pf contains
| Field | Value |
|---|---|
| Executable name | From the filename, e.g. NOTEPAD.EXE. |
| Path hash | Suffix on the filename — not a content hash. |
| Run count | How many times the binary ran. |
| Last run time(s) | Up to 8 timestamps (10 on Win 11). |
| Files loaded | DLLs and data files referenced in first ~10s. |
| Volumes referenced | Source volume serial numbers. |
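As an added example (not code from the original page), a small pure-Python reader for the fields in the table above: it parses the header, pulls run times and run count for the Windows 7 (v23) and Windows 8.1 (v26) layouts, flags the compressed form Windows 10+ writes, and cross-checks the hash suffix in the filename against the hash stored in the header. The field offsets in `LAYOUTS` are assumed from the published format descriptions; the sample file built by `build_sample_pf` is constructed here, not a real capture.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# (run-times offset, number of run-time slots, run-count offset) inside the
# file-information block that follows the 84-byte header. Assumed from the
# published format descriptions; the Windows 10/11 v30 layout is left out.
LAYOUTS = {23: (0x2C, 1, 0x44), 26: (0x2C, 8, 0x7C)}

def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)  # 100 ns ticks since 1601

def parse_pf(data, filename=None):
    """Return header fields, run times and run count of an uncompressed .pf."""
    if data[:4] == b"MAM\x04":
        # Windows 10+ writes .pf files LZXPRESS-Huffman compressed; decompress
        # first (e.g. RtlDecompressBufferEx) before the layout below applies.
        size, = struct.unpack_from("<I", data, 4)
        return {"compressed": True, "uncompressed_size": size}
    version, sig, _, size = struct.unpack_from("<I4sII", data, 0)
    if sig != b"SCCA":
        raise ValueError("not a Prefetch file")
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    path_hash, = struct.unpack_from("<I", data, 76)
    rec = {"compressed": False, "version": version, "name": name,
           "path_hash": f"{path_hash:08X}", "run_count": None, "run_times": []}
    if version in LAYOUTS:
        t_off, n_times, c_off = LAYOUTS[version]
        times = struct.unpack_from(f"<{n_times}Q", data, 84 + t_off)
        rec["run_times"] = [filetime_to_dt(t) for t in times if t]  # empty slots are 0
        rec["run_count"], = struct.unpack_from("<I", data, 84 + c_off)
    if filename:
        # NAME-HASH.pf: the suffix hashes the executable's path (not its content)
        # and must equal the header hash; a mismatch means the .pf was renamed.
        suffix = filename.rsplit("-", 1)[-1].split(".")[0].upper()
        rec["name_matches_hash"] = suffix == rec["path_hash"]
    return rec

def build_sample_pf(name, path_hash, run_times, run_count, version=26):
    """Constructed sample .pf for offline testing; not a real capture."""
    t_off, n_times, c_off = LAYOUTS[version]
    body = bytearray(84 + c_off + 4)
    struct.pack_into("<I4sII", body, 0, version, b"SCCA", 0x11, len(body))
    body[16:16 + 2 * len(name)] = name.encode("utf-16-le")
    struct.pack_into("<I", body, 76, path_hash)
    slots = list(run_times) + [0] * (n_times - len(run_times))
    struct.pack_into(f"<{n_times}Q", body, 84 + t_off, *slots)
    struct.pack_into("<I", body, 84 + c_off, run_count)
    return bytes(body)
```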
Prefetch vs Amcache
| | Prefetch | Amcache |
|---|---|---|
| Proves execution? | Yes | No — presence only |
| Records hash? | No (path hash only) | Yes (SHA-1) |
| Records run times? | Yes, up to 8/10 | No |
| Records publisher / version? | No | Yes |
| Survives binary deletion? | Yes (the .pf remains unless it is itself deleted) | Yes |
| Default-on? | Yes (desktops) | Yes |
| Common Server default? | Often disabled | Enabled |
For full coverage, see Amcache vs Prefetch.
When Prefetch wins
- "Did this binary actually execute?" — .pf existence is definitive.
- "When did it run?" — up to 8/10 timestamps per binary.
- "What did it load?" — the files-loaded list often surfaces DLLs the attacker injected.
When Amcache wins
- "What's the SHA-1?" — Prefetch has no content hash.
- "Was this binary present but never run?" — Amcache catches it; Prefetch does not exist for never-run binaries.
- "Driver / device evidence" — Amcache has dedicated schemas; Prefetch only records userspace PE execution.
Parsing tools
- PECmd (Zimmerman) — produces structured CSV from a Prefetch directory. The standard tool for parsing Windows Prefetch files.
- Windows-Prefetch-Parser — older Python alternative.
For the broader execution-evidence picture, see Amcache vs ShimCache.
Related terms
- Amcache.hve — the presence-evidence artefact.
- ShimCache — the kernel-side loader cache.
- SRUM — the long-window resource-usage artefact.
Related posts
- What is SRUM (SRUDB.dat)? (glossary)
SRUM is the Windows System Resource Usage Monitor — an ESE database recording per-application CPU, network, and I/O usage in hour buckets over 30-60 days.
- What's a .pf file vs an Amcache entry?
.pf files are Windows Prefetch records — proof a binary executed, with run timestamps and loaded-files lists. Amcache entries record presence, with the SHA-1 hash and metadata.
- What is ShimCache (AppCompatCache)? (glossary)
ShimCache is a kernel-maintained cache in the SYSTEM registry hive recording up to 1024 binaries the Windows loader has touched. Different from Amcache.
- What is Amcache ProgramId? (glossary)
ProgramId is the 44-character application-identity hash Amcache assigns to each logical application. The same ProgramId on different hosts means the same application install.