Does a .pf file prove execution?

Yes. The Prefetcher creates a .pf file the first time a binary executes and updates it on subsequent runs. The mere existence of a .pf file is execution evidence (assuming Prefetch is enabled, which it is by default on Windows desktop builds).

Does an Amcache entry prove execution?

No. Amcache records presence — that the appraiser saw the file on disk during an inventory pass. A binary can appear in Amcache without ever having executed (e.g. a tool the attacker staged but never ran).

Which has hashes — .pf or Amcache?

Only Amcache. The hash in a .pf filename (e.g. NOTEPAD.EXE-1A2B3C4D.pf) is a Windows-specific path hash, not a content SHA-1. Amcache stores a real SHA-1 of the first 31 MiB of the file in the FileId field.

Which is timestamped more precisely — .pf or Amcache?

.pf files have precise per-run timestamps (up to 8/10 runs per binary). Amcache's KeyLastWriteTimestamp is the appraiser-write time, which can lag the file's actual arrival by up to 24 hours.

Can both .pf and Amcache exist for the same binary?

Usually yes. A binary that ran and was inventoried will have both. A .pf-only binary ran but the appraiser hasn't seen it (often because it was deleted between runs). An Amcache-only binary is present but never executed.

What's the difference between a .pf file and an Amcache entry?

A .pf file is a Windows Prefetch record at C:\Windows\Prefetch\ that exists if and only if the corresponding binary actually executed. It contains up to 8 run timestamps (10 on Windows 11), a run count, and the list of files the binary loaded in its first 10 seconds. An Amcache entry is a sub-key inside Amcache.hve recording that the Compatibility Appraiser inventoried a PE file present on disk — it includes the file's SHA-1 hash, full path, publisher, version, and link date, but it does NOT prove the binary ever ran. .pf files answer 'did this run?'; Amcache entries answer 'was this present?'.

What's a .pf file vs an Amcache entry?

A .pf file proves execution. An Amcache entry records presence. Same binary can appear in both, in only one, or in neither — and which combination you observe is itself investigative information.

Side by side#

	`.pf` file (Prefetch)	Amcache entry
Where it lives	`C:\Windows\Prefetch\NAME.EXE-1A2B3C4D.pf`	Sub-key inside `Amcache.hve`
Created when	First time the binary runs	First time the appraiser inventories the binary
Maintained by	Prefetcher subsystem	Compatibility Appraiser scheduled task
Proves execution?	Yes	No
Proves presence?	Yes (implicit — must have existed to run)	Yes
Has SHA-1 hash?	No (path hash only)	Yes (SHA-1 of first 31 MiB)
Has publisher / version?	No	Yes
Run timestamps?	Yes, up to 8 (10 on Win 11)	No
Inventory timestamps?	No	Yes (`KeyLastWriteTimestamp`)
Survives binary deletion?	Yes (file deletion only)	Yes (registry persistence)
Default-on Windows desktops?	Yes	Yes
Default-on Servers?	Often disabled	Enabled (slower cadence)

The four states#

For any given binary on a host, you observe one of four states. Each carries a different reading:

Both present#

The binary ran, and the appraiser inventoried it. You have execution proof (Prefetch run times) and identity proof (Amcache hash + metadata). Typical case for normal software.

Prefetch only#

The binary ran, but Amcache hasn't recorded it. Two likely reasons:

The binary was deleted before the next appraiser run. Common for stagers / droppers that self-delete after running.
The binary lives in a path the appraiser doesn't scan.

This is a strong signal for deliberate cleanup — the classic Cobalt Strike / Sliver / Metasploit stager pattern.

Amcache only#

The binary is present but never executed (or executed only as a DLL loaded by another EXE, which updates the other EXE's .pf). Reasons:

Staged tool waiting for trigger.
Loaded only via rundll32.exe / regsvr32.exe / LoadLibrary from another process.
Prefetch disabled on this host.

A "present but never ran" finding is very different from "executed". Useful for detecting staged but unused tools.

Both absent#

The binary never executed and the appraiser never inventoried it. Closest you get to "this never happened on this host" — but not conclusive. Both artefacts can be wiped, both have coverage gaps, and intra-appraiser-pass transient binaries can leave no trace.

The combined workflow#

Parse Amcache with AmcacheParser.
Parse Prefetch with PECmd.
Load both CSVs into Timeline Explorer.
Filter Amcache to "unsigned PE in user-writable path".
For each Amcache hit, check whether a .pf exists for the same Name. Present → execution confirmed. Absent → presence-only.
For each .pf, take the executable name and check Amcache for hash and metadata.

For full coverage, see Amcache vs Prefetch.