What's a .pf file vs an Amcache entry?

A .pf file proves the binary executed. An Amcache entry records that the file was on disk. Same binary can appear in both, in only one, or in neither, and which combination you observe is itself investigative information.

Side by side#

.pf (Prefetch) Amcache entry
Where it lives C:\Windows\Prefetch\NAME.EXE-1A2B3C4D.pf Sub-key inside Amcache.hve
Created when First time the binary runs First appraiser pass after the file appears
Maintained by Prefetcher subsystem Compatibility Appraiser task
Proves execution Yes No
Proves presence Yes (implicit, must have existed to run) Yes
SHA-1 No (path hash only) Yes (first 31 MiB)
Publisher / version No Yes
Run timestamps Yes, up to 8 (10 on Win 11) No
Inventory time No Yes (KeyLastWriteTimestamp)
Survives binary deletion Yes (.pf survives file delete) Yes
Default-on desktops Yes Yes
Default-on Servers Often disabled Enabled (slower cadence)

The four states and what each one means#

Both present#

The binary ran and the appraiser inventoried it. You have execution proof (Prefetch run times) and identity (Amcache hash + metadata). Normal case for normal software, and also for attacker tooling that didn't bother to self-delete.

Prefetch only#

The binary ran. Amcache never recorded it. Two likely reasons:

  1. The binary was deleted before the next appraiser pass. Classic stager / dropper pattern (Cobalt Strike beacons, Sliver implants, Metasploit payloads that self-delete).
  2. The binary lived in a path the appraiser does not scan.

This is a strong signal for deliberate cleanup. The file existed long enough to run and then disappeared. Worth paying close attention to.

Amcache only#

The binary is present but never executed under its own name. Reasons:

  1. Staged tool waiting for a trigger.
  2. DLL loaded only via rundll32.exe / regsvr32.exe / LoadLibrary from another EXE. That updates the other EXE's .pf, not this DLL's.
  3. Prefetch disabled on the host.

"Present but never ran" is a different finding from "executed". Useful for catching staged-but-unused tools and pre-positioned implants.

Both absent#

The binary never executed and the appraiser never saw it. Closest you get to "this never happened on this host". Not conclusive. Both artefacts can be wiped, both have coverage gaps, and short-lived files dropped and deleted between appraiser passes can leave no trace in either.

The combined workflow#

  1. Parse Amcache with AmcacheParser.
  2. Parse Prefetch with PECmd.
  3. Load both CSVs into Timeline Explorer.
  4. Apply the "unsigned PE in user-writable path" filter to Amcache.
  5. For each Amcache hit, check whether a .pf exists for the same name. Present means execution confirmed. Absent means presence-only.
  6. For each .pf, take the executable name and look up Amcache for hash and metadata.

For the full comparison, see Amcache vs Prefetch.

Related posts

  • Amcache vs Prefetch: what each one really proves

    Amcache records presence. Prefetch records execution. Where they overlap, they corroborate. Where they diverge, the divergence is the finding.

  • Why is my Amcache.hve empty?

    Three causes in order of frequency: appraiser disabled, host freshly imaged, or you're on a Server where the cadence is naturally slow. Tampering is a distant fourth.

  • Where is the Amcache registry key?

    Amcache is its own hive file, not a key under HKLM. Loaded on demand by the appraiser. Mounts at HKLM\Amcache when active.

  • What does Amcache.hve contain?

    Inventory records for every PE, driver, application, and connected device the Compatibility Appraiser has seen. SHA-1, full path, publisher, and timestamps per entry.

Back to all posts