Prefetch Files - Foren-Ken/tech-journal GitHub Wiki

What Is Prefetch and Why Should I Care?

A Prefetch file is created for each application. Its purpose is to reduce the time needed to fetch the files a program requires to run, in order to optimize system startup. Prefetch files are located in the C:\Windows\Prefetch folder and can be used to prove that a file was run on the Windows device. The value of Prefetch is that it will always record when an EXE is run, and that record won't disappear when the EXE is deleted from the system.

Each file within C:\Windows\Prefetch ends in .pf, symbolizing Pre-Fetch.

Prefetch shows the following:

  1. File paths of files/folders accessed during the first 10 seconds of the application's run.
  2. Number of times an application was run.
  3. Last time an application was run.
  4. Media information of volumes accessed.
  5. The creation date of the prefetch is the same as the first time the application was run.

SSDs may not contain prefetch files, and Windows Server also does not contain prefetch files. To disable Prefetch, the following registry key would need to be accessed: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

SuperFetch is for programs which start during system startup. Not much is known due to the lack of research.