prefetch-parser / Home

Windows Prefetch file format

This description is mainly based on the awesome work done at Forensics Wiki

In addition, you should check the great Prefetch 101 poster that Jared Atkinson made.

File header

All offsets are relative to the beginning of the file; all integers are little-endian.

| Offset | Length | Type  | Notes |
|--------|--------|-------|-------|
| 0x0000 | 4      | DWORD | Format version: 0x11 (Windows XP, 2003), 0x17 (Windows Vista, 7), 0x1A (Windows 8, 8.1) |
| 0x0004 | 4      | CHAR  | Signature ("magic") string "SCCA" |
| 0x0008 | 4      | DWORD | Unknown |
| 0x000C | 4      | DWORD | Size of the prefetch file, in bytes |
| 0x0010 | 60     | CHAR  | Name of the executable, UTF-16LE encoded, terminated and padded with 0x00 |
| 0x004C | 4      | DWORD | Hash of the executable's path, computed with a proprietary algorithm (see "Checksum algorithms"); the same value, in upper-case hex, forms the HASH part of the EXENAME-HASH.pf file name |
| 0x0050 | 4      | DWORD | Unknown |
| 0x0054 | 4      | DWORD | Offset of Section A, relative to the beginning of the file |
| 0x0058 | 4      | DWORD | Number of entries in Section A |
| 0x005C | 4      | DWORD | Offset of Section B, relative to the beginning of the file |
| 0x0060 | 4      | DWORD | Number of entries in Section B |
| 0x0064 | 4      | DWORD | Offset of Section C, relative to the beginning of the file |
| 0x0068 | 4      | DWORD | Length of Section C, in bytes |
| 0x006C | 4      | DWORD | Offset of Section D, relative to the beginning of the file |
| 0x0070 | 4      | DWORD | Number of Section D blocks |
| 0x0074 | 4      | DWORD | Total length, in bytes, occupied by all Section D blocks |

Windows 10 introduced a newer format version (0x1E) and stores prefetch files compressed: such a file starts with the signature "MAM" followed by the byte 0x04 and the uncompressed size, not with "SCCA", and has to be decompressed before the layout on this page applies.

The remaining data before Section A depends on the format version (which tracks the operating system that produced the file) and is described below. Note that the run timestamps and the execution counter sit at different offsets in each version; parsing a Windows 7 file with the XP offsets silently yields wrong values.

Windows XP (format version 0x11)

| Offset | Length | Type  | Notes |
|--------|--------|-------|-------|
| 0x0078 | 8      | QWORD | Last run timestamp, in FILETIME format (100 nanosecond intervals since January 1st, 1601, UTC) |
| 0x0080 | 16     |       | Unknown |
| 0x0090 | 4      | DWORD | Execution counter |
| 0x0094 | 4      | DWORD | Unknown |

Windows Vista and 7 (format version 0x17)

| Offset | Length | Type  | Notes |
|--------|--------|-------|-------|
| 0x0078 | 8      |       | Unknown |
| 0x0080 | 8      | QWORD | Last run timestamp, in FILETIME format (100 nanosecond intervals since January 1st, 1601, UTC) |
| 0x0088 | 16     |       | Unknown |
| 0x0098 | 4      | DWORD | Execution counter |
| 0x009C | 4      | DWORD | Unknown |

Windows 8 and 8.1 (format version 0x1A)

| Offset | Length | Type  | Notes |
|--------|--------|-------|-------|
| 0x0078 | 8      |       | Unknown |
| 0x0080 | 8      | QWORD | Last run timestamp, in FILETIME format (100 nanosecond intervals since January 1st, 1601, UTC) |
| 0x0088 | 7*8    | QWORD | The 7 previous run timestamps, same format, in reverse chronological order; slots that have not been used yet are zero |
| 0x00C0 | 16     |       | Unknown |
| 0x00D0 | 4      | DWORD | Execution counter |
| 0x00D4 | 4      | DWORD | Unknown |

The execution counter keeps counting past eight runs, so on Windows 8 only the eight most recent timestamps are available even when the counter is larger.

Section A

This section is commonly documented (for example by libscca) as the "file metrics" array: one entry per file listed in Section C, carrying the offset and length of that file's string in Section C together with load timing information. The timing fields and the flags are not fully understood.

Format version 0x11 (Windows XP)

Each entry occupies 20 bytes.

| Offset | Length | Type  | Notes |
|--------|--------|-------|-------|
| 0x0000 | 4      | DWORD | Start time |
| 0x0004 | 4      | DWORD | Duration |
| 0x0008 | 4      | DWORD | Offset of the file name string, relative to the beginning of Section C |
| 0x000C | 4      | DWORD | Length of the file name string, in Unicode characters |
| 0x0010 | 4      | DWORD | Flags |

Format versions 0x17 and 0x1A (Windows Vista, 7, 8, 8.1)

Each entry occupies 32 bytes.

| Offset | Length | Type  | Notes |
|--------|--------|-------|-------|
| 0x0000 | 4      | DWORD | Start time |
| 0x0004 | 4      | DWORD | Duration |
| 0x0008 | 4      | DWORD | Average duration |
| 0x000C | 4      | DWORD | Offset of the file name string, relative to the beginning of Section C |
| 0x0010 | 4      | DWORD | Length of the file name string, in Unicode characters |
| 0x0014 | 4      | DWORD | Flags |
| 0x0018 | 8      | QWORD | NTFS file reference (MFT entry number and sequence number) of the file |

Section B

This section is commonly documented as the "trace chains" array. Its exact meaning is still not fully understood: the first DWORD of an entry is the index of the next entry in the chain (0xFFFFFFFF marking the end) and the second DWORD the number of blocks loaded; the remaining 4 bytes are unknown.

Each entry occupies 12 bytes.

Section C (Fileset)

This section is an array of UTF-16LE encoded strings stored back to back, each terminated by U+0000 (two zero bytes); there is no count, so the strings are read until the section length from the header is exhausted.

Each entry is the full device path (for example \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL) of a file that was accessed while the application was loading, which is why this section is the part most used in forensic timelines.

Section D (Volume Information section)

In a prefetch file, you can have 1 Section D per volume involved during the loading of the application.

For example, if you run an EXE from a USB key, you may find one Volume Information block related to your USB key and another one regarding the operating system volume.

This behavior is confirmed on Windows 8 but has not been seen so far on previous Windows versions.

Hereunder offsets are relative to the beginning of one Section D.

| Offset | Length | Type  | Notes |
|--------|--------|-------|-------|
| 0x0000 | 4      | DWORD | Offset of the VolumeID string (UTF-16LE encoded device path, e.g. \DEVICE\HARDDISKVOLUME1), relative to the beginning of the section |
| 0x0004 | 4      | DWORD | Length of the VolumeID string, in Unicode characters, including the terminating U+0000 |
| 0x0008 | 8      | QWORD | Creation timestamp of this volume, in FILETIME format (100 nanosecond intervals since January 1st, 1601, UTC) |
| 0x0010 | 4      | DWORD | Volume serial number |
| 0x0014 | 4      | DWORD | Offset of subsection S1, relative to the beginning of the section |
| 0x0018 | 4      | DWORD | Length of subsection S1, in bytes |
| 0x001C | 4      | DWORD | Offset of the Directory Set array, relative to the beginning of the section |
| 0x0020 | 4      | DWORD | Number of entries in the Directory Set array |

Subsection S1

The meaning of this content is still not fully understood; it is generally believed to hold NTFS file references (MFT entry and sequence numbers) for the files of this volume listed in Section C.

Directory Set

Each entry represents a directory that is involved during the loading of the application.

| Offset | Length     | Type  | Notes |
|--------|------------|-------|-------|
| 0x0000 | 2          | WORD  | String length, in Unicode characters, excluding the terminating U+0000 |
| 0x0002 | length + 1 | WCHAR | Directory name, UTF-16LE encoded, terminated by U+0000 |

Entries follow each other without padding, so the next entry starts 2 + 2 * (length + 1) bytes after the current one.
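The following parser is an added example and not code from the prefetch-parser project. It reads the header, the version-dependent run timestamps and execution counter, the file-name strings of Section C and the volume blocks of Section D, and it runs on a prefetch file that it constructs itself in memory (synthetic test data, not a capture). The timestamp and counter offsets per format version are the ones documented by libscca (XP: 0x78 and 0x90; Vista and 7: 0x80 and 0x98; Windows 8: 0x80 and 0xD0), and the size of a fixed Section D record, which this page does not state, is an assumption taken from the same source.

```python
"""Minimal parser for the uncompressed Windows Prefetch (SCCA) layout.

Added example, not part of the prefetch-parser project. build_sample()
creates synthetic test data; nothing here is captured from a real system.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Format version -> (offset of newest run timestamp, number of timestamp slots,
# offset of the execution counter), relative to the start of the file.
VERSION_LAYOUT = {
    0x11: (0x78, 1, 0x90),   # Windows XP / 2003
    0x17: (0x80, 1, 0x98),   # Windows Vista / 7
    0x1A: (0x80, 8, 0xD0),   # Windows 8 / 8.1: newest + 7 older
}
# Bytes per fixed Section D record. Assumption (libscca format notes); this
# page does not state it, and it only matters when more than one volume exists.
VOLUME_RECORD_SIZE = {0x11: 40, 0x17: 104, 0x1A: 104}


def filetime_to_datetime(ft):
    """100 ns intervals since 1601-01-01 UTC -> timezone-aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_volume(buf, base):
    """Parse one Section D record whose first byte is at absolute offset base."""
    (id_off, id_chars, created, serial, s1_off, s1_len,
     dir_off, dir_count) = struct.unpack_from("<IIQIIIII", buf, base)
    raw_id = buf[base + id_off:base + id_off + 2 * id_chars]   # id_chars includes U+0000
    dirs, pos = [], base + dir_off
    for _ in range(dir_count):
        n = struct.unpack_from("<H", buf, pos)[0]            # chars, terminator excluded
        dirs.append(buf[pos + 2:pos + 2 + 2 * n].decode("utf-16-le"))
        pos += 2 + 2 * (n + 1)                                # WORD + (n + 1) WCHARs
    return {"volume_id": raw_id.decode("utf-16-le").rstrip("\x00"),
            "created": filetime_to_datetime(created), "serial": serial,
            "s1": buf[base + s1_off:base + s1_off + s1_len], "directories": dirs}


def parse_prefetch(buf):
    version, magic, _unknown, size = struct.unpack_from("<I4sII", buf, 0)
    if magic != b"SCCA":   # Windows 10 files start with MAM\x04 and need decompressing first
        raise ValueError("bad magic %r: not an uncompressed prefetch file" % magic)
    if version not in VERSION_LAYOUT:
        raise ValueError("unsupported format version 0x%02X" % version)
    if size != len(buf):
        raise ValueError("size field %d does not match %d bytes read" % (size, len(buf)))
    exe_name = buf[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", buf, 0x4C)[0]
    (a_off, a_count, b_off, b_count, c_off, c_len,
     d_off, d_count, d_len) = struct.unpack_from("<9I", buf, 0x54)
    if c_off + c_len > size or d_off + d_len > size:
        raise ValueError("section offsets point past the end of the file")
    ts_off, ts_slots, rc_off = VERSION_LAYOUT[version]
    raw_times = struct.unpack_from("<%dQ" % ts_slots, buf, ts_off)
    run_times = [filetime_to_datetime(t) for t in raw_times if t]   # unused slots are 0
    run_count = struct.unpack_from("<I", buf, rc_off)[0]
    # Section C: back-to-back U+0000 terminated UTF-16LE strings.
    files = [s for s in buf[c_off:c_off + c_len].decode("utf-16-le").split("\x00") if s]
    stride = VOLUME_RECORD_SIZE[version]
    volumes = [parse_volume(buf, d_off + i * stride) for i in range(d_count)]
    return {"version": version, "executable": exe_name, "hash": path_hash,
            "run_count": run_count, "run_times": run_times, "files": files,
            "volumes": volumes, "section_a": (a_off, a_count),
            "section_b": (b_off, b_count)}


def build_sample(version=0x1A):
    """Construct a synthetic prefetch file for the given version (test data)."""
    ts_off, ts_slots, rc_off = VERSION_LAYOUT[version]
    hdr_len = 0x130   # generous fixed part; real files start Section A earlier
    files = ["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
             "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE"]
    section_c = b"".join(f.encode("utf-16-le") + b"\x00\x00" for f in files)
    vol_id = "\\DEVICE\\HARDDISKVOLUME1"
    vol_id_b = vol_id.encode("utf-16-le") + b"\x00\x00"
    dirs = ["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS",
            "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32"]
    dir_set = b"".join(struct.pack("<H", len(d)) + d.encode("utf-16-le") + b"\x00\x00"
                       for d in dirs)
    rec_size = VOLUME_RECORD_SIZE[version]
    id_off = rec_size                    # volume id string right after the record
    s1_off = id_off + len(vol_id_b)      # S1 left empty, directory set follows it
    record = struct.pack("<IIQIIIII", id_off, len(vol_id) + 1, 0x01CE000000000000,
                         0x1234ABCD, s1_off, 0, s1_off, len(dirs)).ljust(rec_size, b"\x00")
    section_d = record + vol_id_b + dir_set
    c_off, d_off = hdr_len, hdr_len + len(section_c)
    size = d_off + len(section_d)
    hdr = bytearray(hdr_len)
    struct.pack_into("<I4sII", hdr, 0, version, b"SCCA", 0, size)
    hdr[0x10:0x10 + 60] = "NOTEPAD.EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", hdr, 0x4C, 0x12345678)   # placeholder, not a computed hash
    struct.pack_into("<9I", hdr, 0x54, hdr_len, 0, hdr_len, 0,
                     c_off, len(section_c), d_off, 1, len(section_d))
    # Two recorded executions, newest first; remaining slots stay zero.
    times = [0x01D0000000000000, 0x01CFFFFF00000000][:ts_slots]
    struct.pack_into("<%dQ" % len(times), hdr, ts_off, *times)
    struct.pack_into("<I", hdr, rc_off, 2)
    return bytes(hdr) + section_c + section_d


if __name__ == "__main__":
    info = parse_prefetch(build_sample())
    print(info["executable"], info["run_count"], [t.isoformat() for t in info["run_times"]])
    for vol in info["volumes"]:
        print(vol["volume_id"], "%08X" % vol["serial"], vol["directories"])
```

On a real file, replace build_sample() with open(path, "rb").read(); the size check against the header field and the bounds check on the section offsets are what keep a truncated or tampered file from being parsed into nonsense rather than rejected.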

Checksum algorithms

The algorithm depends on the operating system version that created the file, not on the Prefetch file format version: Windows Vista shares format version 0x17 with Windows 7 but uses yet another hash function, which is not covered here. The input of the hash is the full NT device path of the executable (for example \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NOTEPAD.EXE), upper-cased, as UTF-16 code units. The result is stored at offset 0x4C of the header and also forms the hex part of the EXENAME-HASH.pf file name.

Here are Python implementations of the algorithms we have found so far, documented on the Internet.

Windows XP

    def hashFilename(filename):
        """filename is the full device path, upper-cased; iterating a Python
        str yields code points, which equal UTF-16 code units for BMP characters"""
        hash_value = 0
        for c in filename:
            hash_value = ((hash_value * 37) + ord(c)) % 0x100000000
        # multiplier is 314159269 (an earlier revision of this page had a typo here)
        hash_value = (hash_value * 314159269) % 0x100000000
        if hash_value > 0x80000000:
            hash_value = 0x100000000 - hash_value
        return (abs(hash_value) % 1000000007) % 0x100000000

Since Windows 7 (Windows 8, Windows 8.1)

    def hashFilename(filename):
        """filename is the full device path, upper-cased, as in the XP variant"""
        hash_value = 314159
        fname_index = 0
        fname_len = len(filename)
        # consume 8 characters per round, but only while at least 9 remain
        # (this off-by-one is part of the real algorithm, do not "fix" it)
        while fname_index + 8 < fname_len:
            c = ord(filename[fname_index + 1]) * 37
            c += ord(filename[fname_index + 2])
            c *= 37
            c += ord(filename[fname_index + 3])
            c *= 37
            c += ord(filename[fname_index + 4])
            c *= 37
            c += ord(filename[fname_index + 5])
            c *= 37
            c += ord(filename[fname_index + 6])
            c *= 37
            c += ord(filename[fname_index]) * 442596621
            c += ord(filename[fname_index + 7])
            hash_value = ((c - (hash_value * 803794207))) % 0x100000000
            fname_index += 8
        # remaining characters (always at least one) are folded in one at a time
        while fname_index < fname_len:
            hash_value = (((37 * hash_value) + ord(filename[fname_index])) % 0x100000000)
            fname_index += 1
        return hash_value
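The two functions above only produce a number; what a practitioner actually wants is to cross-check the three places the hash shows up: the .pf file name, the header field at 0x4C and the path recovered from Section C. The block below is an added example, not code from the prefetch-parser project. It re-states both algorithms (the Windows 7 one as loops, with identical arithmetic) and adds that check. Assumptions it makes: the hashed input is the full NT device path in upper case, format version 0x17 is taken to mean Windows 7 rather than Vista, and the file name follows the EXENAME-HASH.pf scheme with eight upper-case hex digits.

```python
"""Tie the prefetch hash to the .pf file name and to the hashed path.

Added example, not part of the prefetch-parser project. The path form and
the version -> algorithm mapping are assumptions stated in the lead-in.
"""
import re

MASK32 = 0x100000000


def hash_xp(path):
    """Windows XP algorithm (format version 0x11); path already upper-cased."""
    h = 0
    for ch in path:
        h = (h * 37 + ord(ch)) % MASK32
    h = (h * 314159269) % MASK32
    if h > 0x80000000:
        h = MASK32 - h
    return h % 1000000007


def hash_2008(path):
    """Windows 7 / 8 / 8.1 algorithm, same arithmetic as the unrolled version."""
    h, i, n = 314159, 0, len(path)
    while i + 8 < n:                      # a block is consumed only if 9+ chars remain
        c = ord(path[i + 1])
        for k in range(2, 7):
            c = c * 37 + ord(path[i + k])
        c = c * 37 + ord(path[i]) * 442596621 + ord(path[i + 7])
        h = (c - h * 803794207) % MASK32
        i += 8
    while i < n:                          # tail, one character at a time
        h = (37 * h + ord(path[i])) % MASK32
        i += 1
    return h


# 0x17 is mapped to the Windows 7 function; a Vista file needs the Vista variant.
ALGORITHMS = {0x11: hash_xp, 0x17: hash_2008, 0x1A: hash_2008}
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$")


def expected_pf_name(device_path, version):
    """File name Windows would give the prefetch file for this executable path."""
    upper = device_path.upper()
    return "%s-%08X.pf" % (upper.rsplit("\\", 1)[-1], ALGORITHMS[version](upper))


def check_consistency(pf_name, header_hash, device_path, version):
    """Compare the hash in the .pf name, the header field at 0x4C and the hash
    recomputed from the executable path. Returns a list of mismatches."""
    m = PF_NAME.match(pf_name)
    if not m:
        return ["file name %r is not of the form EXENAME-HASH.pf" % pf_name]
    issues = []
    name_hash = int(m.group("hash"), 16)
    if name_hash != header_hash:
        issues.append("name hash %08X != header hash %08X" % (name_hash, header_hash))
    computed = ALGORITHMS[version](device_path.upper())
    if computed != header_hash:
        issues.append("header hash %08X != hash of %s: %08X"
                      % (header_hash, device_path.upper(), computed))
    return issues


if __name__ == "__main__":
    path = r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NOTEPAD.EXE"
    for ver in (0x11, 0x17, 0x1A):
        print("0x%02X" % ver, expected_pf_name(path, ver))
```

Two caveats when using this on real evidence. For hosting executables such as svchost.exe, rundll32.exe, mmc.exe and dllhost.exe, Windows feeds the command line into the hash as well, which is why several .pf files exist for one such binary and why a plain path will not reproduce their hash. And the hash is only 32 bits: a mismatch between name, header and path is good evidence that a file was renamed or edited, but a match is not proof of identity.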
