Windows Prefetch files

When a program is run in Windows, the operating system records information about that program for future use, so that it can be loaded more quickly the next time it runs. This information is stored in prefetch files, which are located in the C:\Windows\Prefetch directory.

Prefetch files have the extension .pf. They contain the last run times of the application, the number of times the application was run, and the files and device handles used by the application. This makes them an excellent source of information about the programs and files that were recently executed.

We can use Prefetch Parser (PECmd.exe) from Eric Zimmerman's tools for parsing Prefetch files and extracting data. When we run PECmd.exe in an elevated command prompt, we get this output:

user@machine$ PECmd.exe

PECmd version 1.4.0.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/PECmd

        d               Directory to recursively process. Either this or -f is required
        f               File to process. Either this or -d is required
        k               Comma separated list of keywords to highlight in output. By default, 'temp' and 'tmp' are highlighted. Any additional keywords will be added to these.
        o               When specified, save prefetch file bytes to the given path. Useful to look at decompressed Win10 files
        q               Do not dump full details about each file processed. Speeds up processing when using --json or --csv. Default is FALSE

        json            Directory to save json representation to.
        jsonf           File name to save JSON formatted results to. When present, overrides default name
        csv             Directory to save CSV results to. Be sure to include the full path in double quotes
        csvf            File name to save CSV formatted results to. When present, overrides default name
        html            Directory to save xhtml formatted results to. Be sure to include the full path in double quotes
        dt              The custom date/time format to use when displaying timestamps. See https://goo.gl/CNVq0k for options. Default is: yyyy-MM-dd HH:mm:ss
        mp              When true, display higher precision for timestamps. Default is FALSE

        vss             Process all Volume Shadow Copies that exist on drive specified by -f or -d . Default is FALSE
        dedupe          Deduplicate -f or -d & VSCs based on SHA-1. First file found wins. Default is TRUE

        debug           Show debug information during processing
        trace           Show trace information during processing

Examples: PECmd.exe -f "C:\Temp\CALC.EXE-3FBEF7FD.pf"
          PECmd.exe -f "C:\Temp\CALC.EXE-3FBEF7FD.pf" --json "D:\jsonOutput" --jsonpretty
          PECmd.exe -d "C:\Temp" -k "system32, fonts"
          PECmd.exe -d "C:\Temp" --csv "c:\temp" --csvf foo.csv --json c:\temp\json
          PECmd.exe -d "C:\Windows\Prefetch"

          Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes

Either -f or -d is required. Exiting

To run Prefetch Parser on a file and save the results in a CSV, we can use the following command:

PECmd.exe -f <path-to-Prefetch-files> --csv <path-to-save-csv>

Similarly, for parsing a whole directory, we can use the following command:

PECmd.exe -d <path-to-Prefetch-directory> --csv <path-to-save-csv>

We can use this information to answer the questions at the end.
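To show what PECmd is reading when it reports the executable name, run count and last run time, here is a minimal parser for the uncompressed Prefetch file header. This is an added example, not code from the room or from PECmd. The field offsets are taken from public documentation of the format for versions 17 (Windows XP) and 23 (Vista/7); Windows 8.1/10 files use different offsets, and Windows 10 files are additionally compressed (they start with a MAM header), which is why PECmd offers -o to write out the decompressed bytes. The sample file is constructed in memory; its executable name and hash reuse the CALC.EXE-3FBEF7FD.pf example from PECmd's usage text, while the timestamp and run count are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

# Header offsets assumed from public documentation of the uncompressed Prefetch
# format (libscca). Version 17 = Windows XP/2003, version 23 = Vista/7. Newer
# versions (26/30) lay the file information block out differently and Windows 10
# files are MAM-compressed, so both are rejected rather than misparsed.
LAST_RUN_OFFSET = {17: 120, 23: 128}
RUN_COUNT_OFFSET = {17: 144, 23: 152}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100-ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used only to build the sample file."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch(data):
    """Return executable name, hash, run count and last run time from a .pf blob."""
    if data[:3] == b"MAM":
        raise ValueError("compressed Windows 10 prefetch file: decompress it first")
    if len(data) < 84 or data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature: not an uncompressed prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAST_RUN_OFFSET:
        raise ValueError(f"unsupported prefetch format version {version}")
    if len(data) < RUN_COUNT_OFFSET[version] + 4:
        raise ValueError("file truncated before the run count field")
    # 60-byte UTF-16LE field at offset 16, NUL padded
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 76)[0]
    last_run_ft = struct.unpack_from("<Q", data, LAST_RUN_OFFSET[version])[0]
    run_count = struct.unpack_from("<I", data, RUN_COUNT_OFFSET[version])[0]
    return {
        "version": version,
        "executable": exe_name,
        "hash": f"{prefetch_hash:08X}",
        # The on-disk name is built from these two fields, e.g. CALC.EXE-3FBEF7FD.pf;
        # a mismatch between this and the actual file name is worth a closer look.
        "expected_filename": f"{exe_name}-{prefetch_hash:08X}.pf",
        "last_run": filetime_to_datetime(last_run_ft),
        "run_count": run_count,
    }


def build_sample_prefetch(exe_name, prefetch_hash, last_run, run_count):
    """Constructed version-23 header carrying only the fields this parser reads."""
    buf = bytearray(240)  # 84-byte file header + 156-byte file information block
    struct.pack_into("<I", buf, 0, 23)
    buf[4:8] = b"SCCA"
    struct.pack_into("<I", buf, 12, len(buf))
    name = exe_name.encode("utf-16-le")
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, prefetch_hash)
    struct.pack_into("<Q", buf, LAST_RUN_OFFSET[23], datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, RUN_COUNT_OFFSET[23], run_count)
    return bytes(buf)


# Constructed sample: name and hash match the CALC.EXE example from PECmd's
# usage text; the timestamp and run count are invented.
SAMPLE_PREFETCH = build_sample_prefetch(
    "CALC.EXE", 0x3FBEF7FD,
    datetime(2021, 3, 1, 12, 0, 0, tzinfo=timezone.utc), 7,
)

if __name__ == "__main__":
    for key, value in parse_prefetch(SAMPLE_PREFETCH).items():
        print(f"{key:18}{value}")
```

On a real Windows 7 image you would pass the bytes of a file from C:\Windows\Prefetch to parse_prefetch; for Windows 10 files, decompress them first (PECmd -o writes that form) or simply use PECmd, which handles every version.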

Windows 10 Timeline

Windows 10 stores recently used applications and files in an SQLite database called the Windows 10 Timeline. This data can be a source of information about the last executed programs. It contains the application that was executed and the focus time of the application. The Windows 10 timeline can be found at the following location:

C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform\{randomfolder}\ActivitiesCache.db

We can use Eric Zimmerman's WxTCmd.exe for parsing the Windows 10 Timeline. We get the following options when we run it:

user@machine$ WxTCmd.exe

WxTCmd version 0.6.0.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/WxTCmd

        f               File to process. Required
        csv             Directory to save CSV formatted results to. Be sure to include the full path in double quotes
        dt              The custom date/time format to use when displaying timestamps. See https://goo.gl/CNVq0k for options. Default is: yyyy-MM-dd HH:mm:ss

Examples: WxTCmd.exe -f "C:\Users\eric\AppData\Local\ConnectedDevicesPlatform\L.eric\ActivitiesCache.db" --csv c:\temp

          Database files are typically found at 'C:\Users\\AppData\Local\ConnectedDevicesPlatform\L.\ActivitiesCache.db'

          Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes

-f is required. Exiting

We can use the following command to run WxTCmd:

WxTCmd.exe -f <path-to-timeline-file> --csv <path-to-save-csv>
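To make concrete what "application executed" and "focus time" mean in the Timeline database, here is an added example (not code from the room or from WxTCmd) that queries a constructed copy of the Activity table with Python's sqlite3 module. It assumes, subject to checking against WxTCmd's CSV on a real ActivitiesCache.db, that AppId is a JSON list of {"application", "platform"} entries, that StartTime and EndTime are Unix epoch seconds, and that ActivityType 6 marks an interval during which the application was in focus. The rows, paths and timestamps are all constructed; open_db is the only function meant for a real file.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Assumed meaning of the Activity table columns (verify against WxTCmd output):
# AppId = JSON list of {"application": path, "platform": kind}, StartTime and
# EndTime = Unix seconds, ActivityType 6 = application in focus.
FOCUS_ACTIVITY_TYPE = 6

NOTEPAD = "C:\\Windows\\System32\\notepad.exe"
MSPAINT = "C:\\Windows\\System32\\mspaint.exe"


def app_id_json(path):
    """Build an AppId value in the assumed JSON shape."""
    return json.dumps([{"application": path, "platform": "x_exe_path"}])


# Constructed rows: (Id, AppId, ActivityType, StartTime, EndTime).
# Timestamps fall on 2021-03-01 UTC (1614600000 = 12:00:00).
SAMPLE_ROWS = [
    ("a1", app_id_json(NOTEPAD), 5, 1614600000, 0),           # opened, no focus span
    ("a2", app_id_json(NOTEPAD), 6, 1614600000, 1614600120),  # 120 s in focus
    ("a3", app_id_json(MSPAINT), 6, 1614601000, 1614601030),  # 30 s in focus
    ("a4", app_id_json(NOTEPAD), 6, 1614603600, 1614603660),  # 60 s in focus
    ("a5", app_id_json(MSPAINT), 6, 1614605000, 0),           # still open: no EndTime
]


def build_sample_db():
    """In-memory SQLite database holding the subset of Activity columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Activity (Id TEXT, AppId TEXT, ActivityType INTEGER, "
        "StartTime INTEGER, EndTime INTEGER)"
    )
    conn.executemany("INSERT INTO Activity VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def application_from_app_id(app_id):
    """Extract the executable path from the AppId JSON list."""
    entries = json.loads(app_id)
    for entry in entries:
        if entry.get("platform") == "x_exe_path":
            return entry.get("application")
    return entries[0].get("application") if entries else None


def focus_seconds_by_app(conn):
    """Total focus time per application, counting only closed focus intervals."""
    rows = conn.execute(
        "SELECT AppId, StartTime, EndTime FROM Activity "
        "WHERE ActivityType = ? AND EndTime > StartTime",
        (FOCUS_ACTIVITY_TYPE,),
    )
    totals = {}
    for app_id, start, end in rows:
        app = application_from_app_id(app_id)
        totals[app] = totals.get(app, 0) + (end - start)
    return totals


def last_start_by_app(conn):
    """Most recent StartTime per application as ISO 8601 UTC strings."""
    rows = conn.execute("SELECT AppId, MAX(StartTime) FROM Activity GROUP BY AppId")
    return {
        application_from_app_id(app_id):
            datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
        for app_id, ts in rows
    }


def open_db(path):
    """Open a real ActivitiesCache.db read-only; work on a copy taken from the image."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    db = build_sample_db()
    print("focus seconds:", focus_seconds_by_app(db))
    print("last start:   ", last_start_by_app(db))
```

Only intervals with an EndTime later than their StartTime are summed, so an activity still in progress when the database was captured is not counted as focus time but still contributes to the "last started" view.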

Windows Jump Lists

Windows introduced jump lists to help users go directly to their recently used files from the taskbar. We can view jumplists by right-clicking an application's icon in the taskbar, and it will show us the recently opened files in that application. This data is stored in the following directory:

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Jump Lists record, against the AppID of each application, the applications executed along with the first and last times they were executed.

We can use Eric Zimmerman's JLECmd.exe to parse Jump Lists. We get the following options when we run it:

user@machine$ JLECmd.exe

JLECmd version 1.4.0.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/JLECmd

        d               Directory to recursively process. Either this or -f is required
        f               File to process. Either this or -d is required
        q               Only show the filename being processed vs all output. Useful to speed up exporting to json and/or csv. Default is FALSE

        all             Process all files in directory vs. only files matching *.automaticDestinations-ms or *.customDestinations-ms. Default is FALSE

        csv             Directory to save CSV formatted results to. Be sure to include the full path in double quotes
        csvf            File name to save CSV formatted results to. When present, overrides default name

        html            Directory to save xhtml formatted results to. Be sure to include the full path in double quotes
        json            Directory to save json representation to. Use --pretty for a more human readable layout
        pretty          When exporting to json, use a more human readable layout. Default is FALSE

        ld              Include more information about lnk files. Default is FALSE
        fd              Include full information about lnk files (Alternatively, dump lnk files using --dumpTo and process with LECmd). Default is FALSE

        appIds          Path to file containing AppIDs and descriptions (appid|description format). New appIds are added to the built-in list, existing appIds will have their descriptions updated
        dumpTo          Directory to save exported lnk files
        withDir         When true, show contents of Directory not accounted for in DestList entries
        Debug           Debug mode

        dt              The custom date/time format to use when displaying timestamps. See https://goo.gl/CNVq0k for options. Default is: yyyy-MM-dd HH:mm:ss
        mp              Display higher precision for timestamps. Default is FALSE

Examples: JLECmd.exe -f "C:\Temp\f01b4d95cf55d32a.customDestinations-ms" --mp
          JLECmd.exe -f "C:\Temp\f01b4d95cf55d32a.automaticDestinations-ms" --json "D:\jsonOutput" --jsonpretty
          JLECmd.exe -d "C:\CustomDestinations" --csv "c:\temp" --html "c:\temp" -q
          JLECmd.exe -d "C:\Users\e\AppData\Roaming\Microsoft\Windows\Recent" --dt "ddd yyyy MM dd HH:mm:ss.fff"

          Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes

Either -f or -d is required. Exiting

We can use the following command to parse Jumplists using JLECmd.exe:

JLECmd.exe -f <path-to-Jumplist-file> --csv <path-to-save-csv>