WinPrefetchView
Description
Each time an application is run in a Windows based system, registry keys and a prefetch file (%windir%\*.pf) which contains information about the files loaded by the application are created. The information in the prefetch files are used for optimizing the loading time of the application for the next times it will be run.
The prefetch directory seems to be limited to 128 entries.
WinPrefetchView is a small utility that reads the prefetch files and displays the information stored in them (files used, files loaded on Windows boot).
Installation
WinPrefecthFile can be downloaded here: http://www.nirsoft.net/utils/winprefetchview.zip.
Unzip the zip archive and start WinPrefetchView.exe either in Command Line (CLI) or in Graphical (GUI) mode.
Command line options
- /folder <Folder>
- Start WinPrefetchView with Prefetch folder from another instance of Windows operating system.
- /prefetchfile <Filename>
- You can use this command-line parameter with the other save commands (/shtml, /stab, and so on) in order to export the records of specific .pf file into text/html/csv file
- Example: WinPrefetchView.exe /shtml "C:\temp\records.html" /prefetchfile "C:\windows\Prefetch\NTOSBOOT-B00DFAAD.pf"
- /stext <Filename>
- Save the list of Prefetch files into a regular text file.
- /stab <Filename>
- Save the list of Prefetch files into a tab-delimited text file.
- /scomma <Filename>
- Save the list of Prefetch files into a comma-delimited text file (csv).
- /stabular <Filename>
- Save the list of Prefetch files into a tabular text file.
- /shtml <Filename>
- Save the list of Prefetch files into HTML file (Horizontal).
- /sverhtml <Filename>
- Save the list of Prefetch files into HTML file (Vertical).
- /sxml <Filename>
- Save the list of Prefetch files into XML file.
- /sort <column>
- This command-line option can be used with other save options for sorting by the desired column. If you don't specify this option, the list is sorted according to the last sort that you made from the user interface.
- The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "File Size" and "Filename". You can specify the '~' prefix character (e.g: "~Created Time") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns.
- Examples:
- WinPrefetchView.exe /shtml "f:\temp\Prefetch.html" /sort 2 /sort ~1
- WinPrefetchView.exe /shtml "f:\temp\Prefetch.html" /sort "~Modified Time"
- /nosort
- When you specify this command-line option, the list will be saved without any sorting.
Examples
CLI
Say you want to have the list of prefetch files via a remote connections. You can achieve this with PsExec.
C:\pstools> psexec \\192.168.1.24 -u administrator -p password -c WinPrefetchView.exe /stext d:\temp\prefetch.txt
It will create a file D:\temp\prefetch.txt on the target as follows:
================================================== Filename : WORDPAD.EXE-02314C89.pf Created Time : 02/04/2013 19:22:11 Modified Time : 02/04/2013 21:07:02 File Size : 25 212 Process EXE : WORDPAD.EXE Process Path : C:\PROGRAM FILES\WINDOWS NT\ACCESSOIRES\wordpad.exe Run Counter : 2 Last Run Time : 02/04/2013 21:06:52 ================================================== ================================================== Filename : WPFFONTCACHE_V0400.EXE-212A3846.pf Created Time : 29/03/2013 15:30:48 Modified Time : 29/03/2013 23:46:46 File Size : 19 582 Process EXE : WPFFONTCACHE_V0400.EXE Process Path : C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\WPF\WPFFONTCAC HE_V0400.EXE Run Counter : 2 Last Run Time : 29/03/2013 23:46:36 ================================================== ================================================== Filename : WSCNTFY.EXE-1B24F5EB.pf Created Time : 21/01/2012 18:09:48 Modified Time : 02/04/2013 21:34:27 File Size : 11 538 Process EXE : WSCNTFY.EXE Process Path : C:\WINDOWS\system32\wscntfy.exe Run Counter : 239 Last Run Time : 02/04/2013 21:34:17 ================================================== [REMOVED]
GUI
In GUI mode, the window looks like this:
