Decoding Prefetch Files with Eric Zimmerman's PECmd Tool

Last updated 1 year ago

Was this helpful?

Decoding Prefetch Files with Eric Zimmerman's PECmd Tool

Prefetch files in Windows are used to speed up the loading of software. Analyzing these files can provide insights about program execution history, which is valuable in digital forensics.

Step 1: Download the Tool

Go to to find the latest version of the tool.
Download the PECmd tool, which may be part of his command line tools suite.

Step 2: Prepare the Environment

Extract the downloaded zip file to a folder of your choice.
Place the Prefetch files you wish to analyze into a directory that's easily accessible.

Step 3: Open Command Prompt and Navigate to the Tool's Directory

Win + R, type cmd, and hit Enter to open the Command Prompt.

cd C:\Users\Profile\IR\Tools

Step 4: Execute the PECmd Tool

To analyze a single Prefetch file:

.\PECmd.exe -f C:\Windows\Prefetch\BRAVE.EXE-E6B9ADB7.pf

For analyzing all Prefetch files in a directory:

.\PECmd.exe -d C:\Windows\Prefetch\

Step 5: Review the Output

The tool will parse the Prefetch files and display the output in the Command Prompt.
Information includes application run times, execution counts, and accessed files.

Step 6: Export the Results

To export to a CSV file:

.\PECmd.exe -d C:\Windows\Prefetch\ -csv C:\Users\Profile\IR\Investigations\HOSTNAME_PrefetchOutput.csv

Step 7: Analyze the CSV Output

Open the CSV in your preferred program and analyze the data for execution patterns.

Additional Options

For a list of all commands:

.\PECmd.exe --help

Using PECmd.exe on a CSV of Prefetch Names

Sometimes, when I'm conducting incident response, I only ahve access to CrowdStrike Real Time Response (RTR) which tends to be more often than not. Depending on your permissions level, you may not have access to run PECmd.exe within a live response option or on the host.

In cases like this, I grab an output of all of the file names within the hosts prefetch and parse them on my workstation.

To use PECmd.exe on a CSV of Prefetch file names:

Ensure your CSV file is formatted properly, with each Prefetch file path on a separate line.

Get-ChildItem -Path C:\Windows\Prefetch*.pf | Select-Object -ExpandProperty FullName | Export-Csv -Path C:\Windows\Temp\prefetch_file_names.csv -NoTypeInformation

Use a script to read each line from the CSV and pass it to PECmd.exe for processing.

Example PowerShell script snippet

# Define paths
$PECmdPath = "E:\ZurSec\Blogs\Prefetch\PECmd.exe"
$PrefetchDir = "C:\Windows\Prefetch"
$OutputDir = "E:\ZurSec\Blogs\Prefetch"
$OutputCsv = Join-Path $OutputDir "Output.csv"
$OutputTimelineCsv = Join-Path $OutputDir "OutputTimeline.csv"

# Ensure the output directory exists
if (-not (Test-Path -Path $OutputDir)) {
    New-Item -ItemType Directory -Path $OutputDir
}

# Collect the Prefetch file paths
$prefetchFiles = Get-ChildItem -Path $PrefetchDir -Filter "*.pf"

# Initialize the output CSVs
if (Test-Path $OutputCsv) { Remove-Item $OutputCsv }
if (Test-Path $OutputTimelineCsv) { Remove-Item $OutputTimelineCsv }

foreach ($file in $prefetchFiles) {
    & $PECmdPath -f $file.FullName --csv $OutputDir

    # Determine the names of the newly created CSV files
    $timestamp = Get-Date -Format "yyyyMMddHHmmss"
    $detailCsv = Join-Path $OutputDir ($timestamp + "_PECmd_Output.csv")
    $timelineCsv = Join-Path $OutputDir ($timestamp + "_PECmd_Output_Timeline.csv")

    # Append the contents to the Output and OutputTimeline CSVs
    if (Test-Path $detailCsv) {
        if (!(Test-Path $OutputCsv)) {
            Copy-Item $detailCsv $OutputCsv
        } else {
            Get-Content $detailCsv | Select-Object -Skip 1 | Add-Content $OutputCsv
        }
        Remove-Item $detailCsv
    }

    if (Test-Path $timelineCsv) {
        if (!(Test-Path $OutputTimelineCsv)) {
            Copy-Item $timelineCsv $OutputTimelineCsv
        } else {
            Get-Content $timelineCsv | Select-Object -Skip 1 | Add-Content $OutputTimelineCsv
        }
        Remove-Item $timelineCsv
    }
}

PreviousPrefetch NextBAM/DAM

Last updated 1 year ago

Was this helpful?

Prefetch files in Windows are used to speed up the loading of software. Analyzing these files can provide insights about program execution history, which is valuable in digital forensics.

Step 1: Download the Tool

Go to to find the latest version of the tool.
Download the PECmd tool, which may be part of his command line tools suite.

Step 2: Prepare the Environment

Extract the downloaded zip file to a folder of your choice.
Place the Prefetch files you wish to analyze into a directory that's easily accessible.

Step 3: Open Command Prompt and Navigate to the Tool's Directory

Win + R, type cmd, and hit Enter to open the Command Prompt.

cd C:\Users\Profile\IR\Tools

Step 4: Execute the PECmd Tool

To analyze a single Prefetch file:

.\PECmd.exe -f C:\Windows\Prefetch\BRAVE.EXE-E6B9ADB7.pf

For analyzing all Prefetch files in a directory:

.\PECmd.exe -d C:\Windows\Prefetch\

Step 5: Review the Output

The tool will parse the Prefetch files and display the output in the Command Prompt.
Information includes application run times, execution counts, and accessed files.

Step 6: Export the Results

To export to a CSV file:

.\PECmd.exe -d C:\Windows\Prefetch\ -csv C:\Users\Profile\IR\Investigations\HOSTNAME_PrefetchOutput.csv

Step 7: Analyze the CSV Output

Open the CSV in your preferred program and analyze the data for execution patterns.

Additional Options

For a list of all commands:

.\PECmd.exe --help

Using PECmd.exe on a CSV of Prefetch Names

In cases like this, I grab an output of all of the file names within the hosts prefetch and parse them on my workstation.

To use PECmd.exe on a CSV of Prefetch file names:

Ensure your CSV file is formatted properly, with each Prefetch file path on a separate line.

Get-ChildItem -Path C:\Windows\Prefetch*.pf | Select-Object -ExpandProperty FullName | Export-Csv -Path C:\Windows\Temp\prefetch_file_names.csv -NoTypeInformation

Use a script to read each line from the CSV and pass it to PECmd.exe for processing.

Example PowerShell script snippet

# Define paths
$PECmdPath = "E:\ZurSec\Blogs\Prefetch\PECmd.exe"
$PrefetchDir = "C:\Windows\Prefetch"
$OutputDir = "E:\ZurSec\Blogs\Prefetch"
$OutputCsv = Join-Path $OutputDir "Output.csv"
$OutputTimelineCsv = Join-Path $OutputDir "OutputTimeline.csv"

# Ensure the output directory exists
if (-not (Test-Path -Path $OutputDir)) {
    New-Item -ItemType Directory -Path $OutputDir
}

# Collect the Prefetch file paths
$prefetchFiles = Get-ChildItem -Path $PrefetchDir -Filter "*.pf"

# Initialize the output CSVs
if (Test-Path $OutputCsv) { Remove-Item $OutputCsv }
if (Test-Path $OutputTimelineCsv) { Remove-Item $OutputTimelineCsv }

foreach ($file in $prefetchFiles) {
    & $PECmdPath -f $file.FullName --csv $OutputDir

    # Determine the names of the newly created CSV files
    $timestamp = Get-Date -Format "yyyyMMddHHmmss"
    $detailCsv = Join-Path $OutputDir ($timestamp + "_PECmd_Output.csv")
    $timelineCsv = Join-Path $OutputDir ($timestamp + "_PECmd_Output_Timeline.csv")

    # Append the contents to the Output and OutputTimeline CSVs
    if (Test-Path $detailCsv) {
        if (!(Test-Path $OutputCsv)) {
            Copy-Item $detailCsv $OutputCsv
        } else {
            Get-Content $detailCsv | Select-Object -Skip 1 | Add-Content $OutputCsv
        }
        Remove-Item $detailCsv
    }

    if (Test-Path $timelineCsv) {
        if (!(Test-Path $OutputTimelineCsv)) {
            Copy-Item $timelineCsv $OutputTimelineCsv
        } else {
            Get-Content $timelineCsv | Select-Object -Skip 1 | Add-Content $OutputTimelineCsv
        }
        Remove-Item $timelineCsv
    }
}