# Decoding Prefetch Files with Eric Zimmerman's PECmd Tool

Windows creates Prefetch files to speed up application loading. Each one records the executable, how many times it has run, when it last ran, and the files and directories it touched, so parsing them gives a history of program execution that is valuable in digital forensics.

#### Step 1: Download the Tool

* Go to [Eric Zimmerman's GitHub repository or his official website](https://ericzimmerman.github.io/#!index.md) to find the latest version of the tool.
* Download the PECmd tool, which may be part of his command line tools suite.

#### Step 2: Prepare the Environment

* Extract the downloaded zip file to a folder of your choice.
* Place the Prefetch files you wish to analyze into a directory that's easily accessible.

#### Step 3: Open Command Prompt and Navigate to the Tool's Directory

Press Win + R, type `cmd`, and hit Enter to open the Command Prompt, then change to the directory where you extracted the tool:

```bash
cd C:\Users\Profile\IR\Tools
```

#### Step 4: Execute the PECmd Tool

* To analyze a single Prefetch file:

```bash
.\PECmd.exe -f C:\Windows\Prefetch\BRAVE.EXE-E6B9ADB7.pf
```

* For analyzing all Prefetch files in a directory:

```bash
.\PECmd.exe -d C:\Windows\Prefetch\
```

#### Step 5: Review the Output

* The tool will parse the Prefetch files and display the output in the Command Prompt.
* Information includes application run times, execution counts, and accessed files.

#### Step 6: Export the Results

* To export to a CSV file:

{% code overflow="wrap" %}

```bash
# --csv takes the directory to write into; --csvf overrides PECmd's default
# timestamped file name (passing a file path to --csv creates a directory of that name)
.\PECmd.exe -d C:\Windows\Prefetch\ --csv C:\Users\Profile\IR\Investigations --csvf HOSTNAME_PrefetchOutput.csv
```

{% endcode %}

#### Step 7: Analyze the CSV Output

* Open the CSV in your preferred program and analyze the data for execution patterns.
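As an added example (not part of the original page and not PECmd's own code), the Python below reads a constructed sample laid out like PECmd's `<timestamp>_PECmd_Output.csv` and pulls out the patterns Step 7 is after: run counts per executable, a flattened timeline built from `LastRun` and the `PreviousRunN` columns, and executables whose own image sits in a user-writable location such as `\USERS\...\TEMP\`. The column names, the default `yyyy-MM-dd HH:mm:ss` timestamp format, and the `, ` separator inside `FilesLoaded` are assumptions about PECmd's output; the Prefetch hashes and paths in the sample are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the shape of PECmd's <timestamp>_PECmd_Output.csv. Column names are
# assumed to match PECmd; real output has more columns (Hash, Size, Volume*, PreviousRun2..6)
# which the functions below do not need. Hashes and paths are made up for the example.
SAMPLE_PECMD_CSV = r'''SourceFilename,ExecutableName,RunCount,LastRun,PreviousRun0,PreviousRun1,Directories,FilesLoaded
C:\Windows\Prefetch\BRAVE.EXE-E6B9ADB7.pf,BRAVE.EXE,42,2024-03-01 09:15:02,2024-02-29 17:40:11,2024-02-28 08:02:55,"\VOLUME{0}\PROGRAM FILES\BRAVESOFTWARE","\VOLUME{0}\PROGRAM FILES\BRAVESOFTWARE\BRAVE.EXE, \VOLUME{0}\WINDOWS\SYSTEM32\NTDLL.DLL"
C:\Windows\Prefetch\POWERSHELL.EXE-AAAA0001.pf,POWERSHELL.EXE,17,2024-03-01 09:20:44,2024-02-27 11:05:13,,"\VOLUME{0}\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0","\VOLUME{0}\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE, \VOLUME{0}\WINDOWS\SYSTEM32\NTDLL.DLL"
C:\Windows\Prefetch\UPDATER.EXE-AAAA0002.pf,UPDATER.EXE,1,2024-03-01 09:21:03,,,"\VOLUME{0}\USERS\ALICE\APPDATA\LOCAL\TEMP","\VOLUME{0}\USERS\ALICE\APPDATA\LOCAL\TEMP\UPDATER.EXE, \VOLUME{0}\WINDOWS\SYSTEM32\NTDLL.DLL"
'''

# PECmd's default timestamp format, plus the fractional-seconds variant (assumed, e.g. with --dt)
DATE_FORMATS = ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M:%S.%f")

# Path fragments that mark locations an unprivileged user can write to (uppercase, as PECmd prints them)
USER_WRITABLE_MARKERS = ("\\USERS\\", "\\TEMP\\", "\\APPDATA\\", "\\PROGRAMDATA\\", "\\PUBLIC\\", "\\DOWNLOADS\\")


def parse_pecmd_time(value):
    """Parse one timestamp cell; empty cells (unused PreviousRunN slots) return None."""
    value = (value or "").strip()
    if not value:
        return None
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised PECmd timestamp: {value!r}")


def load_pecmd_csv(text):
    """Read PECmd detail output into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def run_counts(rows):
    """Map each executable to its RunCount."""
    return {r["ExecutableName"]: int(r["RunCount"]) for r in rows}


def execution_timeline(rows):
    """Flatten LastRun and every PreviousRunN column into (time, executable) pairs, oldest first."""
    events = set()
    for r in rows:
        columns = ["LastRun"] + [c for c in r if c.startswith("PreviousRun")]
        for c in columns:
            t = parse_pecmd_time(r.get(c))
            if t is not None:
                events.add((t, r["ExecutableName"]))
    return sorted(events)


def executable_path(row):
    """Return the FilesLoaded entry that is the executable itself (assumes ', ' separates entries)."""
    suffix = "\\" + row["ExecutableName"].upper()
    for entry in row["FilesLoaded"].split(", "):
        if entry.strip().upper().endswith(suffix):
            return entry.strip()
    return None


def flag_user_writable(rows):
    """List (executable, image path) for executables that ran from a user-writable location."""
    flagged = []
    for r in rows:
        path = executable_path(r)
        if path and any(marker in path.upper() for marker in USER_WRITABLE_MARKERS):
            flagged.append((r["ExecutableName"], path))
    return flagged


if __name__ == "__main__":
    rows = load_pecmd_csv(SAMPLE_PECMD_CSV)
    for exe, count in sorted(run_counts(rows).items(), key=lambda kv: -kv[1]):
        print(f"{exe:<16} runs={count}")
    print("\nTimeline (oldest first):")
    for when, exe in execution_timeline(rows):
        print(f"  {when:%Y-%m-%d %H:%M:%S}  {exe}")
    print("\nRan from a user-writable location:")
    for exe, path in flag_user_writable(rows):
        print(f"  {exe}  <-  {path}")
```

Point `load_pecmd_csv` at the contents of a real `--csv` output file and the same three functions apply unchanged; a high `RunCount` for a binary in `\TEMP\` or a burst of first-time executions in the timeline are the sort of pattern worth a closer look.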

#### Additional Options

* For a list of all options:

```bash
.\PECmd.exe --help
```

#### Using PECmd.exe on a CSV of Prefetch Names

Sometimes, when I'm conducting incident response, I only have access to CrowdStrike Real Time Response (RTR), which tends to be more often than not. Depending on your permission level, you may not have access to run PECmd.exe within a live response option or on the host.

In cases like this, I grab an output of all of the file names within the host's Prefetch directory and parse them on my workstation.

To use `PECmd.exe` on a CSV of Prefetch file names:

1. Ensure your CSV file is formatted properly, with each Prefetch file path on a separate line.

{% code overflow="wrap" %}

```powershell
# Write the Prefetch paths to a CSV with a "FullName" header. Select-Object without
# -ExpandProperty keeps the property name, so Export-Csv writes the path rather than
# the string's Length; the trailing backslash is required for the *.pf wildcard to match.
Get-ChildItem -Path C:\Windows\Prefetch\*.pf | Select-Object FullName | Export-Csv -Path C:\Windows\Temp\prefetch_file_names.csv -NoTypeInformation
```

{% endcode %}

2. Use a script to read each line from the CSV and pass it to `PECmd.exe` for processing.

#### Example PowerShell script snippet

{% code overflow="wrap" %}

```powershell
# Define paths
$PECmdPath = "E:\ZurSec\Blogs\Prefetch\PECmd.exe"
$PrefetchDir = "C:\Windows\Prefetch"
$OutputDir = "E:\ZurSec\Blogs\Prefetch"
$OutputCsv = Join-Path $OutputDir "Output.csv"
$OutputTimelineCsv = Join-Path $OutputDir "OutputTimeline.csv"

# Ensure the output directory exists
if (-not (Test-Path -Path $OutputDir)) {
    New-Item -ItemType Directory -Path $OutputDir | Out-Null
}

# Collect the Prefetch file paths
$prefetchFiles = Get-ChildItem -Path $PrefetchDir -Filter "*.pf"

# Initialize the output CSVs
if (Test-Path $OutputCsv) { Remove-Item $OutputCsv }
if (Test-Path $OutputTimelineCsv) { Remove-Item $OutputTimelineCsv }

foreach ($file in $prefetchFiles) {
    # --csv takes a directory; PECmd writes <yyyyMMddHHmmss>_PECmd_Output.csv and
    # <yyyyMMddHHmmss>_PECmd_Output_Timeline.csv into it
    & $PECmdPath -f $file.FullName --csv $OutputDir

    # Locate the files PECmd just wrote instead of rebuilding the timestamp with Get-Date,
    # which can differ from PECmd's by a second and then never match. Each pass removes
    # its files, so the newest match is the one from this run.
    $detailCsv = Get-ChildItem -Path $OutputDir -Filter "*_PECmd_Output.csv" |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $timelineCsv = Get-ChildItem -Path $OutputDir -Filter "*_PECmd_Output_Timeline.csv" |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1

    # Append the contents to the Output and OutputTimeline CSVs, keeping only the first header row
    if ($detailCsv) {
        if (!(Test-Path $OutputCsv)) {
            Copy-Item $detailCsv.FullName $OutputCsv
        } else {
            Get-Content $detailCsv.FullName | Select-Object -Skip 1 | Add-Content $OutputCsv
        }
        Remove-Item $detailCsv.FullName
    }

    if ($timelineCsv) {
        if (!(Test-Path $OutputTimelineCsv)) {
            Copy-Item $timelineCsv.FullName $OutputTimelineCsv
        } else {
            Get-Content $timelineCsv.FullName | Select-Object -Skip 1 | Add-Content $OutputTimelineCsv
        }
        Remove-Item $timelineCsv.FullName
    }
}
```

{% endcode %}
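When all you could pull from the host is the list of Prefetch file names, the names themselves still carry evidence: `BRAVE.EXE-E6B9ADB7.pf` is the executable name followed by an eight-hex-digit hash of the path it ran from. As an added example (not part of the original page or of PECmd), the Python below reads a constructed `prefetch_file_names.csv`, either in the `FullName`-column form that `Get-ChildItem | Select-Object FullName | Export-Csv` produces or as a bare one-path-per-line list, splits each name into executable and path hash, and reports executables that appear with more than one hash, which means the same-named binary ran from more than one location. The hashes in the sample are constructed, as is the `FullName` header assumption.

```python
import csv
import io
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample in the shape of prefetch_file_names.csv as written by Export-Csv
# (a quoted "FullName" header, one quoted path per line). Hash values are made up.
SAMPLE_NAMES_CSV = r'''"FullName"
"C:\Windows\Prefetch\BRAVE.EXE-E6B9ADB7.pf"
"C:\Windows\Prefetch\POWERSHELL.EXE-AAAA0001.pf"
"C:\Windows\Prefetch\SVCHOST.EXE-AAAA0002.pf"
"C:\Windows\Prefetch\SVCHOST.EXE-AAAA0003.pf"
"C:\Windows\Prefetch\UPDATER.EXE-AAAA0004.pf"
"C:\Windows\Prefetch\UPDATER.EXE-AAAA0005.pf"
"C:\Windows\Prefetch\README.TXT"
'''

# <executable>-<8 hex digits>.pf; the hex part is Windows' hash of the executable's path
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

# Hosts whose Prefetch hash also covers the command line, so several hashes per name is normal
# (svchost.exe runs many service groups); for any other executable it indicates multiple paths.
MULTI_HASH_EXPECTED = {"SVCHOST.EXE", "DLLHOST.EXE", "RUNDLL32.EXE", "MMC.EXE", "BACKGROUNDTASKHOST.EXE"}


def parse_prefetch_name(path):
    """Split 'NAME.EXE-XXXXXXXX.pf' into (executable, hash); None for anything that is not a Prefetch name."""
    match = PF_NAME.match(PureWindowsPath(path).name)
    if not match:
        return None
    return match.group("exe").upper(), match.group("hash").upper()


def load_prefetch_names(text):
    """Read either an Export-Csv file with a FullName column or a bare one-path-per-line list."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if lines and lines[0].strip('"').lower() == "fullname":
        paths = [row["FullName"] for row in csv.DictReader(io.StringIO(text))]
    else:
        paths = [line.strip('"') for line in lines]
    entries = []
    for path in paths:
        parsed = parse_prefetch_name(path)
        if parsed is not None:
            entries.append(parsed)
    return entries


def hashes_by_executable(entries):
    """Group the distinct path hashes seen for each executable name."""
    grouped = defaultdict(set)
    for exe, path_hash in entries:
        grouped[exe].add(path_hash)
    return {exe: sorted(hashes) for exe, hashes in grouped.items()}


def executables_with_multiple_hashes(entries, include_expected=False):
    """Executables that ran from more than one location (or command line, for the hosts above)."""
    return {
        exe: hashes
        for exe, hashes in hashes_by_executable(entries).items()
        if len(hashes) > 1 and (include_expected or exe not in MULTI_HASH_EXPECTED)
    }


if __name__ == "__main__":
    entries = load_prefetch_names(SAMPLE_NAMES_CSV)
    print(f"{len(entries)} Prefetch names parsed")
    for exe, hashes in sorted(hashes_by_executable(entries).items()):
        print(f"  {exe:<16} {', '.join(hashes)}")
    print("\nSame name, more than one path hash (svchost-style hosts excluded):")
    for exe, hashes in executables_with_multiple_hashes(entries).items():
        print(f"  {exe}: {hashes}")
```

The names give you the executable list and the "multiple locations" signal for triage; the run counts, timestamps and loaded files still require the `.pf` contents, which is where the PECmd loop above comes in once you can retrieve the files.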

