A lightweight Windows Prefetch file parser to extract programs' execution history.
- Parses Windows Prefetch files (.pf) from Windows 10/11 (version 30/31).
- Extracts execution timestamps, run counts, loaded DLLs, and accessed directories.
- Filters by specific executable names.
- Outputs the data in JSON format.
Prefetch is a Windows performance feature that monitors application startup and records execution traces to speed up future launches. Each time a program runs, Windows creates or updates a .pf file under C:\Windows\Prefetch containing metadata about that execution: timestamps, run counts, referenced files (including DLLs), file paths, and accessed directories. Prefetch files are useful in both offensive and defensive contexts:
- Offensive Context - Developed for the Persistence Modules of the Maldev Academy Malware Development Course to identify frequently executed programs.
- Defensive Context - Investigate executed applications and detect techniques like DLL sideloading.
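To make the on-disk layout concrete, here is an added Python example (not the project's own code) that parses the decompressed body of a version 30 Prefetch file: the SCCA header, the executable name, the eight FILETIME last-run slots, the run count, the loaded-file strings and the per-volume directory strings, followed by a defensive triage helper that lists DLLs loaded from outside the Windows system directories (a DLL sideloading hint). Field offsets follow the libscca format documentation; the example assumes version 31 shares the version 30 layout and reads the run count at file-information offset 124 (an early Windows 10 variant stores it at 116). Windows 10+ writes the file Xpress-Huffman compressed behind a "MAM\x04" header, so decompress_mam() unwraps it through the real ntdll exports RtlGetCompressionWorkSpaceSize / RtlDecompressBufferEx when run on Windows. build_sample_pf() constructs a synthetic file (CHROME.EXE, 42 runs, EXAMPLE.DLL under USERS\PUBLIC, and the volume string are all made up) so the parser runs offline.

```python
import ctypes
import json
import struct
import sys
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 84            # fixed header, followed by the file information block
FILE_INFO_SIZE = 224        # version 30 file information block
VOLUME_ENTRY_SIZE = 96      # version 30 volume information entry
MAM_SIGNATURE = b"MAM\x04"  # Windows 10+ stores .pf files Xpress-Huffman compressed
SYSTEM_DIRS = ("\\WINDOWS\\SYSTEM32\\", "\\WINDOWS\\SYSWOW64\\", "\\WINDOWS\\WINSXS\\")


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)


def decompress_mam(blob):
    """Unwrap 'MAM\\x04' + 4-byte uncompressed size + data via ntdll (Windows only)."""
    if not blob.startswith(MAM_SIGNATURE):
        return blob                      # already decompressed (e.g. the sample below)
    if not sys.platform.startswith("win"):
        raise RuntimeError("Xpress-Huffman decompression needs ntdll (Windows)")
    size = struct.unpack_from("<I", blob, 4)[0]
    fmt = ctypes.c_ushort(4)             # COMPRESSION_FORMAT_XPRESS_HUFFMAN
    ntdll = ctypes.windll.ntdll
    ws, fws = ctypes.c_ulong(), ctypes.c_ulong()
    ntdll.RtlGetCompressionWorkSpaceSize(fmt, ctypes.byref(ws), ctypes.byref(fws))
    out, final = ctypes.create_string_buffer(size), ctypes.c_ulong()
    status = ntdll.RtlDecompressBufferEx(fmt, out, size, blob[8:], len(blob) - 8,
                                         ctypes.byref(final), ctypes.create_string_buffer(ws.value))
    if status != 0:
        raise RuntimeError(f"RtlDecompressBufferEx failed: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
    return out.raw[:final.value]


def parse_prefetch(buf):
    """Return executable name, run count, last run times, loaded files and directories."""
    version, sig, _flags, _file_size = struct.unpack_from("<I4sII", buf, 0)
    if sig != b"SCCA":
        raise ValueError("missing SCCA signature: not a (decompressed) Prefetch file")
    if version not in (30, 31):          # assumption: v31 (Windows 11) shares the v30 layout
        raise ValueError(f"unsupported Prefetch version {version}")
    exe = buf[16:76].decode("utf-16-le").split("\x00", 1)[0]   # 60-byte UTF-16 name field
    pf_hash = struct.unpack_from("<I", buf, 76)[0]
    fi = HEADER_SIZE
    (_m_off, _m_cnt, _c_off, _c_cnt, names_off, names_size,
     vol_off, vol_cnt, _vol_size) = struct.unpack_from("<9I", buf, fi)
    last_runs = [filetime_to_dt(t) for t in struct.unpack_from("<8Q", buf, fi + 44) if t]
    # Run count sits at offset 124 in this v30 layout; an early Windows 10 variant uses 116.
    run_count = struct.unpack_from("<I", buf, fi + 124)[0]
    loaded = [n for n in buf[names_off:names_off + names_size].decode("utf-16-le").split("\x00") if n]
    directories = []
    for i in range(vol_cnt):             # entry offsets are relative to the volumes section start
        base = vol_off + i * VOLUME_ENTRY_SIZE
        dir_off, dir_cnt = struct.unpack_from("<II", buf, base + 28)
        pos = vol_off + dir_off
        for _ in range(dir_cnt):         # each: 2-byte char count, UTF-16 string, NUL terminator
            n = struct.unpack_from("<H", buf, pos)[0]
            directories.append(buf[pos + 2:pos + 2 + n * 2].decode("utf-16-le"))
            pos += 2 + (n + 1) * 2
    return {"executable": exe, "hash": f"{pf_hash:08X}", "version": version, "run_count": run_count,
            "last_runs": last_runs, "loaded_files": loaded, "directories": directories}


def suspicious_dlls(record):
    """Defensive triage: DLLs loaded from outside the Windows system directories are sideloading candidates."""
    return [p for p in record["loaded_files"]
            if p.upper().endswith(".DLL") and not any(d in p.upper() for d in SYSTEM_DIRS)]


def build_sample_pf():
    """Construct a synthetic, already-decompressed v30 file (every value here is made up)."""
    vol = "\\VOLUME{01d9c0ffee000000-deadbeef}"
    names = [f"{vol}\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
             f"{vol}\\PROGRAM FILES\\GOOGLE\\CHROME\\APPLICATION\\CHROME.EXE",
             f"{vol}\\USERS\\PUBLIC\\EXAMPLE.DLL"]
    dirs = [f"{vol}\\WINDOWS\\SYSTEM32", f"{vol}\\USERS\\PUBLIC"]
    names_blob = "".join(n + "\x00" for n in names).encode("utf-16-le")
    dev_blob = (vol + "\x00").encode("utf-16-le")
    dirs_blob = b"".join(struct.pack("<H", len(d)) + (d + "\x00").encode("utf-16-le") for d in dirs)
    dev_off, dir_off = VOLUME_ENTRY_SIZE, VOLUME_ENTRY_SIZE + len(dev_blob)
    vol_entry = struct.pack("<IIQIIIII", dev_off, len(vol), 0, 0x1234ABCD, 0, 0, dir_off, len(dirs))
    vol_blob = vol_entry.ljust(VOLUME_ENTRY_SIZE, b"\x00") + dev_blob + dirs_blob
    names_off = HEADER_SIZE + FILE_INFO_SIZE
    vol_off = names_off + len(names_blob)
    run = int((datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 10_000_000
    info = struct.pack("<9I", 0, 0, 0, 0, names_off, len(names_blob), vol_off, 1, len(vol_blob))
    info += b"\x00" * 8 + struct.pack("<8Q", run, 0, 0, 0, 0, 0, 0, 0) + b"\x00" * 16 + struct.pack("<I", 42)
    header = (struct.pack("<I4sII", 30, b"SCCA", 0x11, vol_off + len(vol_blob))
              + "CHROME.EXE".encode("utf-16-le").ljust(60, b"\x00") + struct.pack("<II", 0xB3C4D5E6, 0))
    return header + info.ljust(FILE_INFO_SIZE, b"\x00") + names_blob + vol_blob


if __name__ == "__main__":
    data = decompress_mam(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else build_sample_pf()
    rec = parse_prefetch(data)
    rec["suspicious_dlls"] = suspicious_dlls(rec)
    print(json.dumps(rec, indent=2, default=str))
```

Run it with no arguments to parse the constructed sample, or pass a real .pf path on Windows to decompress and parse it. The file metrics and trace chains arrays are skipped; the loaded-file list is taken straight from the filename strings section, which is what the DLL sideloading check needs.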
Usage: PrefetchFileParser.exe <options>
Options:
/o <path> Output JSON file path (default: PrefetchData.json)
/p <path> Prefetch directory path (default: C:\Windows\Prefetch)
/b <binary> Filter by binary name (can be specified up to 64 times)
/h, /? Display this help message
Examples:
PrefetchFileParser.exe
PrefetchFileParser.exe /o Output.json
PrefetchFileParser.exe /b cmd.exe /b powershell.exe
PrefetchFileParser.exe /p 'C:\PrefetchBackup' /o Results.json
Note: The /b filter requires the full filename including the .exe extension.
- Running the tool to extract Chrome.exe's history.
- Loaded files reveal DLLEXTRACTCHROMIUMSECRETS.DLL, which is part of our DumpBrowserSecrets repo.