TZWorks LLC software and related documentation ("Software") is governed by separate licenses issued from TZWorks LLC. The User Agreement, Disclaimer, and/or Software may change from time to time. By continuing to use the Software after those changes become effective, you agree to be bound by all such changes. Permission to use the Software is granted provided that (1) use of such Software is in accordance with the license issued to you and (2) the Software is not resold, transferred or distributed to any other person or entity. Refer to your specific EULA issued to for your specific the terms and conditions. There are 3 types of licenses available: (i) for educational purposes, (ii) for demonstration and testing purposes and (iii) business and/or commercial purposes. Contact TZWorks LLC (info@tzworks.com) for more information regarding licensing and/or to obtain a license. To redistribute the Software, prior approval in writing is required from TZWorks LLC. The terms in your specific EULA do not give the user any rights in intellectual property or technology, but only a limited right to use the Software in accordance with the license issued to you. TZWorks LLC retains all rights to ownership of this Software.

Export Regulation

The Software is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations. The Export Control Classification Number (ECCN) for the Software is 5D002, subparagraph C.1. The user shall not, directly or indirectly, export, re-export or release the Software to, or make the Software accessible from, any jurisdiction or country to which export, re-export or release is prohibited by law, rule or regulation. The user shall comply with all applicable U.S. federal laws, regulations and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), prior to exporting, re-exporting, releasing, or otherwise making the Software available outside the U.S.

The user agrees that this Software made available by TZWorks LLC is experimental in nature and use of the Software is at user's sole risk. The Software could include technical inaccuracies or errors. Changes are periodically added to the information herein, and TZWorks LLC may make improvements and/or changes to Software and related documentation at any time. TZWorks LLC makes no representations about the accuracy or usability of the Software for any purpose.

ALL SOFTWARE ARE PROVIDED "AS IS" AND "WHERE IS" WITHOUT WARRANTY OF ANY KIND INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL TZWORKS LLC BE LIABLE FOR ANY KIND OF DAMAGE RESULTING FROM ANY CAUSE OR REASON, ARISING OUT OF IT IN CONNECTION WITH THE USE OR PERFORMANCE OF INFORMATION AVAILABLE FROM THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY DAMAGES FROM ANY INACCURACIES, ERRORS, OR VIRUSES, FROM OR DURING THE USE OF THE SOFTWARE.

The Software are the original works of TZWorks LLC. However, to be in compliance with the Digital Millennium Copyright Act of 1998 ("DMCA") we agree to investigate and disable any material for infringement of copyright. Contact TZWorks LLC at email address: info@tzworks.com, regarding any DMCA concerns.

pf is a command line version Windows prefetch parser. Originally inspired by the chapter on 'prefetch analysis' as well as the perl script sample given in the book on "Windows Forensic Analysis" by Harlan Carvey [1], pf was another tool created for eventual inclusion into a computer forensic toolkit.

From Wikipedia, "the prefetcher is a component ... of Microsoft Windows starting with Windows XP... that speeds up the Windows boot process, and shortens the amount of time it takes to start up programs. In Windows Vista, SuperFetch and ReadyBoost extend upon the prefetcher and attempt to accelerate application and boot launch times..."[3]

A good source for a discussion on the internals of the mechanics of prefetching is given in the MSDN article written by Mark Russinovich and David Solomon [2].

The prefetcher behavior is controlled by the Windows registry entry: HKLM\System\CurrentControlSet\Control\Session\Manager\Memory Management\PrefetchParameters. The value for "EnablePrefetcher" can have one of the following values [3]:

    0 - Disabled
    1 - Application launch prefetching enabled
    2 - Boot prefetching enabled
    3 - Application launch and boot enabled (default)

Based on various references, Windows maintains the prefetch folder up to 128 entries.

To use this tool, an authentication file is required to be in the same directory as the binary in order for the tool to run.

Since pf is a command line tool, one will need to open the command prompt. If trying to access the prefetch (%systemroot%\prefetch) folder while running Vista or beyond, one needs to be running with admin privileges.

Below is the menu with the various options. Details of each option can be found here.

    Usage:

       pf <filename> [options]   = parse individual file
       pf -vss <index> [options] = *** do all prefetch files in Vol Shadow
       dir c:\windows\prefetch\*.pf /b /s | pf -pipe > results.txt
       pf -enumdir <location pf files> -num_subdirs <#> [options]

     Basic options
      -csv                       = output in comma separated value format
      -csvl2t                    = log2timeline output
      -bodyfile                  = sleuthkit output
      -verbose                   = force module listing to be in output

     Additional options
      -pipe                      = pipe files into app for processing
      -hostname <name>           = csv output will contain this hostname
      -dateformat mm/dd/yyyy    = "yyyy-mm-dd" is the default
      -timeformat hh:mm:ss       = "hh:mm:ss.xxx" is the default
      -pair_datetime             = combine date/time into 1 field for csv
      -no_whitespace             = remove whitespace between csv delimiter
      -csv_separator "|"         = use a pipe character for csv separator
      -pf_path                   = include prefetch path in output
      -filter <*partial*|*.ext>  = filters stdin data from -pipe option

There are 3 output formats: (1) which uses one line per prefetch file parsed and uses pipe delimiters with appropriate spaces to align columns, (2) [-csv] output, which uses comma separated value format which is good to view in excel and (3) [-v] verbose format, which uses multiple lines per prefetch file. The verbose format is useful to view the output in any text editor, while the single line per entry that uses either comma's or pipe's for delimiters is useful to view in Microsoft Excel or other spreadsheet application.

One can pipe 'path\filename' of the prefetch files into pf using the [-pipe] switch. To use this option, one needs to ensure the absolute path is given. This can be done with the use of the dir command by using the switches /b /s. Then one can redirect the output of pf to a file. See the example below for the use of the dir command:

    dir <some directory path> /b /s   

Typical usage Win32 examples include:

    To parse individual prefetch files, use:
      pf  <path\prefetch file>                               

    To parse all prefetch files in a directory, use the [-pipe] switch, eg:
      dir c:\windows\prefetch\*.pf /b /s | pf -pipe          
      dir c:\windows\prefetch\*.pf /b /s | pf -pipe -csv  

    To redirect output of pf into a file
      dir c:\windows\prefetch\*.pf /b /s | pf -pipe  > output.txt
      dir c:\windows\prefetch\*.pf /b /s | pf -pipe -csv > output.csv

    To add the module listing to your output while using a pipe
      dir c:\windows\prefetch\*.pf /b /s | pf -pipe -verbose > output.txt
      dir c:\windows\prefetch\*.pf /b /s | pf -pipe -verbose -csv > output.csv

Typical usage Linux examples include (assuming the windows prefetch files were copied to your local Linux directory):

    To parse individual prefetch files, use:
      ./pf <path/prefetch file>                             

    To parse all prefetch files in a directory, use the [-pipe] switch, eg: 
      ls /home/Prefetch/*.pf | ./pf -pipe                    
      ls /home/Prefetch/*.pf | ./pf -pipe -csv               

    To redirect output of pf into a file
      ls /home/Prefetch/*.pf | ./pf -pipe > output.txt 
      ls /home/Prefetch/*.pf | ./pf -pipe -csv > output.csv

For starters, to access Volume Shadow copies, one needs to be running with administrator privileges. Also, it is important to note that, Volume Shadow copies as is discussed here, only applies to Windows Vista, Win7, Win8, and beyond. It does not apply to Windows XP.

One can parse the prefetch files stored in a Volume Shadow via the -vss <index of volume shadow> option. This command will look for prefetch files in the standard location, and if found, parse all the files found in one session.

To determine which indexes are available from the various Volume Shadows, one can use the Windows built-in utility vssadmin, as follows:

    vssadmin list shadows

    -- or to filter out extraneous detail --
    
    vssadmin list shadows | find /i "volume"

While the amount of data can be voluminous from that above command, the keywords one needs to look for are names that look like this:

    Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
    Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
    ...

From the example above, notice the number after the word HarddiskvolumeShadowCopy. This would be the number that is passed as an argument to the -vss option.

In addition to the -vss <index of volume shadow>, we've built in a shortcut syntax in order to more easily access a specific file in a specified Volume Shadow copy, via the %vss% keyword. This internally gets expanded into \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy. Thus, to access index 1 of the volume shadow copy, one would combine the keyword and index, index, (eg. %vss%1) in front of the normal path of the file. For example, to access a file located in the testuser account from the HarddiskVolumeShadowCopy1, the following syntax can be used:

        pf %vss%1\Windows\Prefetch\CMD.EXE-00F4355.pf -v > out.txt

Option	Description
-vss	Experimental. Parse prefetch artifacts from Volume Shadow. The syntax is -vss <index number of shadow copy>. Only applies to Windows Vista, Win7, Win8 and beyond. Does not apply to Windows XP.
-csv	Outputs the data fields delimited by commas. Since filenames can have commas, to ensure the fields are uniquely separated, any commas in the filenames get converted to spaces.
-csvl2t	Outputs the data fields in accordance with the log2timeline format. For the module listing output, the default just lists unique module filenames. With the -verbose option set, the module list will include the path/filename.
-bodyfile	Outputs the data fields in accordance with the 'body-file' version3 specified in the SleuthKit. The date/timestamp outputted to the body-file is in terms of UTC. So if using the body-file in conjunction with the mactime.pl utility, one needs to set the environment variable TZ=UTC.
-verbose	Verbose output. This option will include the module listing within the output. This was the default option when parsing single pf files (not using the -pipe command) that produced multiple lines in the output. This was added for additional CSV functionality.
-pipe	Used to pipe files into the tool via STDIN (standard input). Each file passed in is parsed in sequence.
-enumdir	Experimental. Used to process files within a folder and/or subfolders. Each file is parsed in sequence. The syntax is -enumdir <"folder"> -num_subdirs <#>.
-filter	Filters data passed in via stdin via the -pipe option. The syntax is -filter <"*.ext | *partialname* | ...">. The wildcard character '*' is restricted to either before the name or after the name.
-hostname	Option is used to populate the output records with a specified hostname. The syntax is -hostname <name to use>.
-no_whitespace	Used in conjunction with -csv option to remove any whitespace between the field value and the CSV separator.
-csv_separator	Used in conjunction with the -csv option to change the CSV separator from the default comma to something else. Syntax is -csv_separator "|" to change the CSV separator to the pipe character. To use the tab as a separator, one can use the -csv_separator "tab" OR -csv_separator "\t" options.
-dateformat	Output the date using the specified format. Default behavior is -dateformat "yyyy-mm-dd". Using this option allows one to adjust the format to mm/dd/yy, dd/mm/yy, etc. The restriction with this option is the forward slash (/) or dash (-) symbol needs to separate month, day and year and the month is in digit (1-12) form versus abbreviated name form.
-timeformat	Output the time using the specified format. Default behavior is -timeformat "hh:mm:ss.xxx" One can adjust the format to microseconds, via "hh:mm:ss.xxxxxx" or nanoseconds, via "hh:mm:ss.xxxxxxxxx", or no fractional seconds, via "hh:mm:ss". The restrictions with this option is that a colon (:) symbol needs to separate hours, minutes and seconds, a period (.) symbol needs to separate the seconds and fractional seconds, and the repeating symbol 'x' is used to represent number of fractional seconds. (Note: the fractional seconds applies only to those time formats that have the appropriate precision available. The Windows internal filetime has, for example, 100 nsec unit precision available. The DOS time format and the UNIX 'time_t' format, however, have no fractional seconds). Some of the times represented by this tool may use a time format without fractional seconds and therefore will not show a greater precision beyond seconds when using this option.
-pf_path	Output the prefetch file source path as part of the CSV output. This is useful for traceability when processing multiple prefetch files in an offline mode from multiple directories.
-pair_datetime	Output the date/time as 1 field vice 2 for csv option
-utf8_bom	All output is in Unicode UTF-8 format. If desired, one can prefix an UTF-8 byte order mark to the output using this option.

Field	Definition
prefetch file name	This is the filename of the record. If the prefetch file was copied and renamed somewhere else for analysis, this will be that name
app name	Filename without path
times ran	Number of times ran according to embedded data
last run	Date prefetch entry was last updated
time-UTC (after last run)	Time prefetch entry was last updated
mdate	Prefetch file modify date (based on filesystem timestamps)
time-UTC (after mdate)	Target prefetch file modify time (based on filesystem timestamps)
adate	Target prefetch file access date (based on filesystem timestamps)
time-UTC (after adate)	Target prefetch file access time (based on filesystem timestamps)
cdate	Target prefetch file create date (based on filesystem timestamps)
time-UTC (after cdate)	Target prefetch file create time. (based on filesystem timestamps). Note: for non Windows builds (eg Linux and Mac OS-X), this date is the metadata change date of the file.
path/appname	Embedded path/file of the entry for this prefetch record
previous dates run	Only present in new OS's.

When using a spreadsheet application (such as Microsoft Excel) to view the output of CSV type results, sometimes the cell data will wrap. This is because a cell in the spreadsheet has a maximum number of characters it can handle. Typically, this is 1024 characters for the newer spreadsheet applications. Therefore, when parsing very large prefetch files, the number of modules loaded by an application can be large, and consequently, will have an output of greater than 1024 characters for a module list. When this happens the data will be rendered on multiple cells/lines.

(Windows only) When processing filenames with characters that are not ASCII, one option is to change the code page of the command window from the default code page to UTF-8. This can be done via the command:

    chcp 65001

If running on a Windows operating system post XP and running under admin permissions, any network shares established prior as a regular (non-admin) user, will be isolated from other accounts (including the admin account). This problem occurs because User Account Control (UAC) treats members of the Administrators group as standard users. Therefore, network shares that are mapped by logon scripts are shared with the standard user access token instead of with the full administrator access token.

For Linux and Mac builds, the file cdate & time reported in the output is the date and time of the metadata change of the file (not the creation time of the file). This behavior is different in Windows, where the file cdate & time reported in the output is the date and time of the creation of the file.

This tool has authentication built into the binary. The primary authentication mechanism is the digital X509 code signing certificate embedded into the binary (Windows and macOS).

The other mechanism is the runtime authentication, which applies to all the versions of the tools (Windows, Linux and macOS). The runtime authentication ensures that the tool has a valid license. The license needs to be in the same directory of the tool for it to authenticate. Furthermore, any modification to the license, either to its name or contents, will invalidate the license.

Limited versus Demo versus Full in the tool's output banner

The tools from TZWorks will output header information about the tool's version and whether it is running in limited, demo or full mode. This is directly related to what version of a license the tool authenticates with. The limited and demo keywords indicates some functionality of the tool is not available, and the full keyword indicates all the functionality is available. The lacking functionality in the limited or demo versions may mean one or all of the following: (a) certain options may not be available, (b) certain data may not be outputted in the parsed results, and (c) the license has a finite lifetime before expiring.

• 04/16/2025 - v1.40 - updated time library (affects all tools)
• 04/17/2024 - v1.39 - core c/c++ lib changes
• 04/03/2023 - v1.38 - updated code-base to natively run Windows ARM64 processor in addition to Intel 32 or 64 bit
• 10/18/2022 - v1.37 - c-runtime library updates affecting Windows legacy builds
• 08/26/2022 - v1.36 - updated core libs during various bug fixes
• 05/12/2022 - v1.35 - updated build for new compiler. various changes to core libs
• 12/07/2021 - v1.34 - updated core libs during various bug fixes
• 08/05/2021 - v1.33 - updated core libs for Linux and OSX updates
• 03/01/2021 - v1.32 - updated build for MacOS, fixed bugs in shared libraries
• 11/09/2020 - v1.31 - updated core libs
• 09/09/2020 - v1.30 - updated the binary self check algorithm
• 05/01/2020 - v1.29 - updated the return result (0 = success, -1 = failure) for the different options
• 09/07/2019 - v1.28 - fix boundary condition for corrupted prefetch files.
• 07/03/2019 - v1.27 - added experimental -enumdir option to mimic -pipe option without using stdin
• 04/13/2019 - v1.26 - handled new prefetch structure in Win10 ver:1903
• 01/04/2019 - v1.25 - updated routines in ntfs library that affect this tool
• 10/17/2018 - v1.24 - updated routines in string library that affect this tool
• 07/28/2018 - v1.23 - library updates across all tools
• 04/11/2018 - v1.22 - library updates across all tools
• 02/11/2018 - v1.21 - bug fixes in shared libraries that affects this tool
• 12/05/2017 - v1.20 - Fixed Win10 issue with progress status display when redirecting output
• 08/22/2017 - v1.19 - updated with new digital cert and bug fixes to common libraries
• 02/20/2017 - v1.18 - updated various common libraries with bug fixes
• 05/18/2016 - v1.17 - new build with updated libraries
• 03/24/2016 - v1.16 - fix boundary condition bug when parsing carved pf files
• 03/12/2016 - v1.15 - handle corrupted pf files better. added -pipe filtering, via the -filter option. added -verbose option which allows for module listing in the output.
• 02/03/2016 - v1.14 - Fixed bug in parsing Win10 pretch files with multiple volumes
• 01/28/2016 - v1.13 - Added parsing for Win10 prefetch files. The capability for Win10 prefetch files should be considered experimental, since it requires decompression of the prefetch file prior to parsing.
• 11/20/2015 - v1.12 - option -csv_separator now allows for tab separator.
• 09/09/2015 - v1.11 - updated icon and libs
• 07/09/2015 - v1.10 - modified some output formatting for CSV when handling fields with CRLF or other characters affecting separator alignment
• 06/06/2015 - v1.09 - fixed bug when reading an empty pf file. added -pair_datetime option for csv formats
• 03/27/2015 - v1.08 - added back the -v switch for verbose option. This is the default option even without specifying this option.
• 03/09/2015 - v1.07 - time library update to fix DST issue on Windows
• 01/09/2015 - v1.06 - shared library updates and associated bug fixes
• 08/01/2014 - v1.05 - added -vss option to handle Volume Shadow Copies
• 04/05/2014 - v1.04 - added -csvl2t, -bodyfile, and -hostname options per user requests. also added detection of corrupted prefetch files during parse.
• 01/16/2014 - v1.03 - fixed bug in creation timestamp. added option to include prefetch file path to csv output.
• 11/18/2013 - v1.02 - tweaked authentication options for demo license.
• 10/09/2013 - v1.01 - added Win8 prefetch file parsing. modified the CSV output format.
• 08/21/2013 - v1.00 - Added new formatting options, and added full path of the target file in output.
• 07/05/2013 - v0.99 - Updated the authentication routine.
• 11/03/2012 - v0.98 - maintenance update of core libraries w/ bug fixes
• 10/30/2012 - v0.97 - fixed bug w/ NTFS parser inadvertently added in previous version
• 09/29/2012 - v0.96 - added hash check to ensure binary integrity. Changed the stdin syntax to now use the -pipe switch.
• 05/08/2012 - v0.95 - added -csv option
• 04/05/2012 - v0.94 - added license authentication.
• 03/17/2012 - v0.93 - maintenance update
• 05/30/2011 - v0.92 - added 32 and 64 bit versions to the mix.
• 05/22/2011 - v0.91 - maintenance update
• 02/26/2011 - v0.9a - maintenance update
• 11/23/2010 - v0.9 - updated pipe error checking
• 10/18/2010 - v0.8 - fixed date to display seconds on filetime
• 08/10/2010 - v0.7 - added port to MAC OS-X 10.6, 64 bit
• 03/26/2009 - v0.6 - added some diagnostic checks
• 03/06/2009 - v0.5e - updated code to compile on linux
• 08/30/2009 - v0.5b - updated some supporting library code
• 05/23/2009 - v0.5 (beta) - 1st prototype released for testing purposes

1. Windows Forensic Analysis, by Harlan Carvey, Syngress 2007
2. MSDN, "Windows XP: Kernel Improvements Create a More Robust, Powerful, and Scalable OS", discussion on prefetch, by Mark Russinovich and David Solomon
3. Wikipedia, the free encyclopedia. Prefetch topic.
4. Pre-fetching of pages prior to a hard page fault sequence, US patent 6,633,968, dtd 10/14/03, by Zwiegincew, et al.
5. [MS-XCA]- v20151016 Xpress Compression Algorithm, Microsoft Corporation