Parsing prefetch files

Prefetch files, stored in C:\Windows\Prefetch, record which programs have been run on a Windows computer, how many times, and when. Eric Zimmerman's open-source forensic tools include a prefetch parser, PECmd, available for download here.

Open a command prompt as administrator (the Prefetch directory is not readable by a standard user) and change to the directory into which you've unzipped the executable, PECmd.exe. Then run a command like this:

PECmd.exe -d C:\Windows\Prefetch --csv c:\temp

The -d switch points PECmd at the directory that holds the prefetch files (C:\Windows\Prefetch on Windows 10), and --csv directs it to write its results as .csv files into c:\temp. In a test of the tool tonight it generated two .csv files. The first contains detailed information on each application run on the PC: how many times it has been run, when it was last run and, for Windows 8 and later, the previous run times that the prefetch file retains as well (up to eight in total, so older runs fall off the end).

A second file provides a simpler timeline: one row per run time, each paired with the executable that ran, which is the file to read when you want to see what was launched in what order.
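The fields PECmd pulls out of each file (executable name, prefetch hash, run count, last-run times) sit in the .pf header and can be read directly. The parser below is an added example and is not part of this post's instructions or of Eric Zimmerman's tools; it follows the publicly documented SCCA header layout for Windows XP through Windows 10, assumes that the two known Windows 10 header sub-variants can be told apart by header size, and runs against constructed sample headers rather than real files. Windows 10 prefetch files are LZXPRESS Huffman compressed (they begin with "MAM"), and the decompression here goes through ntdll via ctypes, so that path works only when the script is run on Windows.

```python
"""Minimal Windows prefetch (.pf) header parser; added example, standard library only."""
import struct
import sys
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Per-version offsets (from file start) of the fields the summary CSV reports:
# (offset of the last-run FILETIME array, number of FILETIMEs, offset of run count)
LAYOUTS = {
    17: (0x78, 1, 0x90),  # Windows XP / 2003
    23: (0x80, 1, 0x98),  # Windows Vista / 7
    26: (0x80, 8, 0xD0),  # Windows 8.1
    30: (0x80, 8, None),  # Windows 10: run-count offset depends on the sub-variant
}


def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decompress_mam(data):
    """Windows 10 layout: 'MAM\\x04' + uint32 uncompressed size + LZXPRESS Huffman stream.
    Uses ntdll!RtlDecompressBufferEx through ctypes, so this only works on Windows."""
    if sys.platform != "win32":
        raise RuntimeError("MAM-compressed prefetch file: decompression needs Windows ntdll")
    import ctypes
    from ctypes import wintypes
    (size,) = struct.unpack_from("<I", data, 4)
    fmt = wintypes.USHORT(4)  # COMPRESSION_FORMAT_XPRESS_HUFF
    ntdll = ctypes.WinDLL("ntdll")
    ws, fws = wintypes.ULONG(), wintypes.ULONG()
    ntdll.RtlGetCompressionWorkSpaceSize(fmt, ctypes.byref(ws), ctypes.byref(fws))
    out, final = ctypes.create_string_buffer(size), wintypes.ULONG()
    status = ntdll.RtlDecompressBufferEx(fmt, out, size, data[8:], len(data) - 8,
                                         ctypes.byref(final), ctypes.create_string_buffer(ws.value))
    if status != 0:
        raise RuntimeError("RtlDecompressBufferEx failed, NTSTATUS 0x%08X" % (status & 0xFFFFFFFF))
    return out.raw[:final.value]


def parse_prefetch(data):
    """Return the summary fields for one .pf file given as bytes."""
    if data[:4] == b"MAM\x04":
        data = decompress_mam(data)
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA" or version not in LAYOUTS:
        raise ValueError("unsupported prefetch file: sig=%r version=%d" % (sig, version))
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash, = struct.unpack_from("<I", data, 0x4C)
    metrics_offset, = struct.unpack_from("<I", data, 0x54)  # first section after the header
    run_off, n_runs, count_off = LAYOUTS[version]
    if count_off is None:
        # Assumption: the Windows 10 sub-variants differ only in header size (0x12C vs
        # 0x134), and the header size equals the offset of the file-metrics array.
        count_off = 0xC8 if metrics_offset == 0x12C else 0xD0
    run_count, = struct.unpack_from("<I", data, count_off)
    ticks = struct.unpack_from("<%dQ" % n_runs, data, run_off)
    runs = [filetime_to_dt(t) for t in ticks if t]  # unused slots are zero
    return {
        "executable": exe_name,
        "prefetch_file": "%s-%08X.pf" % (exe_name, prefetch_hash),
        "version": version,
        "run_count": run_count,
        "last_run": runs[0] if runs else None,
        "previous_runs": runs[1:],
    }


def build_sample(version, exe_name, prefetch_hash, run_count, run_times):
    """Constructed sample: a header-only .pf image with the given fields, not a file
    taken from any real system. run_times is newest first."""
    header_size = {17: 0x98, 23: 0xF0, 26: 0x134, 30: 0x134}[version]
    run_off, n_runs, count_off = LAYOUTS[version]
    buf = bytearray(header_size)
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    struct.pack_into("<I", buf, 0x0C, header_size)
    buf[0x10:0x10 + 60] = exe_name.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, prefetch_hash)
    struct.pack_into("<I", buf, 0x54, header_size)  # metrics array starts after the header
    ticks = []
    for t in run_times:  # exact integer FILETIME, no float rounding
        d = t - FILETIME_EPOCH
        ticks.append((d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10)
    ticks += [0] * (n_runs - len(ticks))
    struct.pack_into("<%dQ" % n_runs, buf, run_off, *ticks[:n_runs])
    struct.pack_into("<I", buf, count_off or 0xD0, run_count)
    return bytes(buf)


def demo():
    """Parse two constructed samples: a Windows 7 header and a Windows 10 header."""
    win7 = build_sample(23, "NOTEPAD.EXE", 0xD8414F97, 5,
                        [datetime(2015, 6, 1, 20, 15, tzinfo=timezone.utc)])
    win10 = build_sample(30, "CMD.EXE", 0x1234ABCD, 12,
                         [datetime(2016, 1, 2, 3, 4, 5, tzinfo=timezone.utc),
                          datetime(2016, 1, 1, tzinfo=timezone.utc)])
    return [parse_prefetch(win7), parse_prefetch(win10)]


if __name__ == "__main__":
    if sys.argv[1:]:  # python pfparse.py one.pf another.pf
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(parse_prefetch(f.read()))
    else:
        for info in demo():
            print(info)
```

Run it with no arguments to see the two constructed samples parsed, or pass .pf files copied out of C:\Windows\Prefetch. The run count and last-run fields it returns are the same ones PECmd lists per executable in its first .csv; on a Windows 7 image only one run time exists per file, which is why the previous_runs list comes back empty for that sample.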

© 2015 by Sean O'Shea.