Prefetch & Artifact Deletion

Attackers delete Prefetch files, Recent items, and Jump Lists to hide which programs ran, but execution evidence survives in many parallel artifacts.

Windows records program execution in several places an attacker would rather not leave behind. The richest is Prefetch (C:\Windows\Prefetch\*.pf), which names each executable run, counts how many times, records the last eight run times, and lists files the program touched. Alongside it sit Recent items (%AppData%\Microsoft\Windows\Recent), Jump Lists (...\Recent\AutomaticDestinations), and RecentDocs registry keys.

A common cleanup step deletes these so an analyst cannot prove a tool was executed. The flaw in the plan is that execution evidence in Windows is heavily redundant — deleting Prefetch removes one witness while a dozen others remain, and the deletion itself is recorded in filesystem journals.

How it works

Cleanup is usually a short batch of deletions, sometimes baked into a loader's self-destruct routine:

```cmd
:: Wipe execution and recent-file artifacts
del /q /f C:\Windows\Prefetch\*.pf
del /q /f "%AppData%\Microsoft\Windows\Recent\*"
del /q /f "%AppData%\Microsoft\Windows\Recent\AutomaticDestinations\*"
```

Some actors instead disable Prefetch entirely by setting EnablePrefetcher to 0 under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters, which prevents future .pf files from being created at all — itself a detectable configuration change.

Detection & analysis

Static analysis:

  • The deletion of a .pf file is recorded in the $UsnJrnl:$J (USN journal) as a FILE_DELETE event that still contains the executable's name — so even a wiped Prefetch directory yields the list of programs that once had .pf entries. Tools: PECmd (Eric Zimmerman) for surviving files, MFTECmd/USN parsers for deleted ones.
  • Carve unallocated space and the $MFT for .pf records (signature MAM\x04 for compressed Win10+ Prefetch, or SCCA magic when decompressed) — deleted Prefetch frequently survives until overwritten.
  • A missing Prefetch directory or EnablePrefetcher=0 is itself an indicator of tampering on a workstation where Prefetch is normally enabled.

Dynamic analysis:

  • Corroborate execution from parallel artifacts that deletion of Prefetch does not touch: Amcache (Amcache.hve), ShimCache (AppCompatCache), SRUM (SRUDB.dat), UserAssist, and Sysmon Event ID 1 / Security 4688 process-creation logs.
  • Restore Prefetch and Recent folders from Volume Shadow Copies predating the wipe; VSS commonly retains a full set of .pf files.

Detection rule hint: Alert when multiple .pf files are deleted in a short interval (visible as a burst of USN FILE_DELETE events under \Windows\Prefetch), or when EnablePrefetcher transitions to 0. Recovery path: enumerate deleted .pf names from the USN journal and cross-reference Amcache/ShimCache/SRUM to rebuild the execution timeline.
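The burst rule and the recovery path above, worked through in Python as an added example (not code from the original page): it runs over constructed USN journal rows in the column shape MFTECmd-style exports use, flags runs of .pf deletions inside a time window, and rebuilds the program list from the deleted file names. The row layout, the 60-second window and the threshold of five are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed USN journal rows: (timestamp, file name, parent path, update
# reasons). Sample data only; the program names are not from any real case.
USN_ROWS = [
    ("2024-05-01 09:58:40", "report.docx.lnk", "\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Recent", "FileDelete|Close"),
    ("2024-05-01 10:00:01", "NOTEPAD.EXE-D8414F97.pf", "\\Windows\\Prefetch", "FileDelete|Close"),
    ("2024-05-01 10:00:01", "UPDATER.EXE-3C0E1A77.pf", "\\Windows\\Prefetch", "FileDelete|Close"),
    ("2024-05-01 10:00:02", "CMD.EXE-4A81B364.pf", "\\Windows\\Prefetch", "FileDelete|Close"),
    ("2024-05-01 10:00:02", "CONHOST.EXE-0C6456FB.pf", "\\Windows\\Prefetch", "FileDelete|Close"),
    ("2024-05-01 10:00:03", "CALC.EXE-8B3A9D11.pf", "\\Windows\\Prefetch", "FileDelete|Close"),
    ("2024-05-01 10:05:30", "CMD.EXE-4A81B364.pf", "\\Windows\\Prefetch", "FileCreate|Close"),
    ("2024-05-01 14:30:00", "OLDTOOL.EXE-11223344.pf", "\\Windows\\Prefetch", "FileDelete|Close"),
]

# Prefetch file names are <EXECUTABLE>-<8 hex chars>.pf, so the executable name
# is recoverable from the deletion record even after the file itself is gone.
PF_NAME = re.compile(r"^(?P<exe>.+)-[0-9A-F]{8}\.pf$", re.IGNORECASE)

def prefetch_deletions(rows):
    """Return sorted (timestamp, executable) pairs for .pf FILE_DELETE events under \\Windows\\Prefetch."""
    found = []
    for ts, name, parent, reasons in rows:
        m = PF_NAME.match(name)
        in_prefetch = parent.lower().endswith("\\windows\\prefetch")
        if m and in_prefetch and "FileDelete" in reasons.split("|"):
            found.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), m.group("exe").upper()))
    return sorted(found)

def deletion_bursts(rows, window=timedelta(seconds=60), threshold=5):
    """Flag runs of at least `threshold` .pf deletions inside `window` (the wipe signature)."""
    dels = prefetch_deletions(rows)
    bursts, i = [], 0
    while i < len(dels):
        j = i
        while j + 1 < len(dels) and dels[j + 1][0] - dels[i][0] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append({"start": dels[i][0], "end": dels[j][0],
                           "programs": sorted({exe for _, exe in dels[i:j + 1]})})
            i = j + 1  # skip past the burst just reported
        else:
            i += 1     # an isolated deletion (e.g. normal Prefetch housekeeping)
    return bursts

def recovered_programs(rows):
    """Names of every program that once had a .pf entry, rebuilt from deletion records alone."""
    return sorted({exe for _, exe in prefetch_deletions(rows)})
```

On the sample rows the single-file deletion at 14:30 stays below the threshold, while the five deletions within three seconds are reported as one burst; the recovered list still includes the isolated OLDTOOL.EXE entry.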
