`prefetch`¶

$ target-query <path/to/target> -f prefetch

Details¶
Module	`dissect.target.plugins.os.windows.prefetch.PrefetchPlugin`
Output	`records`

Module documentation

Windows prefetch plugin.

Function documentation

Return the content of all prefetch files.

Prefetch is a memory management feature in Windows. It contains information (for example run count and timestamp) about executable applications that have been executed recently or are frequently executed.

References:

https://www.geeksforgeeks.org/prefetch-files-in-windows/

Yields PrefetchRecords with fields:

hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): Run timestamp.
filename (path): The filename.
prefetch (path): The prefetch entry.
linkedfile (path): The linked file entry.
runcount (int): The run count.

with --grouped:

Yields PrefetchRecords with fields:

hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): Run timestamp.
filename (path): The filename.
prefetch (path): The prefetch entry.
linkedfiles (path[]): A list of linked files
runcount (int): The run count.
previousruns (datetime[]): Previous run non zero timestamps

prefetch¶

`prefetch`¶