Explanation: Reference: http://what-when-how.com/windows-forensic-analysis/file-analysis-windows-forensic-analysis-part-5/
For boot prefetching, the Cache Manager monitors hard page faults (require that data be read from disk) and soft page faults (require that data in memory be added to a process’s working set) during whichever occurs first—the first two minutes of the boot process, the first minute after all Windows services have started, or the first 30 seconds following the start of the user’s shell. The fault data is processed along with references to files and directories that are accessed, which ultimately allows all of this data to be accessed from a single file rather than requiring that the data be retrieved from different files and directories scattered across the hard drive. This, in turn, decreases the amount of time required to boot the system.
During application prefetching, the Cache Manager monitors the first 10 seconds after a process is started. Once this data is processed, it is written to a .pf file in the Windows\Prefetch directory. This file’s name is created using the application’s name followed by a dash and then by a hexadecimal representation of the hash of the path to the application. Therefore, the same program run from different locations will create different .pf files. For example, on a Windows XP system, two different .pf files will be created when Notepad is run from the C:\Windows directory and from the C:\Windows\system32 directory. (For some reason, Windows XP has a copy of Notepad in each directory.)
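The following Python script is an added illustration of the naming scheme described above; it is not code from the referenced book or from this page. It assumes the Windows XP/2003 path hash as documented in Joachim Metz's libscca format notes (the page itself does not name the algorithm), and that the hashed input is the upper-cased NT device path of the executable (e.g. \DEVICE\HARDDISKVOLUME1\WINDOWS\NOTEPAD.EXE). It builds the .pf file names for Notepad launched from the two XP directories mentioned in the text, then runs a small parser over a constructed Prefetch directory listing to flag executables that appear under more than one hash, which is the examiner's cue that the same program name was run from more than one location.

```python
import re
from collections import defaultdict

# Windows XP/2003 prefetch path hash, as documented in libscca's format notes.
# Assumption: this page does not state the algorithm; this is the documented XP variant.
def xp_prefetch_hash(device_path: str) -> int:
    h = 0
    for ch in device_path.upper():
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    h = (h * 314159269) & 0xFFFFFFFF
    if h > 0x80000000:          # fold the signed 32-bit range to its absolute value
        h = 0x100000000 - h
    return h % 1000000007


def prefetch_filename(device_path: str) -> str:
    """<EXE NAME>-<8 hex digits>.pf, built from the path as the text describes."""
    exe = device_path.rsplit("\\", 1)[-1].upper()
    return f"{exe}-{xp_prefetch_hash(device_path):08X}.pf"


PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)


def parse_prefetch_name(name: str):
    """Split a Prefetch file name into (executable, hash); None for non-.pf entries."""
    m = PF_NAME.match(name)
    if not m:
        return None
    return m.group("exe").upper(), int(m.group("hash"), 16)


def group_by_executable(listing):
    """Map executable name -> set of distinct path hashes seen in the directory."""
    groups = defaultdict(set)
    for entry in listing:
        parsed = parse_prefetch_name(entry)
        if parsed:
            groups[parsed[0]].add(parsed[1])
    return dict(groups)


def executables_with_multiple_paths(listing):
    """Executables whose name appears with more than one hash (run from >1 location)."""
    return sorted(exe for exe, hashes in group_by_executable(listing).items()
                  if len(hashes) > 1)


# Constructed sample: the two Notepad copies the text mentions on Windows XP.
NOTEPAD_PATHS = [
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\NOTEPAD.EXE",
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NOTEPAD.EXE",
]

# Constructed Prefetch directory listing: the two derived Notepad names, the
# boot prefetch file (NTOSBOOT-B00DFAAD.pf, a fixed name on XP), one
# single-location program with a made-up hash, and the non-.pf Layout.ini.
SAMPLE_LISTING = [prefetch_filename(p) for p in NOTEPAD_PATHS] + [
    "NTOSBOOT-B00DFAAD.pf",
    "CMD.EXE-087B4001.pf",   # hash value constructed for the example
    "Layout.ini",
]

if __name__ == "__main__":
    for p in NOTEPAD_PATHS:
        print(f"{p} -> {prefetch_filename(p)}")
    print("run from more than one location:", executables_with_multiple_paths(SAMPLE_LISTING))
```

Because the hash covers the whole path rather than just the file name, a renamed copy of a program dropped in a different directory leaves its own .pf file; grouping by executable name as above is a quick way to surface those during triage, and the hash can then be matched against the path string embedded inside the .pf file itself.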