The argument about /prefetch:X, or … the other way around

July 6, 2013 in Forensic Analysis

My older posts about the algorithm used by Prefetch files mentioned the /prefetch:X command line argument, but I never got a chance to explain this in detail. Today I accidentally came across an old post on MSDN that goes to a great extent explaining this bit. As per the blog:

The /prefetch:# flag is looked at by the OS when we create the process — however, it has one (and only one) purpose.  We add the passed number to the hash.  Why?  WMP is a multipurpose application and may do many different things.  The DLLs and code that it touches will be very different when playing a WMV than when playing a DVD, or when ripping a CD, or when listening to a Shoutcast stream, or any of the other things that WMP can do.  If we only had one hash for WMP, then the prefetch would only be correct for one such use.  Having incorrect prefetch data would not be a fatal error — it’d just load pages into memory that’d never get used, and then get swapped back out to disk as soon as possible.  Still, it’s counterproductive.  By specifying a /prefetch:# flag with a different number for each “mode” that WMP can do, each mode gets its own separate hash file, and thus we properly prefetch.  (This behavior isn’t specific to WMP — it does the same for any app.)

Isn’t that great when we don’t need to reinvent the wheel? 🙂

Still, at the bottom of the article it says:

(ATTENTION: This is merely an informative article; this information is completely unsupported, and the functionality may change or disappear entirely in future versions of Windows or service packs.  Furthermore, it is merely a hint for the XP prefetcher, and it may choose to ignore it if it wishes.)

Oh well.. most of the forensic analysis is based on the ‘undocumented’ ‘unsupported’ and guesswork anyway, so it kinda fits in perfectly 🙂

Comments are closed.