{"id":1977,"date":"2013-07-06T00:37:08","date_gmt":"2013-07-06T00:37:08","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=1977"},"modified":"2013-07-06T00:37:08","modified_gmt":"2013-07-06T00:37:08","slug":"the-argument-about-prefetchx-or-the-other-way-around","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2013\/07\/06\/the-argument-about-prefetchx-or-the-other-way-around\/","title":{"rendered":"The argument about \/prefetch:X, or &#8230; the other way around"},"content":{"rendered":"<p>My <a title=\"Prefetch Hash Calculator + a hash lookup table xp\/vista\/w7\/w2k3\/w2k8\" href=\"https:\/\/www.hexacorn.com\/blog\/2012\/06\/13\/prefetch-hash-calculator-a-hash-lookup-table-xpvistaw7w2k3w2k8\/\">older<\/a> <a title=\"Prefetch file names and UNC paths\" href=\"https:\/\/www.hexacorn.com\/blog\/2012\/10\/29\/prefetch-file-names-and-unc-paths\/\">posts<\/a> about the algorithm used by Prefetch files mentioned the \/prefetch:X command-line argument, but I never got a chance to explain this in detail. Today I accidentally came across an old post on <a href=\"http:\/\/blogs.msdn.com\/b\/ryanmy\/archive\/2005\/05\/25\/421882.aspx\">MSDN<\/a> that goes to great lengths to explain this bit. 
As per the blog:<\/p>\n<p style=\"padding-left: 30px;\">The \/prefetch:# flag is looked at by the OS when we create the process &#8212; however, it has one (and only one) purpose.\u00a0 We add the passed number to the hash.\u00a0 Why?\u00a0 WMP is a multipurpose application and may do many different things.\u00a0 The DLLs and code that it touches will be very different when playing a WMV than when playing a DVD, or when ripping a CD, or when listening to a Shoutcast stream, or any of the other things that WMP can do.\u00a0 If we only had one hash for WMP, then the prefetch would only be correct for one such use.\u00a0 Having incorrect prefetch data would not be a fatal error &#8212; it&#8217;d just load pages into memory that&#8217;d never get used, and then get swapped back out to disk as soon as possible.\u00a0 Still, it&#8217;s counterproductive.\u00a0 By specifying a \/prefetch:# flag with a different number for each &#8220;mode&#8221; that WMP can do, each mode gets its own separate hash file, and thus we properly prefetch.\u00a0 (This behavior isn&#8217;t specific to WMP &#8212; it does the same for any app.)<\/p>\n<p>Isn&#8217;t that great when we don&#8217;t need to reinvent the wheel? \ud83d\ude42<\/p>\n<p>Still, at the bottom of the article it says:<\/p>\n<p style=\"padding-left: 30px;\">(ATTENTION: This is merely an informative article; this information is completely unsupported, and the functionality may change or disappear entirely in future versions of Windows or service packs.\u00a0 Furthermore, it is merely a hint for the XP prefetcher, and it may choose to ignore it if it wishes.)<\/p>\n<p>Oh well.. 
most of the forensic analysis is based on the &#8216;undocumented&#8217; &#8216;unsupported&#8217; and guesswork anyway, so it kinda fits in perfectly \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>My older posts about the algorithm used by Prefetch files mentioned the \/prefetch:X command line argument, but I never got a chance to explain this in detail. Today I accidentally came across an old post on MSDN that goes to &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2013\/07\/06\/the-argument-about-prefetchx-or-the-other-way-around\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[19],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1977"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=1977"}],"version-history":[{"count":5,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1977\/revisions"}],"predecessor-version":[{"id":1985,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1977\/revisions\/1985"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=1977"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=1977"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=1977"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}