
I am attempting to list some details from the Windows Prefetch file such as Filename, FileCreatedTime, FileModifiedTime, File Size, Process Name, Process Path, Run Counter & Last Run time. Though there are many tools like Nirsoft WinPrefetchViewer and a couple more available, I thought of creating one internally for my organization. And coming to the point: out of these many details I have cracked or extracted all of them except the Process full path (for e.g. C:\Program Files (x86)\Mozilla Firefox\Firefox.exe in the case of the Firefox executable). To give more details, I have converted the .pf file into a hexadecimal format for extracting the offset addresses of the fields and converted them to decimal or ASCII accordingly. After spending a considerable amount of time exploring, I was not able to find the offset address of the full process path in the prefetch file. It would be great if someone could throw light on this.

ramp
  • *"I have converted the .pf file into a hexdecimal format"* - That doesn't make much sense. The numeral system you use is concerned with **displaying** data only. It's just a different representation of the same data. There is no conversion. Unless you meant to write that you converted the binary data to a string representation, using a base 16 numeral system. – IInspectable Oct 04 '16 at 07:43
  • There are a couple of reasons behind the creation of a hexdump for the .pf file. The first one being that in most of the online resources, such as Yogesh Khatri and some others, I could see them demonstrating what I was looking for by getting the hex values and later extracting the File Creation time, Modified, File size, Run counter & last run time by converting hex values to ASCII accordingly. The second one being that when I was doing this manually I was using a hex editor to get the hex values along with the offset addresses of the .pf file. – ramp Oct 05 '16 at 05:49
  • So these things made me think in this way. And I was able to get all the values or data which I intended to, except the full process path. And after quite some amount of exploration I was not successful for this value. Please suggest me if some other approaches are available. – ramp Oct 05 '16 at 05:49
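An added example (my own code, not the asker's tool and not one of the viewers named above) showing where the process path actually lives: it is not at a fixed offset but in the filename-strings section, which is located through the offset stored in the file-information block. Assumptions: the header and file-information layouts below follow the publicly documented prefetch format notes (libscca) for versions 17, 23 and 26; Windows 10 files are compressed and are rejected rather than handled; the sample image is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Per-version offsets (relative to the file-information block at 0x54) of the
# last-run FILETIME and the run counter, as in the public libscca format notes.
# Windows 10 files (version 30, MAM-compressed) are deliberately left out.
INFO_OFFSETS = {17: (36, 60), 23: (44, 68), 26: (44, 124)}

def filetime_to_dt(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_prefetch(data: bytes) -> dict:
    """Extract viewer fields, including the full path of the prefetched executable."""
    if data[:3] == b"MAM":  # Windows 10+ wraps the file in LZXPRESS-Huffman compression
        raise ValueError("compressed prefetch file: decompress the MAM container first")
    version, signature, _, file_size = struct.unpack_from("<I4s4sI", data, 0)
    if signature != b"SCCA" or version not in INFO_OFFSETS:
        raise ValueError(f"unsupported prefetch file (version {version})")
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 76)[0]
    info = 0x54  # file-information block; strings offset/size sit at +16/+20 in all versions
    strings_off, strings_size = struct.unpack_from("<II", data, info + 16)
    last_run_off, run_count_off = INFO_OFFSETS[version]
    last_run = filetime_to_dt(struct.unpack_from("<Q", data, info + last_run_off)[0])
    run_count = struct.unpack_from("<I", data, info + run_count_off)[0]
    raw = data[strings_off:strings_off + strings_size].decode("utf-16-le")
    strings = [s for s in raw.split("\x00") if s]
    # The process path has no fixed offset: it is the filename-strings entry whose last
    # path component equals the executable name from the header (device-path form).
    exe_path = next((s for s in strings if s.rsplit("\\", 1)[-1].upper() == exe_name.upper()), None)
    return {"version": version, "file_size": file_size, "exe_name": exe_name,
            "hash": prefetch_hash, "run_count": run_count, "last_run": last_run,
            "exe_path": exe_path, "loaded_files": strings}

def build_sample() -> bytes:
    """Constructed minimal version-23 (Windows 7) image so the parser runs offline."""
    names = ["\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
             "\\DEVICE\\HARDDISKVOLUME2\\PROGRAM FILES (X86)\\MOZILLA FIREFOX\\FIREFOX.EXE"]
    strings = "".join(n + "\x00" for n in names).encode("utf-16-le")
    info = bytearray(156)  # version-23 file-information block size
    struct.pack_into("<II", info, 16, 84 + 156, len(strings))  # filename strings offset/size
    ft = int((datetime(2016, 10, 4, tzinfo=timezone.utc) - FILETIME_EPOCH).total_seconds()) * 10_000_000
    struct.pack_into("<Q", info, 44, ft)  # last run time
    struct.pack_into("<I", info, 68, 7)   # run counter
    header = struct.pack("<I4s4sI", 23, b"SCCA", b"\x11\x00\x00\x00", 84 + 156 + len(strings))
    header += "FIREFOX.EXE".encode("utf-16-le").ljust(60, b"\x00")
    header += struct.pack("<II", 0x12345678, 0)  # placeholder hash, not a real SCCA hash
    return header + bytes(info) + strings
```

On a real file call `parse_prefetch(open(path, "rb").read())`; the device path (\DEVICE\HARDDISKVOLUMEn\...) maps to a drive letter only through the volume information section, which is not covered here.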

0 Answers