├── .gitattributes
├── .github
└── workflows
│ └── publish.yml
├── .gitignore
├── .idea
└── .idea.Prefetch
│ └── .idea
│ ├── .gitignore
│ ├── encodings.xml
│ ├── indexLayout.xml
│ └── vcs.xml
├── Prefetch.Test
├── Prefetch.Test.csproj
├── TestFiles
│ ├── Bad
│ │ └── notAPrefetch.pf
│ ├── Vista
│ │ ├── CMD.EXE-89305D47.pf
│ │ ├── DLLHOST.EXE-893DDF55.pf
│ │ ├── EXPLORER.EXE-7A3328DA.pf
│ │ └── NOTEPAD.EXE-EB1B961A.pf
│ ├── Win10
│ │ ├── CALC.EXE-3FBEF7FD.pf
│ │ ├── CALCULATOR.EXE-6940BD5C.pf
│ │ ├── CHROME.EXE-B3BA7868.pf
│ │ ├── CMD.EXE-D269B812.pf
│ │ ├── DCODEDCODEDCODEDCODEDCODEDCOD-E65B9FE8.pf
│ │ └── DEVENV.EXE-854D7862.pf
│ ├── Win2012
│ │ ├── CALC.EXE-77FDF17F.pf
│ │ ├── CMD.EXE-4A81B364.pf
│ │ ├── MSCORSVW.EXE-57D17DAF.pf
│ │ ├── NOTEPAD.EXE-D8414F97.pf
│ │ └── REGEDIT.EXE-90FEEA06.pf
│ ├── Win2012R2
│ │ ├── CALC.EXE-77FDF17F.pf
│ │ ├── CMD.EXE-4A81B364.pf
│ │ ├── CONHOST.EXE-1F3E9D7E.pf
│ │ ├── DLLHOST.EXE-5E46FA0D.pf
│ │ ├── LOGONUI.EXE-09140401.pf
│ │ └── NOTEPAD.EXE-D8414F97.pf
│ ├── Win2k3
│ │ ├── CALC.EXE-02CD573A.pf
│ │ ├── CMD.EXE-087B4001.pf
│ │ ├── EXPLORER.EXE-082F38A9.pf
│ │ ├── MMC.EXE-0721152E.pf
│ │ └── NOTEPAD.EXE-336351A9.pf
│ ├── Win7
│ │ ├── CALC.EXE-77FDF17F.pf
│ │ ├── CMD.EXE-4A81B364.pf
│ │ ├── DCODEDCODEDCODEDCODEDCODEDCOD-9054DA3F.pf
│ │ ├── DCODEDCODEDCODEDCODEDCODEDCOD-94896A93.pf
│ │ ├── DRVINST.EXE-5F8E77CD.pf
│ │ ├── EXPLORER.EXE-A80E4F97.pf
│ │ ├── NOTEPAD.EXE-D8414F97.pf
│ │ ├── PING.EXE-B29F6629.pf
│ │ └── WUAUCLT.EXE-830BCC14.pf
│ ├── Win8x
│ │ ├── CALC.EXE-77FDF17F.pf
│ │ ├── CMD.EXE-4A81B364.pf
│ │ ├── CONSENT.EXE-531BD9EA.pf
│ │ ├── LIVECOMM.EXE-A134F539.pf
│ │ ├── LIVECOMM.EXE-D546E475.pf
│ │ ├── NOTEPAD.EXE-D8414F97.pf
│ │ ├── POQEXEC.EXE-69592829.pf
│ │ ├── TASKHOST.EXE-3AE259FC.pf
│ │ ├── WWAHOST.EXE-00A972CA.pf
│ │ ├── _CALC.EXE-77FDF17F.pf
│ │ ├── _CMD.EXE-4A81B364.pf
│ │ └── _NOTEPAD.EXE-D8414F97.pf
│ └── XPPro
│ │ ├── CALC.EXE-02CD573A.pf
│ │ ├── CMD.EXE-087B4001.pf
│ │ ├── EXPLORER.EXE-082F38A9.pf
│ │ ├── MSIMN.EXE-38BA891D.pf
│ │ ├── MSMSGS.EXE-2B6052DE.pf
│ │ ├── NOTEPAD.EXE-336351A9.pf
│ │ └── VERCLSID.EXE-3667BD89.pf
├── TestPrefetchMain.cs
├── TestVersion17.cs
├── TestVersion23.cs
├── TestVersion26.cs
└── TestVersion30.cs
├── Prefetch.sln
├── Prefetch
├── IPrefetch.cs
├── Other
│ ├── FileMetric.cs
│ ├── Header.cs
│ ├── MFTInformation.cs
│ ├── TraceChain.cs
│ └── VolumeInfo.cs
├── Prefetch.csproj
├── PrefetchFile.cs
├── Versions
│ ├── Version17.cs
│ ├── Version23.cs
│ ├── Version26.cs
│ └── Version30or31.cs
└── XpressStream
│ └── Xpress2.cs
├── README.md
├── icon.png
└── license
/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
9 | # This is need for earlier builds of msysgit that does not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/.github/workflows/publish.yml:
--------------------------------------------------------------------------------
1 | # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
2 |
3 | name: publish
4 | on:
5 | workflow_dispatch: # Allow running the workflow manually from the GitHub UI
6 | push:
7 | branches:
8 | - 'master' # Run the workflow when pushing to the main branch
9 | pull_request:
10 | branches:
11 | - '*' # Run the workflow for all pull requests
12 | release:
13 | types:
14 | - published # Run the workflow when a new GitHub release is published
15 |
16 | env:
17 | DOTNET_SKIP_FIRST_TIME_EXPERIENCE: 1
18 | DOTNET_NOLOGO: true
19 | NuGetDirectory: ${{ github.workspace}}/nuget
20 |
21 | defaults:
22 | run:
23 | shell: pwsh
24 |
25 | jobs:
26 | create_nuget:
27 | runs-on: ubuntu-latest
28 | steps:
29 | - uses: actions/checkout@v4
30 | with:
31 | fetch-depth: 0 # Get all history to allow automatic versioning using MinVer
32 |
33 | # Install the .NET SDK indicated in the global.json file
34 | - name: Setup .NET
35 | uses: actions/setup-dotnet@v4
36 |
37 | # Create the NuGet package in the folder from the environment variable NuGetDirectory
38 | - run: dotnet pack --configuration Release --output ${{ env.NuGetDirectory }}
39 |
40 | # Publish the NuGet package as an artifact, so they can be used in the following jobs
41 | - uses: actions/upload-artifact@v4
42 | with:
43 | name: nuget
44 | if-no-files-found: error
45 | retention-days: 7
46 | path: ${{ env.NuGetDirectory }}/*.nupkg
47 |
48 | validate_nuget:
49 | runs-on: ubuntu-latest
50 | needs: [ create_nuget ]
51 | steps:
52 | # Install the .NET SDK indicated in the global.json file
53 | - name: Setup .NET
54 | uses: actions/setup-dotnet@v4
55 |
56 | # Download the NuGet package created in the previous job
57 | - uses: actions/download-artifact@v4
58 | with:
59 | name: nuget
60 | path: ${{ env.NuGetDirectory }}
61 |
62 | - name: Install nuget validator
63 | run: dotnet tool update Meziantou.Framework.NuGetPackageValidation.Tool --global
64 |
65 | # Validate metadata and content of the NuGet package
66 | # https://www.nuget.org/packages/Meziantou.Framework.NuGetPackageValidation.Tool#readme-body-tab
67 | # If some rules are not applicable, you can disable them
68 | # using the --excluded-rules or --excluded-rule-ids option
69 | - name: Validate package
70 | run: meziantou.validate-nuget-package (Get-ChildItem "${{ env.NuGetDirectory }}/*.nupkg")
71 |
72 | # run_test:
73 | # runs-on: ubuntu-latest
74 | # steps:
75 | # - uses: actions/checkout@v4
76 | # - name: Setup .NET
77 | # uses: actions/setup-dotnet@v4
78 | # - name: Run tests
79 | # run: dotnet test --configuration Release
80 |
81 | deploy:
82 | # Publish only when creating a GitHub Release
83 | # https://docs.github.com/en/repositories/releasing-projects-on-github/managing-releases-in-a-repository
84 | # You can update this logic if you want to manage releases differently
85 | if: github.event_name == 'release'
86 | runs-on: ubuntu-latest
87 | #needs: [ validate_nuget, run_test ]
88 | needs: [ validate_nuget ]
89 | steps:
90 | # Download the NuGet package created in the previous job
91 | - uses: actions/download-artifact@v4
92 | with:
93 | name: nuget
94 | path: ${{ env.NuGetDirectory }}
95 |
96 | # Install the .NET SDK indicated in the global.json file
97 | - name: Setup .NET Core
98 | uses: actions/setup-dotnet@v4
99 |
100 | # Publish all NuGet packages to NuGet.org
101 | # Use --skip-duplicate to prevent errors if a package with the same version already exists.
102 | # If you retry a failed workflow, already published packages will be skipped without error.
103 | - name: Publish NuGet package
104 | run: |
105 | foreach($file in (Get-ChildItem "${{ env.NuGetDirectory }}" -Recurse -Include *.nupkg)) {
106 | dotnet nuget push $file --api-key "${{ secrets.NUGET_APIKEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicate
107 | }
108 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 |
4 | .idea/
5 |
6 | # User-specific files
7 | *.suo
8 | *.user
9 | *.userosscache
10 | *.sln.docstates
11 |
12 | # User-specific files (MonoDevelop/Xamarin Studio)
13 | *.userprefs
14 |
15 | # Build results
16 | [Dd]ebug/
17 | [Dd]ebugPublic/
18 | [Rr]elease/
19 | [Rr]eleases/
20 | x64/
21 | x86/
22 | build/
23 | bld/
24 | [Bb]in/
25 | [Oo]bj/
26 |
27 | # Visual Studio 2015 cache/options directory
28 | .vs/
29 |
30 | # MSTest test Results
31 | [Tt]est[Rr]esult*/
32 | [Bb]uild[Ll]og.*
33 |
34 | # NUNIT
35 | *.VisualState.xml
36 | TestResult.xml
37 |
38 | # Build Results of an ATL Project
39 | [Dd]ebugPS/
40 | [Rr]eleasePS/
41 | dlldata.c
42 |
43 | # DNX
44 | project.lock.json
45 | artifacts/
46 |
47 | *_i.c
48 | *_p.c
49 | *_i.h
50 | *.ilk
51 | *.meta
52 | *.obj
53 | *.pch
54 | *.pdb
55 | *.pgc
56 | *.pgd
57 | *.rsp
58 | *.sbr
59 | *.tlb
60 | *.tli
61 | *.tlh
62 | *.tmp
63 | *.tmp_proj
64 | *.log
65 | *.vspscc
66 | *.vssscc
67 | .builds
68 | *.pidb
69 | *.svclog
70 | *.scc
71 |
72 | # Chutzpah Test files
73 | _Chutzpah*
74 |
75 | # Visual C++ cache files
76 | ipch/
77 | *.aps
78 | *.ncb
79 | *.opensdf
80 | *.sdf
81 | *.cachefile
82 |
83 | # Visual Studio profiler
84 | *.psess
85 | *.vsp
86 | *.vspx
87 |
88 | # TFS 2012 Local Workspace
89 | $tf/
90 |
91 | # Guidance Automation Toolkit
92 | *.gpState
93 |
94 | # ReSharper is a .NET coding add-in
95 | _ReSharper*/
96 | *.[Rr]e[Ss]harper
97 | *.DotSettings.user
98 |
99 | # JustCode is a .NET coding add-in
100 | .JustCode
101 |
102 | # TeamCity is a build add-in
103 | _TeamCity*
104 |
105 | # DotCover is a Code Coverage Tool
106 | *.dotCover
107 |
108 | # NCrunch
109 | _NCrunch_*
110 | .*crunch*.local.xml
111 |
112 | # MightyMoose
113 | *.mm.*
114 | AutoTest.Net/
115 |
116 | # Web workbench (sass)
117 | .sass-cache/
118 |
119 | # Installshield output folder
120 | [Ee]xpress/
121 |
122 | # DocProject is a documentation generator add-in
123 | DocProject/buildhelp/
124 | DocProject/Help/*.HxT
125 | DocProject/Help/*.HxC
126 | DocProject/Help/*.hhc
127 | DocProject/Help/*.hhk
128 | DocProject/Help/*.hhp
129 | DocProject/Help/Html2
130 | DocProject/Help/html
131 |
132 | # Click-Once directory
133 | publish/
134 |
135 | # Publish Web Output
136 | *.[Pp]ublish.xml
137 | *.azurePubxml
138 | ## TODO: Comment the next line if you want to checkin your
139 | ## web deploy settings but do note that will include unencrypted
140 | ## passwords
141 | #*.pubxml
142 |
143 | *.publishproj
144 |
145 | # NuGet Packages
146 | *.nupkg
147 | # The packages folder can be ignored because of Package Restore
148 | **/packages/*
149 | # except build/, which is used as an MSBuild target.
150 | !**/packages/build/
151 | # Uncomment if necessary however generally it will be regenerated when needed
152 | #!**/packages/repositories.config
153 |
154 | # Windows Azure Build Output
155 | csx/
156 | *.build.csdef
157 |
158 | # Windows Store app package directory
159 | AppPackages/
160 |
161 | # Visual Studio cache files
162 | # files ending in .cache can be ignored
163 | *.[Cc]ache
164 | # but keep track of directories ending in .cache
165 | !*.[Cc]ache/
166 |
167 | # Others
168 | ClientBin/
169 | [Ss]tyle[Cc]op.*
170 | ~$*
171 | *~
172 | *.dbmdl
173 | *.dbproj.schemaview
174 | *.pfx
175 | *.publishsettings
176 | node_modules/
177 | orleans.codegen.cs
178 |
179 | # RIA/Silverlight projects
180 | Generated_Code/
181 |
182 | # Backup & report files from converting an old project file
183 | # to a newer Visual Studio version. Backup files are not needed,
184 | # because we have git ;-)
185 | _UpgradeReport_Files/
186 | Backup*/
187 | UpgradeLog*.XML
188 | UpgradeLog*.htm
189 |
190 | # SQL Server files
191 | *.mdf
192 | *.ldf
193 |
194 | # Business Intelligence projects
195 | *.rdl.data
196 | *.bim.layout
197 | *.bim_*.settings
198 |
199 | # Microsoft Fakes
200 | FakesAssemblies/
201 |
202 | # Node.js Tools for Visual Studio
203 | .ntvs_analysis.dat
204 |
205 | # Visual Studio 6 build log
206 | *.plg
207 |
208 | # Visual Studio 6 workspace options file
209 | *.opt
210 |
211 | # LightSwitch generated files
212 | GeneratedArtifacts/
213 | _Pvt_Extensions/
214 | ModelManifest.xml
215 |
--------------------------------------------------------------------------------
/.idea/.idea.Prefetch/.idea/.gitignore:
--------------------------------------------------------------------------------
1 | # Default ignored files
2 | /shelf/
3 | /workspace.xml
4 | # Rider ignored files
5 | /projectSettingsUpdater.xml
6 | /modules.xml
7 | /.idea.Prefetch.iml
8 | /contentModel.xml
9 | # Editor-based HTTP Client requests
10 | /httpRequests/
11 | # Datasource local storage ignored files
12 | /dataSources/
13 | /dataSources.local.xml
14 |
--------------------------------------------------------------------------------
/.idea/.idea.Prefetch/.idea/encodings.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/.idea/.idea.Prefetch/.idea/indexLayout.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
--------------------------------------------------------------------------------
/.idea/.idea.Prefetch/.idea/vcs.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/Prefetch.Test/Prefetch.Test.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 | netstandard2.0;net6.0;net8.0
4 | 10
5 | false
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | 6.12.0
75 |
76 |
77 |
78 |
79 |
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Bad/notAPrefetch.pf:
--------------------------------------------------------------------------------
1 | ����SDCA�����
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Vista/CMD.EXE-89305D47.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Vista/CMD.EXE-89305D47.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Vista/DLLHOST.EXE-893DDF55.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Vista/DLLHOST.EXE-893DDF55.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Vista/EXPLORER.EXE-7A3328DA.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Vista/EXPLORER.EXE-7A3328DA.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Vista/NOTEPAD.EXE-EB1B961A.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Vista/NOTEPAD.EXE-EB1B961A.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win10/CALC.EXE-3FBEF7FD.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win10/CALC.EXE-3FBEF7FD.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win10/CALCULATOR.EXE-6940BD5C.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win10/CALCULATOR.EXE-6940BD5C.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win10/CHROME.EXE-B3BA7868.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win10/CHROME.EXE-B3BA7868.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win10/CMD.EXE-D269B812.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win10/CMD.EXE-D269B812.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win10/DCODEDCODEDCODEDCODEDCODEDCOD-E65B9FE8.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win10/DCODEDCODEDCODEDCODEDCODEDCOD-E65B9FE8.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win10/DEVENV.EXE-854D7862.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win10/DEVENV.EXE-854D7862.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win2012/CALC.EXE-77FDF17F.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win2012/CALC.EXE-77FDF17F.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win2012/CMD.EXE-4A81B364.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win2012/CMD.EXE-4A81B364.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win2012/MSCORSVW.EXE-57D17DAF.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win2012/MSCORSVW.EXE-57D17DAF.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win2012/NOTEPAD.EXE-D8414F97.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win2012/NOTEPAD.EXE-D8414F97.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win2012/REGEDIT.EXE-90FEEA06.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win2012/REGEDIT.EXE-90FEEA06.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win2012R2/CALC.EXE-77FDF17F.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win2012R2/CALC.EXE-77FDF17F.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win2012R2/CMD.EXE-4A81B364.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win2012R2/CMD.EXE-4A81B364.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win2012R2/CONHOST.EXE-1F3E9D7E.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win2012R2/CONHOST.EXE-1F3E9D7E.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win2012R2/DLLHOST.EXE-5E46FA0D.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win2012R2/DLLHOST.EXE-5E46FA0D.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win2012R2/LOGONUI.EXE-09140401.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win2012R2/LOGONUI.EXE-09140401.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win2012R2/NOTEPAD.EXE-D8414F97.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win2012R2/NOTEPAD.EXE-D8414F97.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win2k3/CALC.EXE-02CD573A.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win2k3/CALC.EXE-02CD573A.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win2k3/CMD.EXE-087B4001.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win2k3/CMD.EXE-087B4001.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win2k3/EXPLORER.EXE-082F38A9.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win2k3/EXPLORER.EXE-082F38A9.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win2k3/MMC.EXE-0721152E.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win2k3/MMC.EXE-0721152E.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win2k3/NOTEPAD.EXE-336351A9.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win2k3/NOTEPAD.EXE-336351A9.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win7/CALC.EXE-77FDF17F.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win7/CALC.EXE-77FDF17F.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win7/CMD.EXE-4A81B364.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win7/CMD.EXE-4A81B364.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win7/DCODEDCODEDCODEDCODEDCODEDCOD-9054DA3F.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win7/DCODEDCODEDCODEDCODEDCODEDCOD-9054DA3F.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win7/DCODEDCODEDCODEDCODEDCODEDCOD-94896A93.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win7/DCODEDCODEDCODEDCODEDCODEDCOD-94896A93.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win7/DRVINST.EXE-5F8E77CD.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win7/DRVINST.EXE-5F8E77CD.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win7/EXPLORER.EXE-A80E4F97.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win7/EXPLORER.EXE-A80E4F97.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win7/NOTEPAD.EXE-D8414F97.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win7/NOTEPAD.EXE-D8414F97.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win7/PING.EXE-B29F6629.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win7/PING.EXE-B29F6629.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win7/WUAUCLT.EXE-830BCC14.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win7/WUAUCLT.EXE-830BCC14.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win8x/CALC.EXE-77FDF17F.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win8x/CALC.EXE-77FDF17F.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win8x/CMD.EXE-4A81B364.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win8x/CMD.EXE-4A81B364.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win8x/CONSENT.EXE-531BD9EA.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win8x/CONSENT.EXE-531BD9EA.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win8x/LIVECOMM.EXE-A134F539.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win8x/LIVECOMM.EXE-A134F539.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win8x/LIVECOMM.EXE-D546E475.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win8x/LIVECOMM.EXE-D546E475.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win8x/NOTEPAD.EXE-D8414F97.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win8x/NOTEPAD.EXE-D8414F97.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win8x/POQEXEC.EXE-69592829.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win8x/POQEXEC.EXE-69592829.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win8x/TASKHOST.EXE-3AE259FC.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win8x/TASKHOST.EXE-3AE259FC.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win8x/WWAHOST.EXE-00A972CA.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win8x/WWAHOST.EXE-00A972CA.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win8x/_CALC.EXE-77FDF17F.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win8x/_CALC.EXE-77FDF17F.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win8x/_CMD.EXE-4A81B364.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win8x/_CMD.EXE-4A81B364.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/Win8x/_NOTEPAD.EXE-D8414F97.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/Win8x/_NOTEPAD.EXE-D8414F97.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/XPPro/CALC.EXE-02CD573A.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/XPPro/CALC.EXE-02CD573A.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/XPPro/CMD.EXE-087B4001.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/XPPro/CMD.EXE-087B4001.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/XPPro/EXPLORER.EXE-082F38A9.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/XPPro/EXPLORER.EXE-082F38A9.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/XPPro/MSIMN.EXE-38BA891D.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/XPPro/MSIMN.EXE-38BA891D.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/XPPro/MSMSGS.EXE-2B6052DE.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/XPPro/MSMSGS.EXE-2B6052DE.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/XPPro/NOTEPAD.EXE-336351A9.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/XPPro/NOTEPAD.EXE-336351A9.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestFiles/XPPro/VERCLSID.EXE-3667BD89.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/Prefetch.Test/TestFiles/XPPro/VERCLSID.EXE-3667BD89.pf
--------------------------------------------------------------------------------
/Prefetch.Test/TestPrefetchMain.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.IO;
4 | using FluentAssertions;
5 | using NUnit.Framework;
6 |
7 | namespace Prefetch.Test;
8 |
9 | [TestFixture]
10 | public class TestPrefetchMain
11 | {
12 | public static string BadPath = @"..\..\TestFiles\Bad";
13 | public static string Win7Path = @"..\..\TestFiles\Win7";
14 | public static string Win10Path = @"..\..\TestFiles\Win10";
15 | public static string WinXpPath = @"..\..\TestFiles\XPPro";
16 | public static string Win8xPath = @"..\..\TestFiles\Win8x";
17 | public static string Win2k3Path = @"..\..\TestFiles\Win2k3";
18 | public static string Win2012Path = @"..\..\TestFiles\Win2012";
19 | public static string WinVistaPath = @"..\..\TestFiles\Vista";
20 | public static string Win2012R2Path = @"..\..\TestFiles\Win2012R2";
21 |
22 | private readonly List _allPaths = new List
23 | {
24 | Win10Path,
25 | WinXpPath,
26 | WinVistaPath,
27 | Win7Path,
28 | Win8xPath,
29 | Win2k3Path,
30 | Win2012Path,
31 | Win2012R2Path
32 | };
33 |
34 |
35 | [Test]
36 | public void InvalidFileShouldThrowException()
37 | {
38 | var badFile = Path.Combine(BadPath, "notAPrefetch.pf");
39 | Action action = () => PrefetchFile.Open(badFile);
40 |
41 |
42 |
43 | action.Should().Throw().WithMessage("Invalid signature! Should be 'SCCA'");
44 | }
45 |
46 | [Test]
47 | public void OneOff()
48 | {
49 | var f = @"C:\Temp\500sru\POWERSHELL.EXE-767FB1AE.pf";
50 |
51 | var ms = new FileStream(f,FileMode.Open,FileAccess.Read);
52 |
53 | var pf = PrefetchFile.Open(ms,"foo");
54 |
55 |
56 | var aa = PrefetchFile.Open(f);
57 |
58 |
59 | pf.RunCount.Should().BeGreaterThan(0);
60 | pf.RunCount.Should().Be(3);
61 |
62 | // pf.Should().NotBe(null);
63 |
64 | }
65 |
66 | [Test]
67 | public void SignatureShouldBeSCCA()
68 | {
69 | foreach (var allPath in _allPaths)
70 | {
71 | foreach (var file in Directory.GetFiles(allPath, "*.pf"))
72 | {
73 | var pf = PrefetchFile.Open(file);
74 |
75 | pf.Should().NotBe(null);
76 |
77 | pf.Filenames.Count.Should().Be(pf.FileMetricsCount);
78 |
79 | pf.VolumeCount.Should().Be(pf.VolumeInformation.Count);
80 |
81 | pf.Header.Signature.Should().Be("SCCA");
82 | }
83 | }
84 | }
85 | }
--------------------------------------------------------------------------------
/Prefetch.Test/TestVersion17.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.IO;
3 | using FluentAssertions;
4 | using NUnit.Framework;
5 |
6 | namespace Prefetch.Test;
7 |
8 | [TestFixture]
9 | public class TestVersion17
10 | {
11 | [Test]
12 | public void Test2k3CmdPfProperties()
13 | {
14 | var file = Path.Combine(TestPrefetchMain.Win2k3Path, @"CMD.EXE-087B4001.pf");
15 | var pf = PrefetchFile.Open(file);
16 |
17 | pf.Header.ExecutableFilename.Should().Be("CMD.EXE");
18 | pf.Header.Hash.Should().Be("87B4001");
19 | pf.Header.FileSize.Should().Be(6002);
20 | pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-15T16: 01:40.8750000-07:00"));
21 | pf.RunCount.Should().Be(3);
22 |
23 | pf.VolumeCount.Should().Be(1);
24 | pf.VolumeInformation[0].DeviceName.Should().Be(@"\DEVICE\HARDDISKVOLUME1");
25 | pf.VolumeInformation[0].SerialNumber.Should().Be("64BB3469");
26 | pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2016-01-15T08:45:15.8906250-07:00"));
27 |
28 | pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(4);
29 | pf.VolumeInformation[0].DirectoryNames[3].Should().Be(@"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\");
30 |
31 | pf.VolumeInformation[0].FileReferences.Count.Should().Be(20);
32 |
33 | pf.Filenames.Count.Should().Be(16);
34 | pf.Filenames[3].Should().Be(@"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LOCALE.NLS");
35 |
36 | pf.VolumeInformation[0].FileReferences[5].MFTEntryNumber.Should().Be((ulong) 250);
37 | pf.VolumeInformation[0].FileReferences[5].MFTSequenceNumber.Should().Be(1);
38 | }
39 |
40 | [Test]
41 | public void TestXPCalcPfProperties()
42 | {
43 | var file = Path.Combine(TestPrefetchMain.WinXpPath, @"CALC.EXE-02CD573A.pf");
44 | var pf = PrefetchFile.Open(file);
45 |
46 | // PrefetchFile.DumpToJson(pf,true,@"D:\temp\out.json");
47 |
48 | pf.Header.ExecutableFilename.Should().Be("CALC.EXE");
49 | pf.Header.Hash.Should().Be("2CD573A");
50 | pf.Header.FileSize.Should().Be(11332);
51 | pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-13T15: 05:51.2812500-07:00"));
52 | pf.RunCount.Should().Be(3);
53 |
54 | pf.VolumeCount.Should().Be(1);
55 | pf.VolumeInformation[0].DeviceName.Should().Be(@"\DEVICE\HARDDISKVOLUME1");
56 | pf.VolumeInformation[0].SerialNumber.Should().Be("E0F7E847");
57 | pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2016-01-13T04:17:18.7187500-07:00"));
58 |
59 | pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(6);
60 | pf.VolumeInformation[0].DirectoryNames[3].Should().Be(@"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\");
61 |
62 | pf.VolumeInformation[0].FileReferences.Count.Should().Be(36);
63 |
64 | pf.Filenames.Count.Should().Be(30);
65 | pf.Filenames[3].Should().Be(@"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LOCALE.NLS");
66 |
67 | pf.VolumeInformation[0].FileReferences[34].MFTEntryNumber.Should().Be((ulong) 126);
68 | pf.VolumeInformation[0].FileReferences[34].MFTSequenceNumber.Should().Be(1);
69 | }
70 |
71 | [Test]
72 | public void Windows2k3ShouldHaveVersionNumber17()
73 | {
74 | foreach (var file in Directory.GetFiles(TestPrefetchMain.Win2k3Path, "*.pf"))
75 | {
76 | var pf = PrefetchFile.Open(file);
77 |
78 | pf.SourceFilename.Should().Be(file);
79 | pf.Header.Version.Should().Be(Version.WinXpOrWin2K3);
80 | }
81 | }
82 |
83 | [Test]
84 | public void WindowsXPShouldHaveVersionNumber17()
85 | {
86 | foreach (var file in Directory.GetFiles(TestPrefetchMain.WinXpPath, "*.pf"))
87 | {
88 | var pf = PrefetchFile.Open(file);
89 |
90 | pf.TotalDirectoryCount.Should().Be(-1);
91 |
92 | pf.SourceFilename.Should().Be(file);
93 | pf.Header.Version.Should().Be(Version.WinXpOrWin2K3);
94 | }
95 | }
96 | }
--------------------------------------------------------------------------------
/Prefetch.Test/TestVersion23.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.IO;
3 | using FluentAssertions;
4 | using NUnit.Framework;
5 |
6 | namespace Prefetch.Test;
7 |
8 | [TestFixture]
9 | public class TestVersion23
10 | {
11 | [Test]
12 | public void TestVistaExplorerPfProperties()
13 | {
14 | var file = Path.Combine(TestPrefetchMain.WinVistaPath, @"EXPLORER.EXE-7A3328DA.pf");
15 | var pf = PrefetchFile.Open(file);
16 |
17 | pf.Header.ExecutableFilename.Should().Be("EXPLORER.EXE");
18 | pf.Header.Hash.Should().Be("7A3328DA");
19 | pf.Header.FileSize.Should().Be(38470);
20 | pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-16T13: 02:00.8326765-07:00"));
21 | pf.RunCount.Should().Be(1);
22 |
23 | pf.VolumeCount.Should().Be(1);
24 | pf.VolumeInformation[0].DeviceName.Should().Be(@"\DEVICE\HARDDISKVOLUME1");
25 | pf.VolumeInformation[0].SerialNumber.Should().Be("E8EAB8B5");
26 | pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2016-01-16T13:53:13.1093750-07:00"));
27 |
28 | pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(13);
29 | pf.VolumeInformation[0].DirectoryNames[3].Should().Be(@"\DEVICE\HARDDISKVOLUME1\USERS\PUBLIC");
30 |
31 | pf.VolumeInformation[0].FileReferences.Count.Should().Be(84);
32 |
33 | pf.Filenames.Count.Should().Be(66);
34 | pf.Filenames[3].Should().Be(@"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\ADVAPI32.DLL");
35 |
36 | pf.VolumeInformation[0].FileReferences[1].MFTEntryNumber.Should().Be((ulong) 352);
37 | pf.VolumeInformation[0].FileReferences[1].MFTSequenceNumber.Should().Be(null);
38 | }
39 |
40 | [Test]
41 | public void TestWin7DCodePfProperties()
42 | {
43 | var file = Path.Combine(TestPrefetchMain.Win7Path, @"DCODEDCODEDCODEDCODEDCODEDCOD-9054DA3F.pf");
44 | var pf = PrefetchFile.Open(file);
45 |
46 | // PrefetchFile.DumpToJson(pf, true, @"D:\temp\win7DCODEDCODEDCODEDCODEDCODEDCOD.json");
47 |
48 | pf.Header.ExecutableFilename.Should().Be("DCODEDCODEDCODEDCODEDCODEDCOD");
49 | pf.Header.Hash.Should().Be("9054DA3F");
50 | pf.Header.FileSize.Should().Be(29746);
51 | pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-22T09: 23:16.3416250-07:00"));
52 | pf.RunCount.Should().Be(5);
53 |
54 | pf.VolumeCount.Should().Be(2);
55 | pf.VolumeInformation[0].DeviceName.Should().Be(@"\DEVICE\HARDDISKVOLUME2");
56 | pf.VolumeInformation[0].SerialNumber.Should().Be("88008C2F");
57 | pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2016-01-16T14:15:18.1093750-07:00"));
58 |
59 | pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(14);
60 | pf.VolumeInformation[0].DirectoryNames[3].Should()
61 | .Be(@"\DEVICE\HARDDISKVOLUME2\USERS\E\APPDATA\LOCAL");
62 |
63 | pf.VolumeInformation[0].FileReferences.Count.Should().Be(63);
64 |
65 | pf.VolumeInformation[1].DeviceName.Should().Be(@"\DEVICE\HARDDISKVOLUME3");
66 | pf.VolumeInformation[1].SerialNumber.Should().Be("E892367F");
67 | pf.VolumeInformation[1].CreationTime.Should().Be(DateTimeOffset.Parse("2016-01-22T09:11:36.5781250-07:00"));
68 |
69 | pf.VolumeInformation[1].DirectoryNames.Count.Should().Be(2);
70 | pf.VolumeInformation[1].DirectoryNames[1].Should()
71 | .Be(@"\DEVICE\HARDDISKVOLUME3\TEMP\222");
72 |
73 | pf.VolumeInformation[1].FileReferences.Count.Should().Be(3);
74 |
75 | pf.Filenames.Count.Should().Be(50);
76 | pf.Filenames[3].Should().Be(@"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WOW64CPU.DLL");
77 |
78 | pf.VolumeInformation[1].FileReferences[1].MFTEntryNumber.Should().Be((ulong)37);
79 | pf.VolumeInformation[1].FileReferences[1].MFTSequenceNumber.Should().Be(1);
80 | }
81 |
82 | [Test]
83 | public void TestWin7CalcPfProperties()
84 | {
85 | var file = Path.Combine(TestPrefetchMain.Win7Path, @"CALC.EXE-77FDF17F.pf");
86 | var pf = PrefetchFile.Open(file);
87 |
88 | //PrefetchFile.DumpToJson(pf, true, @"D:\temp\win7calc.json");
89 |
90 | pf.Header.ExecutableFilename.Should().Be("CALC.EXE");
91 | pf.Header.Hash.Should().Be("77FDF17F");
92 | pf.Header.FileSize.Should().Be(23538);
93 | pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-16T13: 27:01.1967500-07:00"));
94 | pf.RunCount.Should().Be(2);
95 |
96 | pf.VolumeCount.Should().Be(1);
97 | pf.VolumeInformation[0].DeviceName.Should().Be(@"\DEVICE\HARDDISKVOLUME2");
98 | pf.VolumeInformation[0].SerialNumber.Should().Be("88008C2F");
99 | pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2016-01-16T14:15:18.1093750-07:00"));
100 |
101 | pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(8);
102 | pf.VolumeInformation[0].DirectoryNames[3].Should()
103 | .Be(@"\DEVICE\HARDDISKVOLUME2\WINDOWS\GLOBALIZATION\SORTING");
104 |
105 | pf.VolumeInformation[0].FileReferences.Count.Should().Be(45);
106 |
107 | pf.Filenames.Count.Should().Be(37);
108 | pf.Filenames[3].Should().Be(@"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNELBASE.DLL");
109 |
110 | pf.VolumeInformation[0].FileReferences[2].MFTEntryNumber.Should().Be((ulong) 25654);
111 | pf.VolumeInformation[0].FileReferences[2].MFTSequenceNumber.Should().Be(1);
112 | }
113 |
114 | [Test]
115 | public void Windows7ShouldHaveVersionNumber23()
116 | {
117 | foreach (var file in Directory.GetFiles(TestPrefetchMain.Win7Path, "*.pf"))
118 | {
119 | var pf = PrefetchFile.Open(file);
120 |
121 | pf.SourceFilename.Should().Be(file);
122 | pf.Header.Version.Should().Be(Version.VistaOrWin7);
123 | }
124 | }
125 |
126 | [Test]
127 | public void WindowsVistaShouldHaveVersionNumber23()
128 | {
129 | foreach (var file in Directory.GetFiles(TestPrefetchMain.WinVistaPath, "*.pf"))
130 | {
131 | var pf = PrefetchFile.Open(file);
132 |
133 | var totalDirs = 0;
134 | foreach (var volumeInfo in pf.VolumeInformation)
135 | {
136 | totalDirs += volumeInfo.DirectoryNames.Count;
137 | }
138 |
139 | pf.TotalDirectoryCount.Should().Be(totalDirs);
140 |
141 | pf.SourceFilename.Should().Be(file);
142 | pf.Header.Version.Should().Be(Version.VistaOrWin7);
143 | }
144 | }
145 | }
--------------------------------------------------------------------------------
/Prefetch.Test/TestVersion26.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.IO;
3 | using FluentAssertions;
4 | using NUnit.Framework;
5 |
6 | namespace Prefetch.Test;
7 |
8 | [TestFixture]
9 | public class TestVersion26
10 | {
11 | [Test]
12 | public void TestWin2012R2RegEditPfProperties()
13 | {
14 | var file = Path.Combine(TestPrefetchMain.Win2012R2Path, @"NOTEPAD.EXE-D8414F97.pf");
15 | var pf = PrefetchFile.Open(file);
16 |
17 | // PrefetchFile.DumpToJson(pf, true, @"D:\temp\out.json");
18 |
19 | pf.Header.ExecutableFilename.Should().Be("NOTEPAD.EXE");
20 | pf.Header.Hash.Should().Be("D8414F97");
21 | pf.Header.FileSize.Should().Be(15320);
22 | pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-16T14: 40:31.2944718-07:00"));
23 | pf.RunCount.Should().Be(2);
24 |
25 | pf.VolumeCount.Should().Be(1);
26 | pf.VolumeInformation[0].DeviceName.Should().Be(@"\DEVICE\HARDDISKVOLUME2");
27 | pf.VolumeInformation[0].SerialNumber.Should().Be("7450B65F");
28 | pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2016-01-16T15:21:57.7889266-07:00"));
29 |
30 | pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(7);
31 | pf.VolumeInformation[0].DirectoryNames[3].Should()
32 | .Be(@"\DEVICE\HARDDISKVOLUME2\WINDOWS\GLOBALIZATION\SORTING");
33 |
34 | pf.VolumeInformation[0].FileReferences.Count.Should().Be(35);
35 |
36 | pf.Filenames.Count.Should().Be(26);
37 | pf.Filenames[3].Should().Be(@"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\ADVAPI32.DLL");
38 |
39 | //For whatever reason the sequence # is 1 for both of these when looking at the entry # in the MFT using X-Ways
40 | pf.VolumeInformation[0].FileReferences[5].MFTEntryNumber.Should().Be((ulong) 0);
41 | pf.VolumeInformation[0].FileReferences[5].MFTSequenceNumber.Should().Be(null);
42 |
43 | pf.VolumeInformation[0].FileReferences[1].MFTEntryNumber.Should().Be((ulong) 18972);
44 | pf.VolumeInformation[0].FileReferences[1].MFTSequenceNumber.Should().Be(null);
45 | }
46 |
47 | [Test]
48 | public void TestWin2012RegEditPfProperties()
49 | {
50 | var file = Path.Combine(TestPrefetchMain.Win2012Path, @"REGEDIT.EXE-90FEEA06.pf");
51 | var pf = PrefetchFile.Open(file);
52 |
53 | pf.Header.ExecutableFilename.Should().Be("REGEDIT.EXE");
54 | pf.Header.Hash.Should().Be("90FEEA06");
55 | pf.Header.FileSize.Should().Be(22982);
56 | pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-16T14: 36:18.7186980-07:00"));
57 | pf.RunCount.Should().Be(1);
58 |
59 | pf.VolumeCount.Should().Be(1);
60 | pf.VolumeInformation[0].DeviceName.Should().Be(@"\DEVICE\HARDDISKVOLUME2");
61 | pf.VolumeInformation[0].SerialNumber.Should().Be("2E25F20A");
62 | pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2016-01-16T15:20:46.1666157-07:00"));
63 |
64 | pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(12);
65 | pf.VolumeInformation[0].DirectoryNames[3].Should()
66 | .Be(@"\DEVICE\HARDDISKVOLUME2\USERS\ADMINISTRATOR\APPDATA\LOCAL");
67 |
68 | pf.VolumeInformation[0].FileReferences.Count.Should().Be(62);
69 |
70 | pf.Filenames.Count.Should().Be(42);
71 |
72 | //For whatever reason the sequence # is 1 for both of these when looking at the entry #
73 | pf.VolumeInformation[0].FileReferences[5].MFTEntryNumber.Should().Be((ulong) 27324);
74 | pf.VolumeInformation[0].FileReferences[5].MFTSequenceNumber.Should().Be(null);
75 |
76 | pf.VolumeInformation[0].FileReferences[9].MFTEntryNumber.Should().Be((ulong) 29316);
77 | pf.VolumeInformation[0].FileReferences[9].MFTSequenceNumber.Should().Be(null);
78 | }
79 |
80 | [Test]
81 | public void TestWin8ChromePfProperties()
82 | {
83 | var file = Path.Combine(TestPrefetchMain.Win8xPath, @"CALC.EXE-77FDF17F.pf");
84 | var pf = PrefetchFile.Open(file);
85 |
86 | pf.Header.ExecutableFilename.Should().Be("CALC.EXE");
87 | pf.Header.Hash.Should().Be("77FDF17F");
88 | pf.Header.FileSize.Should().Be(22048);
89 | pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-16T14: 10:26.0583417-07:00"));
90 | pf.RunCount.Should().Be(2);
91 |
92 | pf.VolumeCount.Should().Be(1);
93 | pf.VolumeInformation[0].DeviceName.Should().Be(@"\DEVICE\HARDDISKVOLUME2");
94 | pf.VolumeInformation[0].SerialNumber.Should().Be("C6EE7444");
95 | pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2016-01-16T15:04:54.3519546-07:00"));
96 |
97 | pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(7);
98 | pf.VolumeInformation[0].DirectoryNames[3].Should()
99 | .Be(@"\DEVICE\HARDDISKVOLUME2\WINDOWS\GLOBALIZATION\SORTING");
100 |
101 | pf.VolumeInformation[0].FileReferences.Count.Should().Be(46);
102 |
103 | pf.Filenames.Count.Should().Be(37);
104 | pf.Filenames[3].Should().Be(@"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNELBASE.DLL");
105 |
106 | pf.VolumeInformation[0].FileReferences[5].MFTEntryNumber.Should().Be((ulong) 43858);
107 | pf.VolumeInformation[0].FileReferences[5].MFTSequenceNumber.Should().Be(1);
108 |
109 | pf.VolumeInformation[0].FileReferences[9].MFTEntryNumber.Should().Be((ulong) 46917);
110 | pf.VolumeInformation[0].FileReferences[9].MFTSequenceNumber.Should().Be(1);
111 | }
112 |
113 | [Test]
114 | public void TestWin8CmdPfProperties()
115 | {
116 | var file = Path.Combine(TestPrefetchMain.Win8xPath, @"_CMD.EXE-4A81B364.pf");
117 | var pf = PrefetchFile.Open(file);
118 |
119 | pf.Header.ExecutableFilename.Should().Be("CMD.EXE");
120 | pf.Header.Hash.Should().Be("4A81B364");
121 | pf.Header.FileSize.Should().Be(8590);
122 | pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-16T14: 25:41.5341178-07:00"));
123 | pf.RunCount.Should().Be(2);
124 |
125 | pf.VolumeCount.Should().Be(1);
126 | pf.VolumeInformation[0].DeviceName.Should().Be(@"\DEVICE\HARDDISKVOLUME2");
127 | pf.VolumeInformation[0].SerialNumber.Should().Be("A26E529A");
128 | pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2016-01-16T15:15:38.2977678-07:00"));
129 |
130 | pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(8);
131 | pf.VolumeInformation[0].DirectoryNames[3].Should()
132 | .Be(@"\DEVICE\HARDDISKVOLUME2\WINDOWS\BRANDING\BASEBRD\EN-US");
133 |
134 | pf.VolumeInformation[0].FileReferences.Count.Should().Be(20);
135 |
136 | pf.Filenames.Count.Should().Be(12);
137 | pf.Filenames[3].Should().Be(@"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNELBASE.DLL");
138 |
139 | pf.VolumeInformation[0].FileReferences[1].MFTEntryNumber.Should().Be((ulong) 44760);
140 | pf.VolumeInformation[0].FileReferences[1].MFTSequenceNumber.Should().Be(null);
141 | }
142 |
143 | [Test]
144 | public void Windows2012ShouldHaveVersionNumber26()
145 | {
146 | foreach (var file in Directory.GetFiles(TestPrefetchMain.Win2012Path, "*.pf"))
147 | {
148 | var pf = PrefetchFile.Open(file);
149 |
150 | pf.SourceFilename.Should().Be(file);
151 | pf.Header.Version.Should().Be(Version.Win8xOrWin2012x);
152 | }
153 |
154 | foreach (var file in Directory.GetFiles(TestPrefetchMain.Win2012R2Path, "*.pf"))
155 | {
156 | var pf = PrefetchFile.Open(file);
157 |
158 | pf.SourceFilename.Should().Be(file);
159 | pf.Header.Version.Should().Be(Version.Win8xOrWin2012x);
160 | }
161 | }
162 |
163 | [Test]
164 | public void Windows8xShouldHaveVersionNumber26()
165 | {
166 | foreach (var file in Directory.GetFiles(TestPrefetchMain.Win8xPath, "*.pf"))
167 | {
168 | var pf = PrefetchFile.Open(file);
169 |
170 | var totalDirs = 0;
171 | foreach (var volumeInfo in pf.VolumeInformation)
172 | {
173 | totalDirs += volumeInfo.DirectoryNames.Count;
174 | }
175 |
176 | pf.TotalDirectoryCount.Should().Be(totalDirs);
177 |
178 | pf.SourceFilename.Should().Be(file);
179 | pf.Header.Version.Should().Be(Version.Win8xOrWin2012x);
180 | }
181 | }
182 | }
--------------------------------------------------------------------------------
/Prefetch.Test/TestVersion30.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.IO;
3 | using FluentAssertions;
4 | using NUnit.Framework;
5 |
6 | namespace Prefetch.Test;
7 |
8 | [TestFixture]
9 | public class TestVersion30
10 | {
11 | [Test]
12 | public void TestWin10ChromePfProperties()
13 | {
14 | var file = Path.Combine(TestPrefetchMain.Win10Path, @"CHROME.EXE-B3BA7868.pf");
15 | var pf = PrefetchFile.Open(file);
16 |
17 | pf.Header.ExecutableFilename.Should().Be("CHROME.EXE");
18 | pf.Header.Hash.Should().Be("B3BA7868");
19 | pf.Header.FileSize.Should().Be(116042);
20 | pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-13T11: 06:55.3344577-07:00"));
21 | pf.RunCount.Should().Be(20);
22 |
23 | pf.VolumeCount.Should().Be(1);
24 | pf.VolumeInformation[0].DeviceName.Should().Be(@"\VOLUME{01d1217a9c4c6779-8c9f49ec}");
25 | pf.VolumeInformation[0].SerialNumber.Should().Be("8C9F49EC");
26 | pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2015-11-17T13:57:46.2434681-07:00"));
27 |
28 | pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(23);
29 | pf.VolumeInformation[0].DirectoryNames[3].Should()
30 | .Be(@"\VOLUME{01d1217a9c4c6779-8c9f49ec}\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION");
31 |
32 | pf.VolumeInformation[0].FileReferences.Count.Should().Be(284);
33 |
34 | pf.LastRunTimes.Count.Should().Be(8);
35 |
36 | pf.Filenames.Count.Should().Be(282);
37 | pf.Filenames[3].Should().Be(@"\VOLUME{01d1217a9c4c6779-8c9f49ec}\WINDOWS\SYSTEM32\KERNEL32.DLL");
38 |
39 | pf.VolumeInformation[0].FileReferences[5].MFTEntryNumber.Should().Be((ulong) 55125);
40 | pf.VolumeInformation[0].FileReferences[5].MFTSequenceNumber.Should().Be(1);
41 |
42 | pf.VolumeInformation[0].FileReferences[9].MFTEntryNumber.Should().Be((ulong) 117682);
43 | pf.VolumeInformation[0].FileReferences[9].MFTSequenceNumber.Should().Be(2);
44 | }
45 |
46 | [Test]
47 | public void TestWin10DcodeDecodePfProperties()
48 | {
49 | var file = Path.Combine(TestPrefetchMain.Win10Path, @"DCODEDCODEDCODEDCODEDCODEDCOD-E65B9FE8.pf");
50 | var pf = PrefetchFile.Open(file);
51 |
52 | //PrefetchFile.DumpToJson(pf, true, @"D:\temp\DCODEDCODEDCODEDCODEDCODEDCOD.json");
53 |
54 | pf.Header.ExecutableFilename.Should().Be("DCODEDCODEDCODEDCODEDCODEDCOD");
55 | pf.Header.Hash.Should().Be("E65B9FE8");
56 | pf.Header.FileSize.Should().Be(33606);
57 | pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-13T15: 47:25.7480759-07:00"));
58 | pf.RunCount.Should().Be(2);
59 |
60 | pf.VolumeCount.Should().Be(2);
61 | pf.VolumeInformation[0].DeviceName.Should().Be(@"\VOLUME{01d12173f395296c-66f451bc}");
62 | pf.VolumeInformation[0].SerialNumber.Should().Be("66F451BC");
63 | pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2015-11-17T13:10:06.2049644-07:00"));
64 |
65 | pf.VolumeInformation[1].DeviceName.Should().Be(@"\VOLUME{01d1217a9c4c6779-8c9f49ec}");
66 | pf.VolumeInformation[1].SerialNumber.Should().Be("8C9F49EC");
67 | pf.VolumeInformation[1].CreationTime.Should().Be(DateTimeOffset.Parse("2015-11-17T13:57:46.2434681-07:00"));
68 |
69 |
70 | pf.VolumeInformation[1].DirectoryNames.Count.Should().Be(19);
71 |
72 | pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(1);
73 | pf.VolumeInformation[0].DirectoryNames[0].Should()
74 | .Be(@"\VOLUME{01d12173f395296c-66f451bc}\TEMP");
75 |
76 | pf.VolumeInformation[0].FileReferences.Count.Should().Be(2);
77 | pf.VolumeInformation[1].FileReferences.Count.Should().Be(85);
78 |
79 |
80 | pf.Filenames.Count.Should().Be(57);
81 | pf.Filenames[3].Should().Be(@"\VOLUME{01d1217a9c4c6779-8c9f49ec}\WINDOWS\SYSTEM32\KERNEL32.DLL");
82 |
83 | pf.VolumeInformation[1].FileReferences[12].MFTEntryNumber.Should().Be((ulong) 357876);
84 | pf.VolumeInformation[1].FileReferences[12].MFTSequenceNumber.Should().Be(1);
85 |
86 | pf.VolumeInformation[0].FileReferences[1].MFTEntryNumber.Should().Be((ulong) 305846);
87 | pf.VolumeInformation[0].FileReferences[1].MFTSequenceNumber.Should().Be(2);
88 | }
89 |
90 | [Test]
91 | public void TestWin10DevEnvPfProperties()
92 | {
93 | var file = Path.Combine(TestPrefetchMain.Win10Path, @"DEVENV.EXE-854D7862.pf");
94 | var pf = PrefetchFile.Open(file);
95 |
96 | //PrefetchFile.DumpToJson(pf, true, @"D:\temp\DEVENV.json");
97 |
98 | pf.Header.ExecutableFilename.Should().Be("DEVENV.EXE");
99 | pf.Header.Hash.Should().Be("854D7862");
100 | pf.Header.FileSize.Should().Be(380690);
101 | pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-13T09: 50:34.6578416-07:00,"));
102 | pf.RunCount.Should().Be(54);
103 |
104 | pf.VolumeCount.Should().Be(1);
105 | pf.VolumeInformation[0].DeviceName.Should().Be(@"\VOLUME{01d1217a9c4c6779-8c9f49ec}");
106 | pf.VolumeInformation[0].SerialNumber.Should().Be("8C9F49EC");
107 | pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2015-11-17T13:57:46.2434681-07:00"));
108 |
109 | pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(516);
110 | pf.VolumeInformation[0].DirectoryNames[3].Should()
111 | .Be(@"\VOLUME{01d1217a9c4c6779-8c9f49ec}\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\MSENV");
112 |
113 | pf.VolumeInformation[0].FileReferences.Count.Should().Be(681);
114 |
115 | pf.Filenames.Count.Should().Be(403);
116 | pf.Filenames[3].Should()
117 | .Be(
118 | @"\VOLUME{01d1217a9c4c6779-8c9f49ec}\PROGRAM FILES (X86)\MICROSOFT VISUAL STUDIO 14.0\COMMON7\IDE\MICROSOFT.VISUALSTUDIO.ACTIVITIES.DLL");
119 |
120 | pf.VolumeInformation[0].FileReferences[6].MFTEntryNumber.Should().Be((ulong) 148922);
121 | pf.VolumeInformation[0].FileReferences[6].MFTSequenceNumber.Should().Be(1);
122 |
123 | pf.VolumeInformation[0].FileReferences[8].MFTEntryNumber.Should().Be((ulong) 219686);
124 | pf.VolumeInformation[0].FileReferences[8].MFTSequenceNumber.Should().Be(2);
125 | }
126 |
127 | [Test]
128 | public void Windows10ShouldHaveVersionNumber30()
129 | {
130 | foreach (var file in Directory.GetFiles(TestPrefetchMain.Win10Path, "*.pf"))
131 | {
132 | var pf = PrefetchFile.Open(file);
133 |
134 | var totalDirs = 0;
135 | foreach (var volumeInfo in pf.VolumeInformation)
136 | {
137 | totalDirs += volumeInfo.DirectoryNames.Count;
138 | }
139 |
140 | pf.TotalDirectoryCount.Should().Be(totalDirs);
141 |
142 |
143 | pf.SourceFilename.Should().Be(file);
144 | pf.Header.Version.Should().Be(Version.Win10OrWin11);
145 | }
146 | }
147 | }
--------------------------------------------------------------------------------
/Prefetch.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 14
4 | VisualStudioVersion = 14.0.24720.0
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Prefetch", "Prefetch\Prefetch.csproj", "{BCCC1F29-F864-471A-B884-9B0F26CF75E8}"
7 | EndProject
8 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Prefetch.Test", "Prefetch.Test\Prefetch.Test.csproj", "{67237A19-D85C-42DE-9C52-80F5C0961275}"
9 | EndProject
10 | Global
11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | Debug|Any CPU = Debug|Any CPU
13 | Release|Any CPU = Release|Any CPU
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {BCCC1F29-F864-471A-B884-9B0F26CF75E8}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
17 | {BCCC1F29-F864-471A-B884-9B0F26CF75E8}.Debug|Any CPU.Build.0 = Debug|Any CPU
18 | {BCCC1F29-F864-471A-B884-9B0F26CF75E8}.Release|Any CPU.ActiveCfg = Release|Any CPU
19 | {BCCC1F29-F864-471A-B884-9B0F26CF75E8}.Release|Any CPU.Build.0 = Release|Any CPU
20 | {67237A19-D85C-42DE-9C52-80F5C0961275}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
21 | {67237A19-D85C-42DE-9C52-80F5C0961275}.Debug|Any CPU.Build.0 = Debug|Any CPU
22 | {67237A19-D85C-42DE-9C52-80F5C0961275}.Release|Any CPU.ActiveCfg = Release|Any CPU
23 | {67237A19-D85C-42DE-9C52-80F5C0961275}.Release|Any CPU.Build.0 = Release|Any CPU
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | EndGlobal
29 |
--------------------------------------------------------------------------------
/Prefetch/IPrefetch.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.ComponentModel;
4 | using Prefetch.Other;
5 |
6 | namespace Prefetch;
7 |
8 | public enum Version
9 | {
10 | [Description("Windows XP or Windows Server 2003")]
11 | WinXpOrWin2K3 = 17,
12 | [Description("Windows Vista or Windows 7")]
13 | VistaOrWin7 = 23,
14 | [Description("Windows 8.0, Windows 8.1, or Windows Server 2012(R2)")]
15 | Win8xOrWin2012x = 26,
16 | [Description("Windows 10 or Windows 11")]
17 | Win10OrWin11 = 30,
18 | [Description("Windows 11")]
19 | Win11 = 31
20 | }
21 |
22 | public interface IPrefetch
23 | {
24 |
25 | byte[] RawBytes { get; }
26 | string SourceFilename { get; }
27 | DateTimeOffset SourceCreatedOn { get; }
28 | DateTimeOffset SourceModifiedOn { get; }
29 | DateTimeOffset SourceAccessedOn { get; }
30 |
31 | Header Header { get; }
32 |
33 | int FileMetricsOffset { get; }
34 |
35 | int FileMetricsCount { get; }
36 |
37 | int TraceChainsOffset { get; }
38 |
39 | int TraceChainsCount { get; }
40 |
41 | int FilenameStringsOffset { get; }
42 |
43 | int FilenameStringsSize { get; }
44 |
45 | int VolumesInfoOffset { get; }
46 |
47 | int VolumeCount { get; }
48 |
49 | int VolumesInfoSize { get; }
50 |
51 | int TotalDirectoryCount { get; }
52 |
53 | List LastRunTimes { get; }
54 | List VolumeInformation { get; }
55 |
56 | int RunCount { get; }
57 |
58 | bool ParsingError { get; }
59 |
60 |
61 | List Filenames { get; }
62 |
63 | List FileMetrics { get; }
64 |
65 | List TraceChains { get; }
66 | }
--------------------------------------------------------------------------------
/Prefetch/Other/FileMetric.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Linq;
3 |
4 | namespace Prefetch.Other;
5 |
6 | public class FileMetric
7 | {
8 | public FileMetric(byte[] rawBytes, bool ver17)
9 | {
10 | if (ver17)
11 | {
12 | Unknown0 = BitConverter.ToInt32(rawBytes, 0);
13 | Unknown1 = BitConverter.ToInt32(rawBytes, 4);
14 |
15 | FilenameStringOffset = BitConverter.ToInt32(rawBytes, 8);
16 | FilenameStringSize = BitConverter.ToInt32(rawBytes, 12);
17 |
18 | Unknown2 = BitConverter.ToInt32(rawBytes, 16);
19 | }
20 | else
21 | {
22 | Unknown0 = BitConverter.ToInt32(rawBytes, 0);
23 | Unknown1 = BitConverter.ToInt32(rawBytes, 4);
24 | Unknown2 = BitConverter.ToInt32(rawBytes, 8);
25 |
26 | FilenameStringOffset = BitConverter.ToInt32(rawBytes, 12);
27 | FilenameStringSize = BitConverter.ToInt32(rawBytes, 16);
28 |
29 | Unknown3 = BitConverter.ToInt32(rawBytes, 20);
30 |
31 | MFTInfo = new MFTInformation(rawBytes.Skip(24).Take(8).ToArray());
32 | }
33 | }
34 |
35 | public int Unknown0 { get; }
36 | public int Unknown1 { get; }
37 | public int FilenameStringOffset { get; }
38 | public int FilenameStringSize { get; }
39 | public int Unknown2 { get; }
40 | public int Unknown3 { get; }
41 | public MFTInformation MFTInfo { get; }
42 |
43 | public override string ToString()
44 | {
45 | return $"Filename offset: 0x{FilenameStringOffset:X}, Size: {FilenameStringSize}, MFT: {MFTInfo}";
46 | }
47 | }
--------------------------------------------------------------------------------
/Prefetch/Other/Header.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Text;
3 |
4 | namespace Prefetch.Other;
5 |
6 | public class Header
7 | {
8 | public Header(byte[] rawBytes)
9 | {
10 | var index = 0;
11 |
12 | var ver = BitConverter.ToInt32(rawBytes, 0);
13 |
14 | switch (ver)
15 | {
16 | case (int) Version.WinXpOrWin2K3:
17 | Version = Version.WinXpOrWin2K3;
18 | break;
19 | case (int) Version.VistaOrWin7:
20 | Version = Version.VistaOrWin7;
21 | break;
22 | case (int) Version.Win8xOrWin2012x:
23 | Version = Version.Win8xOrWin2012x;
24 | break;
25 | case (int) Version.Win10OrWin11:
26 | Version = Version.Win10OrWin11;
27 | break;
28 | }
29 |
30 | index += 4; //version
31 |
32 | Signature = Encoding.ASCII.GetString(rawBytes, index, 4);
33 |
34 | index += 4; //signature
35 | index += 4; //unknown
36 |
37 | FileSize = BitConverter.ToInt32(rawBytes, index);
38 | index += 4;
39 |
40 | var tempName = Encoding.Unicode.GetString(rawBytes, index, 60);
41 | ExecutableFilename = tempName.Substring(0, tempName.IndexOf('\0')).Trim();
42 |
43 | index += 60;
44 |
45 | Hash = BitConverter.ToInt32(rawBytes, index).ToString("X");
46 | }
47 |
48 | public Version Version { get; }
49 | public string Signature { get; }
50 |
51 | public int FileSize { get; }
52 |
53 | public string ExecutableFilename { get; }
54 |
55 | public string Hash { get; }
56 |
57 | public override string ToString()
58 | {
59 | return
60 | $"Version: {Version}, Sig: {Signature}, File size: {FileSize}, Executable name: {ExecutableFilename}, Hash: {Hash}";
61 | }
62 | }
--------------------------------------------------------------------------------
/Prefetch/Other/MFTInformation.cs:
--------------------------------------------------------------------------------
1 | using System;
2 |
3 | namespace Prefetch.Other;
4 |
5 | public class MFTInformation
6 | {
7 | public MFTInformation()
8 | {
9 | }
10 |
11 | public MFTInformation(byte[] rawMFTInfo)
12 | {
13 | if (rawMFTInfo.Length != 8)
14 | {
15 | throw new ArgumentException("rawMFTInfo must be 8 bytes long!");
16 | }
17 |
18 | var sequenceNumber = BitConverter.ToUInt16(rawMFTInfo, 6);
19 |
20 | ulong entryIndex = 0;
21 |
22 | ulong entryIndex1 = BitConverter.ToUInt32(rawMFTInfo, 0);
23 | ulong entryIndex2 = BitConverter.ToUInt16(rawMFTInfo, 4);
24 |
25 | if (entryIndex2 == 0)
26 | {
27 | entryIndex = entryIndex1;
28 | }
29 | else
30 | {
31 | entryIndex2 *= 16777216; //2^24
32 | entryIndex = entryIndex1 + entryIndex2;
33 | }
34 |
35 | MFTEntryNumber = entryIndex;
36 | MFTSequenceNumber = sequenceNumber;
37 |
38 | if (sequenceNumber == 0)
39 | {
40 | MFTSequenceNumber = null;
41 | }
42 |
43 |
44 | }
45 |
46 | public ulong? MFTEntryNumber { get; set; }
47 |
48 | public int? MFTSequenceNumber { get; set; }
49 |
50 |
51 | public override string ToString()
52 | {
53 | return $"Entry: {MFTEntryNumber}, Seq: {MFTSequenceNumber}";
54 | }
55 | }
--------------------------------------------------------------------------------
/Prefetch/Other/TraceChain.cs:
--------------------------------------------------------------------------------
1 | using System;
2 |
3 | namespace Prefetch.Other;
4 |
5 | public class TraceChain
6 | {
7 | public TraceChain(byte[] rawBytes, bool ver30)
8 | {
9 | if (ver30)
10 | {
11 | TotalBlockLoadCount = BitConverter.ToInt32(rawBytes, 0);
12 | Unknown0 = rawBytes[4];
13 | Unknown1 = rawBytes[5];
14 | Unknown2 = BitConverter.ToInt16(rawBytes, 6);
15 | }
16 | else
17 | {
18 | NextArrayEntryIndex = BitConverter.ToInt32(rawBytes, 0);
19 | TotalBlockLoadCount = BitConverter.ToInt32(rawBytes, 4);
20 | Unknown0 = rawBytes[8];
21 | Unknown1 = rawBytes[9];
22 | Unknown2 = BitConverter.ToInt16(rawBytes, 10);
23 | }
24 | }
25 |
26 | public int NextArrayEntryIndex { get; }
27 | public int TotalBlockLoadCount { get; }
28 | public byte Unknown0 { get; }
29 | public byte Unknown1 { get; }
30 | public short Unknown2 { get; }
31 |
32 | public override string ToString()
33 | {
34 | return $"Next index: {NextArrayEntryIndex}, Total block load count: {TotalBlockLoadCount}";
35 | }
36 | }
--------------------------------------------------------------------------------
/Prefetch/Other/VolumeInfo.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 |
4 | namespace Prefetch.Other;
5 |
6 | public class VolumeInfo
7 | {
8 | public VolumeInfo(int offset, DateTimeOffset createdOn, string serialNum, string deviceName)
9 | {
10 | DeviceOffset = offset;
11 | CreationTime = createdOn;
12 | SerialNumber = serialNum;
13 | DeviceName = deviceName;
14 |
15 | FileReferences = new List();
16 | DirectoryNames = new List();
17 | }
18 |
19 | public int DeviceOffset { get; }
20 | public DateTimeOffset CreationTime { get; }
21 | public string SerialNumber { get; }
22 | public string DeviceName { get; }
23 |
24 | public List FileReferences { get; }
25 |
26 | public List DirectoryNames { get; }
27 | }
--------------------------------------------------------------------------------
/Prefetch/Prefetch.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 | netstandard2.0
4 | MIT
5 | Eric Zimmerman
6 | Eric Zimmerman
7 | 10
8 | Prefetch
9 | Windows Prefetch parser. Supports all known versions from Windows XP to Windows 11
10 | Eric Zimmerman
11 | https://github.com/EricZimmerman/Prefetch
12 | https://github.com/EricZimmerman/Prefetch
13 | Windows Prefetch
14 | true
15 | 1.3.0
16 |
17 | pf, prefetch
18 | README.md
19 | icon.png
20 | True
21 |
22 | $(NoWarn);CS1591
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 | all
31 | runtime; build; native; contentfiles; analyzers; buildtransitive
32 |
33 |
34 | all
35 | runtime; build; native; contentfiles; analyzers; buildtransitive
36 |
37 |
38 |
--------------------------------------------------------------------------------
/Prefetch/PrefetchFile.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Diagnostics;
3 | using System.IO;
4 | using System.Linq;
5 | using System.Text;
6 | using Prefetch.Versions;
7 | using Prefetch.XpressStream;
8 | using Serilog;
9 |
10 |
11 | namespace Prefetch;
12 |
13 | public class PrefetchFile
14 | {
15 | private const int Signature = 0x41434353;
16 |
17 | public static void SavePrefetch(string file, IPrefetch pf)
18 | {
19 | Log.Debug("Writing raw bytes to {File}",file);
20 | File.WriteAllBytes(file, pf.RawBytes);
21 | }
22 |
23 | public static IPrefetch Open(Stream stream, string file)
24 | {
25 | IPrefetch pf = null;
26 |
27 | var rawBytes = new byte[stream.Length];
28 | stream.Read(rawBytes, (int) 0, (int) (rawBytes.Length));
29 |
30 | var tempSig = Encoding.ASCII.GetString(rawBytes, 0, 3);
31 |
32 | if (tempSig.Equals("MAM"))
33 | {
34 | //windows 10/11, so we need to decompress
35 | Log.Debug("Found Windows 1x prefetch file. Decompressing",file);
36 |
37 | //Size of decompressed data is at offset 4
38 | var size = BitConverter.ToUInt32(rawBytes, 4);
39 |
40 | //get our compressed bytes (skipping signature and uncompressed size)
41 | var compressedBytes = rawBytes.Skip(8).ToArray();
42 | var decom = Xpress2.Decompress(compressedBytes, size);
43 |
44 | //update rawBytes with decompressed bytes so the rest works
45 | rawBytes = decom;
46 | }
47 |
48 | //at this point we have prefetch bytes we can process
49 |
50 | var fileVer = (Version) BitConverter.ToInt32(rawBytes, 0);
51 |
52 | var sig = BitConverter.ToInt32(rawBytes, 4);
53 |
54 | if (sig != Signature)
55 | {
56 | throw new Exception("Invalid signature! Should be 'SCCA'");
57 | }
58 |
59 | switch (fileVer)
60 | {
61 | case Version.WinXpOrWin2K3:
62 | pf = new Version17(rawBytes, file);
63 | break;
64 | case Version.VistaOrWin7:
65 | pf = new Version23(rawBytes, file);
66 | break;
67 | case Version.Win8xOrWin2012x:
68 | pf = new Version26(rawBytes, file);
69 | break;
70 | case Version.Win10OrWin11:
71 | pf = new Version30or31(rawBytes, file);
72 | break;
73 | case Version.Win11:
74 | pf = new Version30or31(rawBytes, file);
75 | break;
76 | default:
77 | throw new Exception($"Unknown version '{fileVer:X}'");
78 | }
79 |
80 | return pf;
81 | }
82 |
83 | public static IPrefetch Open(string file)
84 | {
85 | Log.Debug("Opening {File}",file);
86 | using var fs = new FileStream(file,FileMode.Open,FileAccess.Read);
87 | return Open(fs,file);
88 | }
89 | }
--------------------------------------------------------------------------------
/Prefetch/Versions/Version17.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.IO;
4 | using System.Linq;
5 | using System.Text;
6 | using Prefetch.Other;
7 | using Serilog;
8 |
9 | namespace Prefetch.Versions;
10 |
11 | public class Version17 : IPrefetch
12 | {
13 | public Version17(byte[] rawBytes, string sourceFilename)
14 | {
15 | SourceFilename = sourceFilename;
16 |
17 | RawBytes = rawBytes;
18 |
19 | try
20 | {
21 |
22 | var headerBytes = new byte[84];
23 | Buffer.BlockCopy(rawBytes, 0, headerBytes, 0, 84);
24 |
25 | Header = new Header(headerBytes);
26 |
27 | try
28 | {
29 | var fi = new FileInfo(sourceFilename);
30 | SourceCreatedOn = new DateTimeOffset(fi.CreationTimeUtc);
31 | SourceModifiedOn = new DateTimeOffset(fi.LastWriteTimeUtc);
32 | SourceAccessedOn = new DateTimeOffset(fi.LastAccessTimeUtc);
33 | }
34 | catch (Exception )
35 | {
36 |
37 | }
38 |
39 | var fileInfoBytes = new byte[68];
40 | Buffer.BlockCopy(rawBytes, 84, fileInfoBytes, 0, 68);
41 |
42 | FileMetricsOffset = BitConverter.ToInt32(fileInfoBytes, 0);
43 | FileMetricsCount = BitConverter.ToInt32(fileInfoBytes, 4);
44 |
45 | TraceChainsOffset = BitConverter.ToInt32(fileInfoBytes, 8);
46 | TraceChainsCount = BitConverter.ToInt32(fileInfoBytes, 12);
47 |
48 | FilenameStringsOffset = BitConverter.ToInt32(fileInfoBytes, 16);
49 | FilenameStringsSize = BitConverter.ToInt32(fileInfoBytes, 20);
50 |
51 | VolumesInfoOffset = BitConverter.ToInt32(fileInfoBytes, 24);
52 | VolumeCount = BitConverter.ToInt32(fileInfoBytes, 28);
53 |
54 | VolumesInfoSize = BitConverter.ToInt32(fileInfoBytes, 32);
55 |
56 | var rawTime = BitConverter.ToInt64(fileInfoBytes, 36);
57 |
58 | LastRunTimes = new List();
59 |
60 | LastRunTimes.Add(DateTimeOffset.FromFileTime(rawTime).ToUniversalTime());
61 |
62 | TotalDirectoryCount = -1;
63 |
64 | RunCount = BitConverter.ToInt32(fileInfoBytes, 60);
65 |
66 | var fileMetricsBytes = new byte[FileMetricsCount * 20];
67 | Buffer.BlockCopy(rawBytes, FileMetricsOffset, fileMetricsBytes, 0, FileMetricsCount * 20);
68 | var tempIndex = 0;
69 |
70 | FileMetrics = new List();
71 |
72 | var fileMetricsTempBuffer = new byte[20];
73 | while (tempIndex < fileMetricsBytes.Length)
74 | {
75 | Buffer.BlockCopy(fileMetricsBytes, tempIndex, fileMetricsTempBuffer, 0, 20);
76 | FileMetrics.Add(new FileMetric(fileMetricsTempBuffer, true));
77 | tempIndex += 20;
78 | }
79 |
80 | TraceChains = new List();
81 |
82 | var traceChainBytes = new byte[12 * TraceChainsCount];
83 | Buffer.BlockCopy(rawBytes, TraceChainsOffset, traceChainBytes, 0, 12 * TraceChainsCount);
84 | var traceIndex = 0;
85 | var traceChainTempBuffer = new byte[12];
86 | while (traceIndex < traceChainBytes.Length)
87 | {
88 | Buffer.BlockCopy(traceChainBytes, traceIndex, traceChainTempBuffer, 0, 12);
89 | TraceChains.Add(new TraceChain(traceChainTempBuffer, false));
90 | traceIndex += 12;
91 | }
92 |
93 | var filenameStringsBytes = new byte[FilenameStringsSize];
94 | Buffer.BlockCopy(rawBytes, FilenameStringsOffset, filenameStringsBytes, 0, FilenameStringsSize);
95 |
96 | var filenamesRaw = Encoding.Unicode.GetString(filenameStringsBytes);
97 | var fileNames = filenamesRaw.Split(new[] {'\0'}, StringSplitOptions.RemoveEmptyEntries);
98 |
99 | Filenames = new List();
100 |
101 | Filenames.AddRange(fileNames);
102 |
103 | var volumeInfoBytes = new byte[VolumesInfoSize];
104 | Buffer.BlockCopy(rawBytes, VolumesInfoOffset, volumeInfoBytes, 0, VolumesInfoSize);
105 |
106 | VolumeInformation = new List();
107 |
108 | var volBytes = new byte[40];
109 | for (var j = 0; j < VolumeCount; j++)
110 | {
111 | var skipSize = j*40;
112 | Buffer.BlockCopy(volumeInfoBytes, skipSize, volBytes, 0, 40);
113 |
114 | var volDevOffset = BitConverter.ToInt32(volBytes, 0);
115 | var volDevNumChar = BitConverter.ToInt32(volBytes, 4);
116 |
117 | var ct = BitConverter.ToInt64(volBytes, 8);
118 |
119 | var devNameBytes = new byte[volDevNumChar * 2];
120 | Buffer.BlockCopy(rawBytes, VolumesInfoOffset + volDevOffset, devNameBytes, 0, volDevNumChar * 2);
121 | var devName = Encoding.Unicode.GetString(devNameBytes);
122 |
123 | var sn = BitConverter.ToInt32(volBytes, 16).ToString("X");
124 |
125 | VolumeInformation.Add(new VolumeInfo(volDevOffset, DateTimeOffset.FromFileTime(ct).ToUniversalTime(), sn, devName));
126 |
127 | var fileRefOffset = BitConverter.ToInt32(volBytes, 20);
128 | var fileRefSize = BitConverter.ToInt32(volBytes, 24);
129 |
130 | var dirStringsOffset = BitConverter.ToInt32(volBytes, 28);
131 | var numDirectoryStrings = BitConverter.ToInt32(volBytes, 32);
132 |
133 | //filerefs are at VolumesInfoOffset + fileRefOffset
134 | var fileRefsIndex = VolumesInfoOffset + fileRefOffset;
135 | var fileRefBytes = new byte[fileRefSize];
136 | Buffer.BlockCopy(rawBytes, fileRefsIndex, fileRefBytes, 0, fileRefSize);
137 |
138 | var fileRefVer = BitConverter.ToInt32(fileRefBytes, 0);
139 | var numFileRefs = BitConverter.ToInt32(fileRefBytes, 4);
140 |
141 | tempIndex = 8;
142 |
143 | var tempFileRefBytes = new byte[8];
144 | while (tempIndex < fileRefBytes.Length && VolumeInformation.Last().FileReferences.Count < numFileRefs)
145 | {
146 | Buffer.BlockCopy(fileRefBytes, tempIndex, tempFileRefBytes, 0, 8);
147 | VolumeInformation.Last()
148 | .FileReferences.Add(new MFTInformation(tempFileRefBytes));
149 | tempIndex += 8;
150 | }
151 |
152 | var dirStringsIndex = VolumesInfoOffset + dirStringsOffset;
153 | var dirStringsBytes = new byte[rawBytes.Length - dirStringsIndex];
154 | Buffer.BlockCopy(rawBytes, dirStringsIndex, dirStringsBytes, 0, rawBytes.Length - dirStringsIndex);
155 |
156 | tempIndex = 0;
157 | for (var k = 0; k < numDirectoryStrings; k++)
158 | {
159 | var dirCharCount = BitConverter.ToInt16(dirStringsBytes, tempIndex)*2 + 2;
160 | // double the count since its Unicode and add 2 extra for null char
161 | tempIndex += 2;
162 | var dirName = Encoding.Unicode.GetString(dirStringsBytes, tempIndex, dirCharCount).Trim('\0');
163 | VolumeInformation.Last().DirectoryNames.Add(dirName);
164 |
165 | tempIndex += dirCharCount;
166 | }
167 | }
168 | }
169 | catch (Exception ex)
170 | {
171 | Log.Error(ex,"Error processing {File}. Message: {Message}",sourceFilename,ex.Message);
172 | ParsingError = true;
173 | }
174 |
175 | }
176 |
177 |
178 |
179 | public byte[] RawBytes { get; }
180 |
181 | public string SourceFilename { get; }
182 | public DateTimeOffset SourceCreatedOn { get; }
183 | public DateTimeOffset SourceModifiedOn { get; }
184 | public DateTimeOffset SourceAccessedOn { get; }
185 | public Header Header { get; }
186 |
187 | public int FileMetricsOffset { get; }
188 | public int FileMetricsCount { get; }
189 | public int TraceChainsOffset { get; }
190 | public int TraceChainsCount { get; }
191 | public int FilenameStringsOffset { get; }
192 | public int FilenameStringsSize { get; }
193 | public int VolumesInfoOffset { get; }
194 | public int VolumeCount { get; }
195 | public int VolumesInfoSize { get; }
196 | public int TotalDirectoryCount { get; }
197 | public List LastRunTimes { get; }
198 | public List VolumeInformation { get; }
199 | public int RunCount { get; }
200 | public List Filenames { get; }
201 | public bool ParsingError { get; }
202 | public List FileMetrics { get; }
203 | public List TraceChains { get; }
204 | }
--------------------------------------------------------------------------------
/Prefetch/Versions/Version23.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.IO;
4 | using System.Linq;
5 | using System.Text;
6 | using Prefetch.Other;
7 | using Serilog;
8 |
9 | namespace Prefetch.Versions;
10 |
11 | public class Version23 : IPrefetch
12 | {
13 | public Version23(byte[] rawBytes, string sourceFilename)
14 | {
15 | SourceFilename = sourceFilename;
16 |
17 | RawBytes = rawBytes;
18 |
19 | try
20 | {
21 |
22 | var headerBytes = new byte[84];
23 | Buffer.BlockCopy(rawBytes, 0, headerBytes, 0, 84);
24 |
25 | Header = new Header(headerBytes);
26 |
27 | try
28 | {
29 | var fi = new FileInfo(sourceFilename);
30 | SourceCreatedOn = new DateTimeOffset(fi.CreationTimeUtc);
31 | SourceModifiedOn = new DateTimeOffset(fi.LastWriteTimeUtc);
32 | SourceAccessedOn = new DateTimeOffset(fi.LastAccessTimeUtc);
33 | }
34 | catch (Exception )
35 | {
36 |
37 | }
38 |
39 | var fileInfoBytes = new byte[156];
40 | Buffer.BlockCopy(rawBytes, 84, fileInfoBytes, 0, 156);
41 |
42 | FileMetricsOffset = BitConverter.ToInt32(fileInfoBytes, 0);
43 | FileMetricsCount = BitConverter.ToInt32(fileInfoBytes, 4);
44 |
45 | TraceChainsOffset = BitConverter.ToInt32(fileInfoBytes, 8);
46 | TraceChainsCount = BitConverter.ToInt32(fileInfoBytes, 12);
47 |
48 | FilenameStringsOffset = BitConverter.ToInt32(fileInfoBytes, 16);
49 | FilenameStringsSize = BitConverter.ToInt32(fileInfoBytes, 20);
50 |
51 | VolumesInfoOffset = BitConverter.ToInt32(fileInfoBytes, 24);
52 | VolumeCount = BitConverter.ToInt32(fileInfoBytes, 28);
53 |
54 | VolumesInfoSize = BitConverter.ToInt32(fileInfoBytes, 32);
55 |
56 | //at offset 36 there are 8 unknown bytes
57 | TotalDirectoryCount = BitConverter.ToInt32(fileInfoBytes, 36);
58 |
59 | var rawTime = BitConverter.ToInt64(fileInfoBytes, 44);
60 |
61 | LastRunTimes = new List();
62 |
63 | LastRunTimes.Add(DateTimeOffset.FromFileTime(rawTime).ToUniversalTime());
64 |
65 | //at offset 52 there are 16 unknown bytes
66 |
67 | RunCount = BitConverter.ToInt32(fileInfoBytes, 68);
68 |
69 | //at offset 72, there are 4 unknown bytes
70 | //at offset 76, there are 80 unknown bytes
71 |
72 | var fileMetricsBytes = new byte[FileMetricsCount * 32];
73 | Buffer.BlockCopy(rawBytes, FileMetricsOffset, fileMetricsBytes, 0, FileMetricsCount * 32);
74 | var tempIndex = 0;
75 |
76 | FileMetrics = new List();
77 |
78 | var fileMetricsTempBuffer = new byte[32];
79 | while (tempIndex < fileMetricsBytes.Length)
80 | {
81 | Buffer.BlockCopy(fileMetricsBytes, tempIndex, fileMetricsTempBuffer, 0, 32);
82 | FileMetrics.Add(new FileMetric(fileMetricsTempBuffer, false));
83 | tempIndex += 32;
84 | }
85 |
86 | TraceChains = new List();
87 |
88 | var traceChainBytes = new byte[12 * TraceChainsCount];
89 | Buffer.BlockCopy(rawBytes, TraceChainsOffset, traceChainBytes, 0, 12 * TraceChainsCount);
90 | var traceIndex = 0;
91 | var traceChainTempBuffer = new byte[12];
92 | while (traceIndex < traceChainBytes.Length)
93 | {
94 | Buffer.BlockCopy(traceChainBytes, traceIndex, traceChainTempBuffer, 0, 12);
95 | TraceChains.Add(new TraceChain(traceChainTempBuffer, false));
96 | traceIndex += 12;
97 | }
98 |
99 | var filenameStringsBytes = new byte[FilenameStringsSize];
100 | Buffer.BlockCopy(rawBytes, FilenameStringsOffset, filenameStringsBytes, 0, FilenameStringsSize);
101 |
102 | var filenamesRaw = Encoding.Unicode.GetString(filenameStringsBytes);
103 | var fileNames = filenamesRaw.Split(new[] {'\0'}, StringSplitOptions.RemoveEmptyEntries);
104 |
105 | Filenames = new List();
106 |
107 | Filenames.AddRange(fileNames);
108 |
109 | var volumeInfoBytes = new byte[VolumesInfoSize];
110 | Buffer.BlockCopy(rawBytes, VolumesInfoOffset, volumeInfoBytes, 0, VolumesInfoSize);
111 |
112 | VolumeInformation = new List();
113 |
114 | var volBytes = new byte[104];
115 | for (var j = 0; j < VolumeCount; j++)
116 | {
117 | var skipSize = j*104;
118 | Buffer.BlockCopy(volumeInfoBytes, skipSize, volBytes, 0, 104);
119 |
120 | var volDevOffset = BitConverter.ToInt32(volBytes, 0);
121 | var volDevNumChar = BitConverter.ToInt32(volBytes, 4);
122 |
123 | var ct = BitConverter.ToInt64(volBytes, 8);
124 |
125 | var devNameBytes = new byte[volDevNumChar * 2];
126 | Buffer.BlockCopy(rawBytes, VolumesInfoOffset + volDevOffset, devNameBytes, 0, volDevNumChar * 2);
127 | var devName = Encoding.Unicode.GetString(devNameBytes);
128 |
129 | var sn = BitConverter.ToInt32(volBytes, 16).ToString("X");
130 |
131 | VolumeInformation.Add(new VolumeInfo(volDevOffset, DateTimeOffset.FromFileTime(ct).ToUniversalTime(), sn, devName));
132 |
133 | var fileRefOffset = BitConverter.ToInt32(volBytes, 20);
134 | var fileRefSize = BitConverter.ToInt32(volBytes, 24);
135 |
136 | var dirStringsOffset = BitConverter.ToInt32(volBytes, 28);
137 | var numDirectoryStrings = BitConverter.ToInt32(volBytes, 32);
138 |
139 | //filerefs are at VolumesInfoOffset + fileRefOffset
140 | var fileRefsIndex = VolumesInfoOffset + fileRefOffset;
141 | var fileRefBytes = new byte[fileRefSize];
142 | Buffer.BlockCopy(rawBytes, fileRefsIndex, fileRefBytes, 0, fileRefSize);
143 |
144 | var fileRefVer = BitConverter.ToInt32(fileRefBytes, 0);
145 | var numFileRefs = BitConverter.ToInt32(fileRefBytes, 4);
146 |
147 | tempIndex = 8;
148 |
149 | var tempFileRefBytes = new byte[8];
150 | while (tempIndex < fileRefBytes.Length && VolumeInformation.Last().FileReferences.Count < numFileRefs)
151 | {
152 | Buffer.BlockCopy(fileRefBytes, tempIndex, tempFileRefBytes, 0, 8);
153 | VolumeInformation.Last()
154 | .FileReferences.Add(new MFTInformation(tempFileRefBytes));
155 | tempIndex += 8;
156 | }
157 |
158 | var dirStringsIndex = VolumesInfoOffset + dirStringsOffset;
159 | var dirStringsBytes = new byte[rawBytes.Length - dirStringsIndex];
160 | Buffer.BlockCopy(rawBytes, dirStringsIndex, dirStringsBytes, 0, rawBytes.Length - dirStringsIndex);
161 |
162 | tempIndex = 0;
163 | for (var k = 0; k < numDirectoryStrings; k++)
164 | {
165 | var dirCharCount = BitConverter.ToInt16(dirStringsBytes, tempIndex)*2 + 2;
166 | // double the count since its Unicode and add 2 extra for null char
167 | tempIndex += 2;
168 | var dirName = Encoding.Unicode.GetString(dirStringsBytes, tempIndex, dirCharCount).Trim('\0');
169 | VolumeInformation.Last().DirectoryNames.Add(dirName);
170 |
171 | tempIndex += dirCharCount;
172 | }
173 | }
174 | }
175 | catch (Exception ex)
176 | {
177 | Log.Error(ex,"Error processing {File}. Message: {Message}",sourceFilename,ex.Message);
178 | ParsingError = true;
179 | }
180 |
181 | }
182 |
183 |
184 | public byte[] RawBytes { get; }
185 |
186 | public string SourceFilename { get; }
187 | public DateTimeOffset SourceCreatedOn { get; }
188 | public DateTimeOffset SourceModifiedOn { get; }
189 | public DateTimeOffset SourceAccessedOn { get; }
190 | public Header Header { get; }
191 |
192 | public int FileMetricsOffset { get; }
193 | public int FileMetricsCount { get; }
194 | public int TraceChainsOffset { get; }
195 | public int TraceChainsCount { get; }
196 | public int FilenameStringsOffset { get; }
197 | public int FilenameStringsSize { get; }
198 | public int VolumesInfoOffset { get; }
199 | public int VolumeCount { get; }
200 | public int VolumesInfoSize { get; }
201 | public int TotalDirectoryCount { get; }
202 | public List LastRunTimes { get; }
203 | public List VolumeInformation { get; }
204 | public int RunCount { get; }
205 | public List Filenames { get; }
206 | public bool ParsingError { get; }
207 | public List FileMetrics { get; }
208 | public List TraceChains { get; }
209 | }
--------------------------------------------------------------------------------
/Prefetch/Versions/Version26.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.IO;
4 | using System.Linq;
5 | using System.Text;
6 | using Prefetch.Other;
7 | using Serilog;
8 |
9 | namespace Prefetch.Versions;
10 |
11 | public class Version26 : IPrefetch
12 | {
13 | public Version26(byte[] rawBytes, string sourceFilename)
14 | {
15 | SourceFilename = sourceFilename;
16 |
17 | RawBytes = rawBytes;
18 |
19 | try
20 | {
21 |
22 | var headerBytes = new byte[84];
23 | Buffer.BlockCopy(rawBytes, 0, headerBytes, 0, 84);
24 |
25 | Header = new Header(headerBytes);
26 |
27 | try
28 | {
29 | var fi = new FileInfo(sourceFilename);
30 | SourceCreatedOn = new DateTimeOffset(fi.CreationTimeUtc);
31 | SourceModifiedOn = new DateTimeOffset(fi.LastWriteTimeUtc);
32 | SourceAccessedOn = new DateTimeOffset(fi.LastAccessTimeUtc);
33 | }
34 | catch (Exception )
35 | {
36 |
37 | }
38 |
39 | //TODO factor out creation of File info blocks
40 | var fileInfoBytes = new byte[224];
41 | Buffer.BlockCopy(rawBytes, 84, fileInfoBytes, 0, 224);
42 |
43 | FileMetricsOffset = BitConverter.ToInt32(fileInfoBytes, 0);
44 | FileMetricsCount = BitConverter.ToInt32(fileInfoBytes, 4);
45 |
46 | TraceChainsOffset = BitConverter.ToInt32(fileInfoBytes, 8);
47 | TraceChainsCount = BitConverter.ToInt32(fileInfoBytes, 12);
48 |
49 | FilenameStringsOffset = BitConverter.ToInt32(fileInfoBytes, 16);
50 | FilenameStringsSize = BitConverter.ToInt32(fileInfoBytes, 20);
51 |
52 | VolumesInfoOffset = BitConverter.ToInt32(fileInfoBytes, 24);
53 | VolumeCount = BitConverter.ToInt32(fileInfoBytes, 28);
54 |
55 | VolumesInfoSize = BitConverter.ToInt32(fileInfoBytes, 32);
56 |
57 | //at offset 36 there are 8 unknown values, seemingly empty
58 | TotalDirectoryCount = BitConverter.ToInt32(fileInfoBytes, 36);
59 |
60 | var runtimeBytes = fileInfoBytes.Skip(44).Take(64).ToArray();
61 |
62 | LastRunTimes = new List();
63 |
64 | for (var i = 0; i < 8; i++)
65 | {
66 | var rawTime = BitConverter.ToInt64(runtimeBytes, i*8);
67 |
68 | if (rawTime > 0)
69 | {
70 | LastRunTimes.Add(DateTimeOffset.FromFileTime(rawTime).ToUniversalTime());
71 | }
72 | }
73 |
74 | //at offset 108 there are 16 bytes of unknown, possibly previous data from runtimes
75 |
76 | RunCount = BitConverter.ToInt32(fileInfoBytes, 124);
77 |
78 | var unknown0 = BitConverter.ToInt32(fileInfoBytes, 128);
79 | var unknown1 = BitConverter.ToInt32(fileInfoBytes, 132);
80 | //at offset 136 there is 88 bytes of unknown, empty values
81 | var unknown2 = BitConverter.ToInt32(fileInfoBytes, 128);
82 |
83 | var fileMetricsBytes = new byte[FileMetricsCount * 32];
84 | Buffer.BlockCopy(rawBytes, FileMetricsOffset, fileMetricsBytes, 0, FileMetricsCount * 32);
85 | var tempIndex = 0;
86 |
87 | FileMetrics = new List();
88 |
89 | var fileMetricsTempBuffer = new byte[32];
90 | while (tempIndex < fileMetricsBytes.Length)
91 | {
92 | Buffer.BlockCopy(fileMetricsBytes, tempIndex, fileMetricsTempBuffer, 0, 32);
93 | FileMetrics.Add(new FileMetric(fileMetricsTempBuffer, false));
94 | tempIndex += 32;
95 | }
96 |
97 | TraceChains = new List();
98 |
99 | var traceChainBytes = new byte[12 * TraceChainsCount];
100 | Buffer.BlockCopy(rawBytes, TraceChainsOffset, traceChainBytes, 0, 12 * TraceChainsCount);
101 | var traceIndex = 0;
102 | var traceChainTempBuffer = new byte[12];
103 | while (traceIndex < traceChainBytes.Length)
104 | {
105 | Buffer.BlockCopy(traceChainBytes, traceIndex, traceChainTempBuffer, 0, 12);
106 | TraceChains.Add(new TraceChain(traceChainTempBuffer, false));
107 | traceIndex += 12;
108 | }
109 |
110 | var filenameStringsBytes = new byte[FilenameStringsSize];
111 | Buffer.BlockCopy(rawBytes, FilenameStringsOffset, filenameStringsBytes, 0, FilenameStringsSize);
112 |
113 | var filenamesRaw = Encoding.Unicode.GetString(filenameStringsBytes);
114 | var fileNames = filenamesRaw.Split(new[] {'\0'}, StringSplitOptions.RemoveEmptyEntries);
115 |
116 | Filenames = new List();
117 |
118 | Filenames.AddRange(fileNames);
119 |
120 | var volumeInfoBytes = new byte[VolumesInfoSize];
121 | Buffer.BlockCopy(rawBytes, VolumesInfoOffset, volumeInfoBytes, 0, VolumesInfoSize);
122 |
123 | VolumeInformation = new List();
124 |
125 | var volBytes = new byte[104];
126 | for (var j = 0; j < VolumeCount; j++)
127 | {
128 | var skipSize = j*104;
129 | Buffer.BlockCopy(volumeInfoBytes, skipSize, volBytes, 0, 104);
130 |
131 | var volDevOffset = BitConverter.ToInt32(volBytes, 0);
132 | var volDevNumChar = BitConverter.ToInt32(volBytes, 4);
133 |
134 | var ct = BitConverter.ToInt64(volBytes, 8);
135 |
136 | var devNameBytes = new byte[volDevNumChar * 2];
137 | Buffer.BlockCopy(rawBytes, VolumesInfoOffset + volDevOffset, devNameBytes, 0, volDevNumChar * 2);
138 | var devName = Encoding.Unicode.GetString(devNameBytes);
139 |
140 | var sn = BitConverter.ToInt32(volBytes, 16).ToString("X");
141 |
142 | VolumeInformation.Add(new VolumeInfo(volDevOffset, DateTimeOffset.FromFileTime(ct).ToUniversalTime(), sn, devName));
143 |
144 | var fileRefOffset = BitConverter.ToInt32(volBytes, 20);
145 | var fileRefSize = BitConverter.ToInt32(volBytes, 24);
146 |
147 | var dirStringsOffset = BitConverter.ToInt32(volBytes, 28);
148 | var numDirectoryStrings = BitConverter.ToInt32(volBytes, 32);
149 |
150 | //filerefs are at VolumesInfoOffset + fileRefOffset
151 | var fileRefsIndex = VolumesInfoOffset + fileRefOffset;
152 | var fileRefBytes = new byte[fileRefSize];
153 | Buffer.BlockCopy(rawBytes, fileRefsIndex, fileRefBytes, 0, fileRefSize);
154 |
155 | var fileRefVer = BitConverter.ToInt32(fileRefBytes, 0);
156 | var numFileRefs = BitConverter.ToInt32(fileRefBytes, 4);
157 |
158 | tempIndex = 8;
159 |
160 | var tempFileRefBytes = new byte[8];
161 | while (tempIndex < fileRefBytes.Length && VolumeInformation.Last().FileReferences.Count < numFileRefs)
162 | {
163 | Buffer.BlockCopy(fileRefBytes, tempIndex, tempFileRefBytes, 0, 8);
164 | VolumeInformation.Last()
165 | .FileReferences.Add(new MFTInformation(tempFileRefBytes));
166 | tempIndex += 8;
167 | }
168 |
169 | var dirStringsIndex = VolumesInfoOffset + dirStringsOffset;
170 | var dirStringsBytes = new byte[rawBytes.Length - dirStringsIndex];
171 | Buffer.BlockCopy(rawBytes, dirStringsIndex, dirStringsBytes, 0, rawBytes.Length - dirStringsIndex);
172 |
173 | tempIndex = 0;
174 | for (var k = 0; k < numDirectoryStrings; k++)
175 | {
176 | var dirCharCount = BitConverter.ToInt16(dirStringsBytes, tempIndex)*2 + 2;
177 | // double the count since its Unicode and add 2 extra for null char
178 | tempIndex += 2;
179 | var dirName = Encoding.Unicode.GetString(dirStringsBytes, tempIndex, dirCharCount).Trim('\0');
180 | VolumeInformation.Last().DirectoryNames.Add(dirName);
181 |
182 | tempIndex += dirCharCount;
183 | }
184 | }
185 | }
186 | catch (Exception ex)
187 | {
188 | Log.Error(ex,"Error processing {File}. Message: {Message}",sourceFilename,ex.Message);
189 | ParsingError = true;
190 | }
191 |
192 | }
193 |
194 |
195 | public byte[] RawBytes { get; }
196 |
197 | public string SourceFilename { get; }
198 | public DateTimeOffset SourceCreatedOn { get; }
199 | public DateTimeOffset SourceModifiedOn { get; }
200 | public DateTimeOffset SourceAccessedOn { get; }
201 | public Header Header { get; }
202 |
203 | public int FileMetricsOffset { get; }
204 | public int FileMetricsCount { get; }
205 | public int TraceChainsOffset { get; }
206 | public int TraceChainsCount { get; }
207 | public int FilenameStringsOffset { get; }
208 | public int FilenameStringsSize { get; }
209 | public int VolumesInfoOffset { get; }
210 | public int VolumeCount { get; }
211 | public int VolumesInfoSize { get; }
212 | public int TotalDirectoryCount { get; }
213 | public List LastRunTimes { get; }
214 | public List VolumeInformation { get; }
215 | public int RunCount { get; }
216 | public List Filenames { get; }
217 | public bool ParsingError { get; }
218 | public List FileMetrics { get; }
219 | public List TraceChains { get; }
220 | }
--------------------------------------------------------------------------------
/Prefetch/Versions/Version30or31.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.IO;
4 | using System.Linq;
5 | using System.Text;
6 | using Prefetch.Other;
7 | using Serilog;
8 |
9 | namespace Prefetch.Versions;
10 |
11 | public class Version30or31 : IPrefetch
12 | {
13 | public Version30or31(byte[] rawBytes, string sourceFilename)
14 | {
15 | SourceFilename = sourceFilename;
16 |
17 | RawBytes = rawBytes;
18 |
19 | try
20 | {
21 | var headerBytes = new byte[84];
22 | Buffer.BlockCopy(rawBytes, 0, headerBytes, 0, 84);
23 |
24 | Header = new Header(headerBytes);
25 |
26 | try
27 | {
28 | var fi = new FileInfo(sourceFilename);
29 | SourceCreatedOn = new DateTimeOffset(fi.CreationTimeUtc);
30 | SourceModifiedOn = new DateTimeOffset(fi.LastWriteTimeUtc);
31 | SourceAccessedOn = new DateTimeOffset(fi.LastAccessTimeUtc);
32 | }
33 | catch (Exception )
34 | {
35 |
36 | }
37 |
38 | //TODO factor out creation of File info blocks
39 | var fileInfoBytes = new byte[224];
40 | Buffer.BlockCopy(rawBytes, 84, fileInfoBytes, 0, 224);
41 |
42 | FileMetricsOffset = BitConverter.ToInt32(fileInfoBytes, 0);
43 | FileMetricsCount = BitConverter.ToInt32(fileInfoBytes, 4);
44 |
45 | TraceChainsOffset = BitConverter.ToInt32(fileInfoBytes, 8);
46 | TraceChainsCount = BitConverter.ToInt32(fileInfoBytes, 12);
47 |
48 | FilenameStringsOffset = BitConverter.ToInt32(fileInfoBytes, 16);
49 | FilenameStringsSize = BitConverter.ToInt32(fileInfoBytes, 20);
50 |
51 | VolumesInfoOffset = BitConverter.ToInt32(fileInfoBytes, 24);
52 | VolumeCount = BitConverter.ToInt32(fileInfoBytes, 28);
53 |
54 | VolumesInfoSize = BitConverter.ToInt32(fileInfoBytes, 32);
55 |
56 | //at offset 36 there are 8 unknown values, seemingly empty
57 | TotalDirectoryCount = BitConverter.ToInt32(fileInfoBytes, 36);
58 |
59 | var runtimeBytes = new byte[64];
60 | Buffer.BlockCopy(fileInfoBytes, 44, runtimeBytes, 0, 64);
61 | //var runtimeBytes = fileInfoBytes.Skip(44).Take(64).ToArray();
62 |
63 | LastRunTimes = new List();
64 |
65 | for (var i = 0; i < 8; i++)
66 | {
67 | var rawTime = BitConverter.ToInt64(runtimeBytes, i*8);
68 |
69 | if (rawTime > 0)
70 | {
71 | LastRunTimes.Add(DateTimeOffset.FromFileTime(rawTime).ToUniversalTime());
72 | }
73 | }
74 |
75 | //at offset 108 there are 16 bytes of unknown, possibly previous data from runtimes
76 |
77 | RunCount = BitConverter.ToInt32(fileInfoBytes, 124);
78 |
79 | var runcountPre = BitConverter.ToInt32(fileInfoBytes, 124 - 4);
80 |
81 | if (runcountPre == 0)
82 | {
83 | //old format
84 | }
85 | else
86 | {
87 | RunCount = BitConverter.ToInt32(fileInfoBytes, 124 - 8); //newer versions of windows 10 shift the counter backward 8 bytes
88 | }
89 |
90 | var unknown0 = BitConverter.ToInt32(fileInfoBytes, 128);
91 | var unknown1 = BitConverter.ToInt32(fileInfoBytes, 132);
92 | //at offset 136 there is 88 bytes of unknown, empty values
93 | var unknown2 = BitConverter.ToInt32(fileInfoBytes, 128);
94 |
95 | var fileMetricsBytes = new byte[FileMetricsCount * 32];
96 | Buffer.BlockCopy(rawBytes, FileMetricsOffset, fileMetricsBytes,0, FileMetricsCount * 32);
97 | var tempIndex = 0;
98 |
99 | FileMetrics = new List();
100 |
101 | var fileMetricsTempBuffer = new byte[32];
102 | while (tempIndex < fileMetricsBytes.Length)
103 | {
104 | Buffer.BlockCopy(fileMetricsBytes, tempIndex, fileMetricsTempBuffer, 0, 32);
105 | FileMetrics.Add(new FileMetric(fileMetricsBytes, false));
106 | tempIndex += 32;
107 | }
108 |
109 | TraceChains = new List();
110 |
111 | var traceChainBytes = new byte[8 * TraceChainsCount];
112 | Buffer.BlockCopy(rawBytes, TraceChainsOffset, traceChainBytes, 0, 8 * TraceChainsCount);
113 | var traceIndex = 0;
114 | var traceChainTempBuffer = new byte[8];
115 | while (traceIndex < traceChainBytes.Length)
116 | {
117 | Buffer.BlockCopy(traceChainBytes, traceIndex, traceChainTempBuffer, 0, 8);
118 | TraceChains.Add(new TraceChain(traceChainTempBuffer, true));
119 | traceIndex += 8;
120 | }
121 |
122 | var filenameStringsBytes = new byte[FilenameStringsSize];
123 | Buffer.BlockCopy(rawBytes, FilenameStringsOffset, filenameStringsBytes, 0, FilenameStringsSize);
124 |
125 | var filenamesRaw = Encoding.Unicode.GetString(filenameStringsBytes);
126 | var fileNames = filenamesRaw.Split(new[] {'\0'}, StringSplitOptions.RemoveEmptyEntries);
127 |
128 | Filenames = new List();
129 |
130 | Filenames.AddRange(fileNames);
131 |
132 | var volumeInfoBytes = new byte[VolumesInfoSize];
133 | Buffer.BlockCopy(rawBytes, VolumesInfoOffset, volumeInfoBytes, 0, VolumesInfoSize);
134 |
135 | VolumeInformation = new List();
136 |
137 | //TODO factor this out as they are all the same?
138 | //TODO better yet, add in all the unique stuff so it can be researched
139 |
140 | var volBytes = new byte[96];
141 | for (var j = 0; j < VolumeCount; j++)
142 | {
143 | var skipSize = j*96;
144 | Buffer.BlockCopy(volumeInfoBytes, skipSize, volBytes, 0, 96);
145 |
146 | var volDevOffset = BitConverter.ToInt32(volBytes, 0);
147 | var volDevNumChar = BitConverter.ToInt32(volBytes, 4);
148 |
149 | var ct = BitConverter.ToInt64(volBytes, 8);
150 |
151 | var devNameBytes = new byte[volDevNumChar * 2];
152 | Buffer.BlockCopy(rawBytes, VolumesInfoOffset + volDevOffset, devNameBytes, 0, volDevNumChar * 2);
153 | var devName = Encoding.Unicode.GetString(devNameBytes);
154 |
155 | var sn = BitConverter.ToInt32(volBytes, 16).ToString("X");
156 |
157 | VolumeInformation.Add(new VolumeInfo(volDevOffset, DateTimeOffset.FromFileTime(ct).ToUniversalTime(), sn, devName));
158 |
159 | var fileRefOffset = BitConverter.ToInt32(volBytes, 20);
160 | var fileRefSize = BitConverter.ToInt32(volBytes, 24);
161 |
162 | var dirStringsOffset = BitConverter.ToInt32(volBytes, 28);
163 | var numDirectoryStrings = BitConverter.ToInt32(volBytes, 32);
164 |
165 | //filerefs are at VolumesInfoOffset + fileRefOffset
166 | var fileRefsIndex = VolumesInfoOffset + fileRefOffset;
167 | var fileRefBytes = new byte[fileRefSize];
168 | Buffer.BlockCopy(rawBytes, fileRefsIndex, fileRefBytes, 0, fileRefSize);
169 |
170 | var fileRefVer = BitConverter.ToInt32(fileRefBytes, 0);
171 | var numFileRefs = BitConverter.ToInt32(fileRefBytes, 4);
172 |
173 | tempIndex = 8;
174 |
175 | var tempFileRefBytes = new byte[8];
176 | while (tempIndex < fileRefBytes.Length && VolumeInformation.Last().FileReferences.Count < numFileRefs)
177 | {
178 | Buffer.BlockCopy(fileRefBytes, tempIndex, tempFileRefBytes, 0, 8);
179 | VolumeInformation.Last()
180 | .FileReferences.Add(new MFTInformation(tempFileRefBytes));
181 | tempIndex += 8;
182 | }
183 |
184 | var dirStringsIndex = VolumesInfoOffset + dirStringsOffset;
185 | var dirStringsBytes = new byte[rawBytes.Length - dirStringsIndex];
186 | Buffer.BlockCopy(rawBytes, dirStringsIndex, dirStringsBytes, 0, rawBytes.Length - dirStringsIndex);
187 |
188 | tempIndex = 0;
189 | for (var k = 0; k < numDirectoryStrings; k++)
190 | {
191 | var dirCharCount = BitConverter.ToInt16(dirStringsBytes, tempIndex)*2 + 2;
192 | // double the count since its Unicode and add 2 extra for null char
193 | tempIndex += 2;
194 | var dirName = Encoding.Unicode.GetString(dirStringsBytes, tempIndex, dirCharCount).Trim('\0');
195 | VolumeInformation.Last().DirectoryNames.Add(dirName);
196 |
197 | tempIndex += dirCharCount;
198 | }
199 | }
200 | }
201 | catch (Exception ex)
202 | {
203 | Log.Error(ex,"Error processing {File}. Message: {Message}",sourceFilename,ex.Message);
204 | ParsingError = true;
205 | }
206 | }
207 |
208 | public byte[] RawBytes { get; }
209 |
210 | public string SourceFilename { get; }
211 | public DateTimeOffset SourceCreatedOn { get; }
212 | public DateTimeOffset SourceModifiedOn { get; }
213 | public DateTimeOffset SourceAccessedOn { get; }
214 | public Header Header { get; }
215 |
216 | public int FileMetricsOffset { get; }
217 | public int FileMetricsCount { get; }
218 | public int TraceChainsOffset { get; }
219 | public int TraceChainsCount { get; }
220 | public int FilenameStringsOffset { get; }
221 | public int FilenameStringsSize { get; }
222 | public int VolumesInfoOffset { get; }
223 | public int VolumeCount { get; }
224 | public int VolumesInfoSize { get; }
225 | public int TotalDirectoryCount { get; }
226 | public List LastRunTimes { get; }
227 | public List VolumeInformation { get; }
228 | public int RunCount { get; }
229 | public bool ParsingError { get; }
230 |
231 |
232 | public List Filenames { get; }
233 | public List FileMetrics { get; }
234 | public List TraceChains { get; }
235 | }
--------------------------------------------------------------------------------
/Prefetch/XpressStream/Xpress2.cs:
--------------------------------------------------------------------------------
1 | using System.Runtime.InteropServices;
2 |
3 | namespace Prefetch.XpressStream;
4 |
5 | public static class Xpress2
6 | {
7 | // const ushort COMPRESSION_FORMAT_LZNT1 = 2;
8 | // const ushort COMPRESSION_FORMAT_XPRESS = 3;
9 | private const ushort CompressionFormatXpressHuff = 4;
10 |
11 | [DllImport("ntdll.dll")]
12 | private static extern uint RtlGetCompressionWorkSpaceSize(ushort compressionFormat,
13 | ref ulong compressBufferWorkSpaceSize, ref ulong compressFragmentWorkSpaceSize);
14 |
15 | [DllImport("ntdll.dll")]
16 | private static extern uint RtlDecompressBufferEx(ushort compressionFormat, byte[] uncompressedBuffer,
17 | int uncompressedBufferSize, byte[] compressedBuffer, int compressedBufferSize, ref int finalUncompressedSize,
18 | byte[] workSpace);
19 |
20 | public static byte[] Decompress(byte[] buffer, ulong decompressedSize)
21 | {
22 | // our uncompressed data will go here
23 | var outBuf = new byte[decompressedSize];
24 | ulong compressBufferWorkSpaceSize = 0;
25 | ulong compressFragmentWorkSpaceSize = 0;
26 |
27 | //get the size of what our workspace needs to be
28 | var ret = RtlGetCompressionWorkSpaceSize(CompressionFormatXpressHuff, ref compressBufferWorkSpaceSize,
29 | ref compressFragmentWorkSpaceSize);
30 | if (ret != 0)
31 | {
32 | return null;
33 | }
34 |
35 | var workSpace = new byte[compressFragmentWorkSpaceSize];
36 | var dstSize = 0;
37 |
38 | ret = RtlDecompressBufferEx(CompressionFormatXpressHuff, outBuf, outBuf.Length, buffer, buffer.Length,
39 | ref dstSize, workSpace);
40 | //if (ret == 0)
41 | // {
42 | return outBuf;
43 | // }
44 |
45 | //return null;
46 | }
47 | }
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Prefetch
2 | Windows Prefetch parser. Supports all known versions from Windows XP to Windows 10.
3 |
4 | You can get a command line tool that uses this libary here:
5 |
6 | https://github.com/EricZimmerman/PECmd
7 |
8 | #NOTE
9 | You need to run this code on at least Windows 8 in order for the decompression of Windows 10 prefetch files to work. I still have to some testing on failing gracefully if run on < Windows 8 if Windows 10 prefetch (version 30) files are found.
10 |
11 | # TODO
12 | - Split out Win8x into Win80 and Win81 for test cases
13 |
--------------------------------------------------------------------------------
/icon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EricZimmerman/Prefetch/adf03db7a7c56accacc040304e0e5d2678abd659/icon.png
--------------------------------------------------------------------------------
/license:
--------------------------------------------------------------------------------
1 | The MIT License (MIT)
2 |
3 | Copyright (c) 2016 Eric
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------