Tags: c#, prefetch

Prefetch parsing - unknown volume disk


I use the library https://github.com/EricZimmerman/Prefetch to parse prefetch files. There was a problem with the output path to the file: for some reason, it gives an unknown disk. The screenshot below shows my disks, and at the output, Prefetch produces (example):

\VOLUME{01d3da29987eda86-8a98b829}\WINDOWS\SYSTEM32\AUDIODG.EXE

cmd > mountvol

Example:

using System;
using System.IO;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using Prefetch;

string pfPath = @"C:\Windows\Prefetch\AUDIODG.EXE-5FB9CF9A.pf";
var pf = PrefetchFile.Open(pfPath);
if (pf != null)
{
    var sb = new StringBuilder();
    string name = pf.Header.ExecutableFilename.ToString();

    string ext = Path.GetExtension(name);
    // every referenced file whose name contains the executable's extension (e.g. ".exe")
    var listpathes = pf.Filenames.Where(word => word.IndexOf(ext, StringComparison.InvariantCultureIgnoreCase) >= 0).ToList();
    //var result = String.Join(", ", listpathes.ToArray());

    FileInfo pfdate = new FileInfo(pfPath); // the .pf file itself, not an undefined variable
    string sourcefilename = pf.SourceFilename.ToString();

    //sb.AppendLine(result + Environment.NewLine); // paths list to all related dll and others
    if (listpathes.Count > 0)
        sb.AppendLine(listpathes[0] + Environment.NewLine); // first matching path, e.g. \VOLUME{...}\WINDOWS\SYSTEM32\AUDIODG.EXE
    sb.AppendLine(pfdate.LastWriteTime + Environment.NewLine); // last write date of the .pf file
    sb.AppendLine(sourcefilename + Environment.NewLine); // name of the parsed .pf file
    sb.AppendLine(ext + Environment.NewLine); // *.exe

    MessageBox.Show(sb.ToString());
}

Where does this volume ID come from? Or how do I get the real path to the file?


Solution

  • Hi, I am the author of the Prefetch parser you are using.

    It should be in mounted devices and mount points. It's the storage volume GUID.

    The full path to the file executed is in the files referenced collection.

    Dump a pf file with PECmd from the command line, then look for the file entry in yellow.

    That's the full path.
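As an added example (not code from the question, the answer, or the Prefetch library), the following C# maps the \VOLUME{...} prefix of a referenced path back to a drive letter on the analysis machine. It assumes the device name has the form \VOLUME{<creation FILETIME hex>-<serial hex>} and that the second hex group is the 32-bit volume serial number reported by GetVolumeInformation; when the volume is not mounted locally (a copied .pf file or a disk image), the original path is returned unchanged and the MountedDevices lookup from the answer is the way to resolve it.

```csharp
using System;
using System.Globalization;
using System.IO;
using System.Runtime.InteropServices;
using System.Text.RegularExpressions;

// Hypothetical helper written for this example; not part of the Prefetch library.
static class PrefetchVolumeResolver
{
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool GetVolumeInformation(string rootPath, System.Text.StringBuilder volumeName,
        int volumeNameSize, out uint serialNumber, out uint maxComponentLen,
        out uint fileSystemFlags, System.Text.StringBuilder fileSystemName, int fileSystemNameSize);

    // Assumed layout: \VOLUME{16 hex digits of FILETIME}-{8 hex digits of serial}\rest-of-path
    static readonly Regex VolumePattern = new Regex(
        @"^\\VOLUME\{(?<created>[0-9a-f]{16})-(?<serial>[0-9a-f]{8})\}(?<rest>\\.*)$",
        RegexOptions.IgnoreCase);

    // Split a prefetch path into volume creation time (UTC), volume serial and the path below the root.
    public static bool TryParse(string pfPath, out DateTime createdUtc, out uint serial, out string rest)
    {
        createdUtc = default; serial = 0; rest = null;
        var m = VolumePattern.Match(pfPath);
        if (!m.Success) return false;
        long fileTime = long.Parse(m.Groups["created"].Value, NumberStyles.HexNumber);
        createdUtc = DateTime.FromFileTimeUtc(fileTime);
        serial = uint.Parse(m.Groups["serial"].Value, NumberStyles.HexNumber);
        rest = m.Groups["rest"].Value;
        return true;
    }

    // Find a mounted drive whose serial matches; null when the volume is not present on this machine.
    public static string ResolveDriveLetter(uint serial)
    {
        foreach (var drive in DriveInfo.GetDrives())
        {
            if (!drive.IsReady) continue;
            if (GetVolumeInformation(drive.RootDirectory.FullName, null, 0, out uint s, out _, out _, null, 0)
                && s == serial)
                return drive.Name.TrimEnd('\\'); // e.g. "C:"
        }
        return null;
    }

    // \VOLUME{...}\WINDOWS\SYSTEM32\AUDIODG.EXE -> C:\WINDOWS\SYSTEM32\AUDIODG.EXE when the volume is mounted here
    public static string ToLocalPath(string pfPath)
    {
        if (!TryParse(pfPath, out _, out uint serial, out string rest)) return pfPath;
        string letter = ResolveDriveLetter(serial);
        return letter == null ? pfPath : letter + rest;
    }
}
```

Call `PrefetchVolumeResolver.ToLocalPath(listpathes[0])` on the path from the question's code; the parsed creation time from `TryParse` is also useful for matching the volume against MountedDevices when no live drive matches.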