The following fields must be provided:
There are 3 known prefetch hash functions:
Used in Windows XP
Used in Windows Vista and Windows 10
Used in Windows 7, Windows 8 and Windows 8.1
A bodyfile of the volume the executable was executed from.
The bodyfile format is not very restrictive, so many variations of it exist, some of which are not supported. Bodyfiles created with MFTECmd should work fine.
The mount point of the bodyfile, as underlined below:
The provided bodyfile is used to get the path of every folder on the volume. The tool appends the provided executable name to each of those paths to build a list of candidate full paths for the executable. Each candidate is then hashed with the selected hash function. If a candidate's hash matches the provided hash, that path is output.
The following cases are not supported:
If the executable name is longer than 29 characters (including the extension), it will be truncated in the prefetch filename. For example, executing this file:
In this case, the executable name cannot be derived from the prefetch filename, so you will not be able to provide it to the tool.
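The whole pipeline described above (folder paths taken from a bodyfile, candidate full paths, the three prefetch hash functions, and the 29-character truncation rule that makes the last case unsupported), as an added example that is not the tool's own code. The three hash functions follow the publicly documented SCCA algorithms (XP; Vista, also used by Windows 10; and the Windows 7/8/8.1 variant). Assumptions: bodyfile lines are `|`-separated with the path in the second field and a mode string starting with `d/` for directories, the mount point is a prefix of that path field, and the volume device prefix `\DEVICE\HARDDISKVOLUME1` used to build the hashed path is a placeholder for whatever the examined system actually used. The sample bodyfile is constructed.

```python
"""Resolve a prefetch hash to a full path using folder paths from a bodyfile.

Added example, not the tool's own code. See the comments for assumptions.
"""

MASK = 0xFFFFFFFF
MAX_PREFETCH_NAME = 29  # executable name is cut to this length in the .pf filename


def hash_xp(path: str) -> int:
    """SCCA hash used by Windows XP (publicly documented algorithm)."""
    h = 0
    for ch in path:
        h = (h * 37 + ord(ch)) & MASK
    h = (h * 314159269) & MASK
    if h > 0x80000000:  # absolute value of the signed 32-bit intermediate
        h = 0x100000000 - h
    return (h % 1000000007) & MASK


def hash_vista(path: str) -> int:
    """SCCA hash used by Windows Vista and Windows 10."""
    h = 314159
    for ch in path:
        h = (h * 37 + ord(ch)) & MASK
    return h


def hash_2008(path: str) -> int:
    """SCCA hash used by Windows 7, 8 and 8.1: eight characters per round,
    then one character per round for whatever is left over."""
    h = 314159
    i, n = 0, len(path)
    while i + 8 < n:
        c = ord(path[i + 1]) * 37
        for k in range(2, 7):
            c = (c + ord(path[i + k])) * 37
        c += ord(path[i]) * 442596621 + ord(path[i + 7])
        h = (c - h * 803794207) & MASK
        i += 8
    while i < n:
        h = (h * 37 + ord(path[i])) & MASK
        i += 1
    return h


HASH_FUNCTIONS = {"xp": hash_xp, "vista": hash_vista, "2008": hash_2008}


def folder_paths_from_bodyfile(lines, mount_point):
    """Return every folder on the volume, relative to the mount point.

    Assumption: '|'-separated lines, path in the second field, mode string in
    the fourth (as MFTECmd writes them). Every ancestor of every entry is
    recorded, so files alone are enough to recover the folders that hold them;
    entries marked 'd/' are added as folders in their own right."""
    mp = mount_point.replace("/", "\\")
    folders = set()
    for line in lines:
        fields = line.rstrip("\r\n").split("|")
        if len(fields) < 4:
            continue
        name = fields[1].replace("/", "\\")
        if not name.startswith(mp):
            continue
        parts = [p for p in name[len(mp):].split("\\") if p]
        for depth in range(len(parts)):
            folders.add("\\".join(parts[:depth]))  # "" is the volume root
        if fields[3].startswith("d/"):
            folders.add("\\".join(parts))
    return folders


def resolve_hash(bodyfile_lines, mount_point, exe_name, target_hash, hash_name,
                 device_prefix="\\DEVICE\\HARDDISKVOLUME1"):
    """Hash each candidate folder + executable name and return the matches.

    device_prefix is an assumption (placeholder) for the real volume path."""
    hash_fn = HASH_FUNCTIONS[hash_name]
    matches = []
    for folder in folder_paths_from_bodyfile(bodyfile_lines, mount_point):
        tail = f"{folder}\\{exe_name}" if folder else exe_name
        candidate = f"{device_prefix}\\{tail}"
        if hash_fn(candidate.upper()) == target_hash:  # hash is over the upper-case path
            matches.append(candidate)
    return sorted(matches)


def prefetch_filename(exe_name, hash_value):
    """Name Windows gives the .pf file: upper-case executable name truncated to
    29 characters (extension included), '-', and the hash as 8 hex digits."""
    return f"{exe_name[:MAX_PREFETCH_NAME].upper()}-{hash_value:08X}.pf"


# Constructed sample bodyfile (MFTECmd-style fields, mount point "C:").
SAMPLE_BODYFILE = [
    "0|C:\\Windows|5-5|d/drwxrwxrwx|0|0|0|1|1|1|1",
    "0|C:\\Windows\\System32|6-6|d/drwxrwxrwx|0|0|0|1|1|1|1",
    "0|C:\\Windows\\System32\\cmd.exe|7-7|r/rrwxrwxrwx|0|0|289792|1|1|1|1",
    "0|C:\\Users\\alice\\Downloads\\report.pdf|8-8|r/rrwxrwxrwx|0|0|1024|1|1|1|1",
    "0|C:\\Temp|9-9|d/drwxrwxrwx|0|0|0|1|1|1|1",
]

if __name__ == "__main__":
    # Pretend the prefetch file on a Windows 7 box was CMD.EXE-<hash>.pf.
    h = hash_2008("\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\CMD.EXE")
    print(prefetch_filename("cmd.exe", h))
    print(resolve_hash(SAMPLE_BODYFILE, "C:", "cmd.exe", h, "2008"))
```

Matching is done on the upper-cased candidate because the prefetch hash is computed over the upper-case device path, while the returned path keeps the case recorded in the bodyfile. `prefetch_filename` shows why long names are unsupported: once the name is cut to 29 characters, the original executable name is no longer recoverable from the `.pf` filename.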