Prefetch-Hash-Cracker – A Small Util To Brute-Force Prefetch Hashes

The following fields must be provided:

Hash function


Mount point

There are 3 known prefetch hash functions:

Used in Windows XP

SCCA Vista
Used in Windows Vista and Windows 10

SCCA 2008
Used in Windows 7, Windows 8 and Windows 8.1

A bodyfile of the volume the executable was executed from.

The bodyfile format is not very restrictive, so there are a lot of variations of it – some of which are not supported. Body files created with fls and MFTECmd should work fine.

The mount point of the bodyfile, as underlined below:

The provided bodyfile is used to get the path of every folder on the volume. The tool appends the provided executable name to each of those paths to create a list of possible full paths for the executable. Each possible full path is then hashed using the provided hash function. If there’s a possible full path for which the result matches the provided hash, that path is outputted.

The following cases are not supported:

If the executable name is longer than 29 characters (including the extension), it will be truncated in the prefetch filename. For example, executing this file:

In this case, the executable name cannot be derived from the prefetch filename, so you will not be able to provide it to the tool.



Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top