
I use this library to parse prefetch files: https://github.com/EricZimmerman/Prefetch. There is a problem with the output path to the file. For some reason, it gives an unknown disk. The screenshot below shows my disks, and the prefetch output is (example):

\VOLUME{01d3da29987eda86-8a98b829}\WINDOWS\SYSTEM32\AUDIODG.EXE

cmd > mountvol

Example:

using System;
using System.IO;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using Prefetch;

// the search code that finds the .pf file is omitted; the path is given directly here
string pfPath = @"C:\Windows\Prefetch\AUDIODG.EXE-5FB9CF9A.pf";
var pf = PrefetchFile.Open(pfPath);
if (pf != null)
{
    var sb = new StringBuilder();
    string name = pf.Header.ExecutableFilename;   // e.g. AUDIODG.EXE
    string ext = Path.GetExtension(name);         // e.g. .EXE

    // referenced files whose path contains the executable's extension
    var listpathes = pf.Filenames
        .Where(word => word.IndexOf(ext, StringComparison.InvariantCultureIgnoreCase) >= 0)
        .ToList();
    //var result = String.Join(", ", listpathes.ToArray());

    FileInfo pfdate = new FileInfo(pfPath);
    string sourcefilename = pf.SourceFilename;

    //sb.AppendLine(result + Environment.NewLine); // paths of all related DLLs and other files
    if (listpathes.Count > 0)
        sb.AppendLine(listpathes[0] + Environment.NewLine); // first matching path, e.g. \VOLUME{...}\WINDOWS\SYSTEM32\AUDIODG.EXE
    sb.AppendLine(pfdate.LastWriteTime + Environment.NewLine); // last write date of the .pf file
    sb.AppendLine(sourcefilename + Environment.NewLine); // path of the .pf file
    sb.AppendLine(ext + Environment.NewLine); // *.exe

    MessageBox.Show(sb.ToString());
}

Where does this volume id come from? Or how to get the real path to the file?

  • First thing I would ask: is C:\Windows\Prefetch\AUDIODG.EXE-5FB9CF9A.pf a valid path? Then, is it a directory or a file? Commented Feb 18, 2019 at 1:49
  • The path is valid, since it works through the search engine. Here I pointed to the file directly as an example and did not include the search code. Commented Feb 18, 2019 at 9:55
  • The LastActivityView program most likely works in the same way. But how do they get the path to the file? Commented Feb 18, 2019 at 9:58

1 Answer


Hi, I am the author of the Prefetch parser you are using.

It should be in mounted devices and mount points. It's the storage volume GUID.

The full path to the executed file is in the Files referenced collection.

Dump a pf file with PECmd from the command line, then look for the file entry in yellow.

That's the full path.


4 Comments

Based on the directory shown, it should be obvious which drive letter it came from, but you can always dump details from the Registry to get what MountPoints2 is showing.
Hello, sorry for posting on such an old issue. I am really struggling with resolving those GUIDs because they are not actually GUIDs, but are much shorter (only 2 components). I have not been able to find any solution to programmatically resolve them to any hard disks. The only insight I got is that the last component seems to be the serial number. Have you got further than I have?
As it turns out, it's not a GUID. =) There are 2 parts: the left is the volume created time (stored as big endian, if I recall); the second, as you saw, is the serial #. You can see how the created date works by dropping those hex characters into DCode or similar.
Thank you! I happened to figure out the first part in the meantime, though :)
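Putting the answer and the comments above together, here is an added example in C# (it is not code from the question, the answer, or the Prefetch library). It splits the `\VOLUME{...}` prefix into its two fields, decodes the first as a 64-bit Windows FILETIME and the second as the 32-bit volume serial number, and then rewrites the path against a serial-to-drive-letter table. The class and method names are hypothetical, the table is constructed for the example, and the entry mapping serial 8A98B829 to C: is an assumption rather than something the question states.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Text.RegularExpressions;

// Hypothetical helper (not part of the Prefetch library): splits the
// \VOLUME{<creation-time>-<serial>} prefix of a referenced-file path and
// resolves it to a drive letter.
public static class VolumePathResolver
{
    // Matches e.g. \VOLUME{01d3da29987eda86-8a98b829}\WINDOWS\SYSTEM32\AUDIODG.EXE
    private static readonly Regex VolumePattern = new Regex(
        @"^\\VOLUME\{(?<ctime>[0-9A-Fa-f]{1,16})-(?<serial>[0-9A-Fa-f]{1,8})\}(?<rest>\\.*)$",
        RegexOptions.Compiled);

    public sealed class VolumeId
    {
        public DateTime CreationTimeUtc;  // first field: 64-bit Windows FILETIME, printed in hex
        public uint SerialNumber;         // second field: 32-bit volume serial number (vol shows it as XXXX-XXXX)
        public string Rest;               // path below the volume root, starting with '\'
    }

    public static VolumeId Parse(string prefetchPath)
    {
        Match m = VolumePattern.Match(prefetchPath);
        if (!m.Success)
            throw new FormatException("not a \\VOLUME{...} path: " + prefetchPath);

        // The identifier is a printed number, so the hex text is parsed directly.
        ulong fileTime = ulong.Parse(m.Groups["ctime"].Value, NumberStyles.HexNumber, CultureInfo.InvariantCulture);
        if (fileTime > long.MaxValue)
            throw new FormatException("creation time out of FILETIME range");

        return new VolumeId
        {
            CreationTimeUtc = DateTime.FromFileTimeUtc((long)fileTime),
            SerialNumber = uint.Parse(m.Groups["serial"].Value, NumberStyles.HexNumber, CultureInfo.InvariantCulture),
            Rest = m.Groups["rest"].Value
        };
    }

    // serialToRoot: volume serial number -> drive root, e.g. 0x8A98B829 -> @"C:\".
    // Returns null when the volume is not mounted on this host (the .pf may come
    // from another machine, or the volume may have been reformatted since).
    public static string Resolve(string prefetchPath, IDictionary<uint, string> serialToRoot)
    {
        VolumeId id = Parse(prefetchPath);
        string root;
        if (!serialToRoot.TryGetValue(id.SerialNumber, out root))
            return null;
        return root.TrimEnd('\\') + id.Rest;
    }

    public static void Main()
    {
        // Constructed table for this example. On a live host, build it from
        // `wmic logicaldisk get DeviceID,VolumeSerialNumber` or
        // `Get-CimInstance Win32_LogicalDisk | Select DeviceID,VolumeSerialNumber`;
        // VolumeSerialNumber is the same 8-hex-digit value without the dash.
        // The 8A98B829 -> C: entry is an assumption, not taken from the question.
        var serialToRoot = new Dictionary<uint, string>
        {
            { 0x8A98B829u, @"C:\" },
            { 0x1234ABCDu, @"D:\" }
        };

        string raw = @"\VOLUME{01d3da29987eda86-8a98b829}\WINDOWS\SYSTEM32\AUDIODG.EXE";
        VolumeId id = Parse(raw);
        Console.WriteLine("volume created (UTC): {0:u}", id.CreationTimeUtc);
        Console.WriteLine("volume serial       : {0:X4}-{1:X4}", id.SerialNumber >> 16, id.SerialNumber & 0xFFFF);
        Console.WriteLine("resolved path       : {0}", Resolve(raw, serialToRoot) ?? "<volume not present>");

        // A serial that is not in the table: the caller gets null instead of a wrong drive letter.
        Console.WriteLine("unknown volume      : {0}",
            Resolve(@"\VOLUME{01d3da29987eda86-deadbeef}\WINDOWS\NOTEPAD.EXE", serialToRoot) ?? "<volume not present>");
    }
}
```

For the identifier in the question, the first field decodes to a timestamp in April 2018, which is consistent with it being the volume creation time rather than a random GUID component. The serial is the only field worth matching against the live system; the creation time is useful as a second check that the drive letter you resolved is the same volume (and not one that was reformatted and happened to reuse the letter). When you read the .pf with the library instead of regex-parsing the path string, the same two values should also be available as parsed volume fields; check the library's volume information type for the exact property names.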
