Fooling Windows through Superfetch

Conference:  BlackHat USA 2020



The presentation discusses the use of prefetch files in Windows operating systems for forensic analysis and how to fool the system by editing the files.
  • Prefetch files in Windows operating systems contain information about the user's habits and executed programs
  • The information in prefetch files can be edited using open source tools to fool the operating system
  • The presentation provides an example of how to edit a prefetch file and reintroduce it into the prefetch directory
  • The goal is to protect user privacy by fooling the operating system and preventing it from accessing personal information
The presenter explains how prefetch files can reveal personal information such as the names of directories, files, and even the content of text documents. They provide an example of how the tool they created can be used to edit the date of execution in a prefetch file to fool the operating system. By doing so, the system will not be able to access the correct information about the user's habits and executed programs.


Have you ever tried to hide your traces after doing some obscure stuff on a computer? We usually think about cleaning histories, file lefts, event viewer, DNS cache, and registry keys but have you ever thought about Superfetch?This is a Windows service whose purpose is to increase the speed of user's experience. Superfetch will analyze user's software use to prelaunch the process next time the user might need it. It also includes files used by the program such as text documents, photos, and movies. In concrete terms, the service tracks every activity on the OS and records traces into files with a ".pf " extension, called scenarios. Whenever Superfetch wants to predict which program might be launched, it will consult its prefetch files, computes probabilities and then tries to predict user decisions. This constitutes a forensic gold mine for any governmental service or any malicious person since it raises a very serious privacy issue.In this talk, we will dive into Superfetch architecture, explain its operating method, and debunk all the myths surrounding it. In addition, we will detail the format of its inner files which were undocumented or obsolete up until now and we will show how to fool the system by editing these files. To this end, we have built a tool that allows accessing and falsifying the data of the scenarios without Windows noticing. Afterwards, the system incorporates the falsified data and processes it as the original. Thanks to this trick, you will be able to hide traces of your activity, lie to forensic analysis, or even create false evidence on a computer. Your system believes it knows everything about you: time has come to regain power.