This EnScript is designed to parse the prefetch files created by the MS Windows Task Scheduler service. Windows XP to Windows 10 file formats are supported. It's worth noting that Windows 10 prefetch files are compressed using the Xpress+Huffman compression algorithm.
#RUNDLL32 EXE 451FC2C0 PF WINDOWS 10#
Prefetch files monitor system activity during the period when the system boots and also when an application starts. This allows the system to pre-load necessary data (from MFT records, files and folders) all in one go rather than keep returning to file system objects to read data from them again and again. Not only is the prefetch data used during system and application start-up, it is also used to optimize the disk defragmentation process. The majority of prefetch files have a file-name containing the name of the associated executable or a name representing the boot process (NTOSBOOT). This name will be followed by a hash value calculated in one of two ways. If the name represents the boot process then the hash value should always be the same. If the prefetch file refers to a designated 'hosting application' (an application such as MMC.EXE, DLLHOST.EXE or RUNDLL32.EXE, i.e. one that starts another process) then the hash is calculated using a hash of the executable's device path and also a hash of the command-line.
If the prefetch file refers to any other application then the hash is derived solely from the executable's device path. In addition, SVCHOST.EXE is used with command-line parameters which will affect the hash stored in the filename. Though it is not defined as a hosting application, this script will process it like one and check for the commonly used command-line parameters. The script allows the examiner to process all entries, tagged entries or selected entries in the current view. Regardless of the option chosen, the script will only process those files with a '.pf' file extension and a prefetch file-signature. Before processing starts, the script will perform a signature-based validation-check and then display a list of the files that will be processed. This list will show whether a prefetch file relates to a hosting application, whether the hash value should be verified and also, for a hosting application, what command-line should be used for the purpose of hash verification. Double-clicking on an item in the list will allow the examiner to modify the process options for that item. Please note that there may be a slight pause while this list is generated. The available options will depend on whether the prefetch file relates to a hosting application or not. For hosting applications the prefetch hash can only be verified by using the command-line that was used to start the application. The option to verify the hash value for a prefetch file will always be enabled for non-hosting applications because it doesn't require any additional information and takes very little time. Where hash verification is required for a hosting application the script will attempt to verify the hash using the command-line optionally provided by the examiner; it will also use an internal list of common command-lines used to invoke Control Panel tool (cpl) files using RUNDLL32.EXE and Microsoft Management Console (msc) files using MMC.EXE. This will often give the examiner an indication of the actions the user has taken to configure his/her system.
#RUNDLL32 EXE 451FC2C0 PF VERIFICATION#
For instance, the RUNDLL32.EXE hosting application may have been used to execute the Date and Time Control Panel tool so that the user could change the system clock or modify time-zone settings. It's important to understand that hosting apps such as RUNDLL32.EXE can be used for many different purposes and so the internal list of command-lines used by the script is not exhaustive. Not only that, but the prefetch hash is case-sensitive and the case of a command-line can vary depending on how it was invoked. For instance, executing the date/time Control Panel tool from the system tray, run-dialog box, command-prompt and by double-clicking on it in the Control Panel itself can all result in different command-lines, some of which differ only by case.
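The signature-based validation-check and the Windows 10 compression mentioned above, written out as an added Python example that is not part of the EnScript or of the original page. It relies on publicly documented layout facts stated in its docstring (a little-endian format version followed by the 'SCCA' signature for uncompressed files; a 'MAM\x04' header plus the 4-byte uncompressed size for Windows 10 files). Function names and the sample bytes in the usage section are constructed for this example; decompression calls ntdll's RtlDecompressBufferEx, so that part only runs on Windows.

```python
"""Signature-based validation of candidate prefetch files.

Added example, not the EnScript's code. Layout facts used: an uncompressed
prefetch file starts with a 4-byte little-endian format version (17 = XP/2003,
23 = Vista/7, 26 = 8.1, 30 = 10) followed by the signature b'SCCA'; a Windows
10 file is stored Xpress+Huffman compressed behind the header b'MAM\x04'
followed by the 4-byte uncompressed size. Function names are this example's own.
"""
import ctypes
import struct
import sys
from dataclasses import dataclass
from typing import Optional

SCCA = b"SCCA"
MAM = b"MAM\x04"
KNOWN_VERSIONS = {17: "Windows XP/2003", 23: "Windows Vista/7",
                  26: "Windows 8.1", 30: "Windows 10"}
COMPRESSION_FORMAT_XPRESS_HUFF = 4  # ntdll compression format id


@dataclass
class PrefetchHeader:
    compressed: bool
    version: Optional[int]
    uncompressed_size: Optional[int]
    description: str


def inspect_prefetch(data: bytes) -> Optional[PrefetchHeader]:
    """Classify a file body by signature; None means it is not a prefetch file."""
    if len(data) >= 8 and data[:4] == MAM:
        size = struct.unpack_from("<I", data, 4)[0]
        return PrefetchHeader(True, None, size, "Windows 10 (Xpress+Huffman compressed)")
    if len(data) >= 8 and data[4:8] == SCCA:
        version = struct.unpack_from("<I", data, 0)[0]
        return PrefetchHeader(False, version, len(data),
                              KNOWN_VERSIONS.get(version, "unknown format version"))
    return None


def should_process(filename: str, data: bytes) -> bool:
    """The script's rule: a '.pf' extension AND a valid prefetch signature."""
    return filename.lower().endswith(".pf") and inspect_prefetch(data) is not None


def decompress_win10(data: bytes) -> bytes:
    """Expand a MAM-compressed body into the plain SCCA layout (Windows only)."""
    if sys.platform != "win32":
        raise NotImplementedError("RtlDecompressBufferEx is only available on Windows")
    hdr = inspect_prefetch(data)
    if hdr is None or not hdr.compressed:
        raise ValueError("not a compressed prefetch file")
    ntdll = ctypes.windll.ntdll
    ws_size, frag_size = ctypes.c_ulong(), ctypes.c_ulong()
    ntdll.RtlGetCompressionWorkSpaceSize(ctypes.c_ushort(COMPRESSION_FORMAT_XPRESS_HUFF),
                                          ctypes.byref(ws_size), ctypes.byref(frag_size))
    workspace = ctypes.create_string_buffer(ws_size.value)
    out = ctypes.create_string_buffer(hdr.uncompressed_size)
    final = ctypes.c_ulong()
    status = ntdll.RtlDecompressBufferEx(
        ctypes.c_ushort(COMPRESSION_FORMAT_XPRESS_HUFF),
        out, ctypes.c_ulong(hdr.uncompressed_size),
        ctypes.c_char_p(data[8:]), ctypes.c_ulong(len(data) - 8),
        ctypes.byref(final), workspace)
    if status != 0:
        raise OSError(f"RtlDecompressBufferEx failed, NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
    return out.raw[:final.value]


if __name__ == "__main__":
    # Constructed sample headers, not real prefetch files.
    samples = {
        "NOTEPAD.EXE-00000000.pf": b"\x1e\x00\x00\x00SCCA" + b"\x00" * 16,
        "CMD.EXE-00000000.pf": b"MAM\x04" + struct.pack("<I", 1234) + b"\x00" * 8,
        "NOTAPF.pf": b"MZ\x90\x00" + b"\x00" * 12,
        "NOTEPAD.EXE-00000000.txt": b"\x17\x00\x00\x00SCCA" + b"\x00" * 8,
    }
    for name, body in samples.items():
        hdr = inspect_prefetch(body)
        print(f"{name:28} process={should_process(name, body)!s:5} "
              f"{hdr.description if hdr else 'no prefetch signature'}")
```

A compressed Windows 10 file must be expanded before any of the SCCA fields (including the executable path used for hash verification) can be read; on a non-Windows analysis host substitute a pure-Python LZXPRESS Huffman decoder for `decompress_win10`.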
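The filename hash for non-hosting applications, and the case-sensitivity caveat above, as an added Python example that is not code from the EnScript or from the original page. The two hash routines follow the public description of the SCCA hash variants in Joachim Metz's Windows Prefetch File (PF) format documentation (libscca); the Vista-and-later routine also covers the unrolled "2008" form, which is arithmetically the same 37-multiplier loop. Function names and the sample device paths are this example's own. Hosting applications (RUNDLL32.EXE, MMC.EXE, DLLHOST.EXE) are deliberately out of scope because the page does not state how the command-line hash is combined with the path hash.

```python
"""Prefetch filename hash verification for non-hosting applications.

Added example; not the EnScript's code. Hash routines follow Joachim Metz's
public SCCA hash description (libscca documentation). Function names and the
sample paths are constructed for this example.
"""
import re

MASK32 = 0xFFFFFFFF


def scca_xp_hash(device_path: str) -> int:
    """Windows XP / 2003 (format version 17) filename hash."""
    h = 0
    for ch in device_path:
        h = (h * 37 + ord(ch)) & MASK32
    h = (h * 314159269) & MASK32
    if h > 0x80000000:
        h = 0x100000000 - h
    return h % 1000000007


def scca_vista_hash(device_path: str) -> int:
    """Windows Vista and later (format versions 23, 26, 30) filename hash.

    Metz's unrolled "2008" variant multiplies by 37**8 mod 2**32 per 8-character
    block and falls back to this loop for the tail, which yields the same value.
    """
    h = 314159
    for ch in device_path:
        h = (h * 37 + ord(ch)) & MASK32
    return h


def hash_for_version(version: int):
    """Pick the hash routine from the prefetch format version."""
    return scca_xp_hash if version == 17 else scca_vista_hash


def expected_prefetch_name(device_path: str, version: int) -> str:
    """Name a non-hosting executable's prefetch file should carry.

    The hash covers the device path exactly as passed (no case folding), which
    is why the same binary referenced in a different case yields a different name.
    """
    exe = device_path.rsplit("\\", 1)[-1]
    return f"{exe}-{hash_for_version(version)(device_path):08X}.pf"


PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)


def verify_prefetch_name(pf_name: str, device_path: str, version: int) -> bool:
    """True when the 8-hex-digit hash in pf_name matches device_path."""
    m = PF_NAME.match(pf_name)
    if m is None:
        return False
    return int(m.group("hash"), 16) == hash_for_version(version)(device_path)


def case_sensitivity_demo() -> dict:
    """Constructed sample: one binary, two spellings of its device path."""
    upper = r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NOTEPAD.EXE"
    mixed = r"\Device\HarddiskVolume1\Windows\System32\notepad.exe"
    return {
        "upper": expected_prefetch_name(upper, 30),
        "mixed": expected_prefetch_name(mixed, 30),
        "hashes_match": scca_vista_hash(upper) == scca_vista_hash(mixed),
    }


if __name__ == "__main__":
    demo = case_sensitivity_demo()
    print(demo["upper"])
    print(demo["mixed"])
    print("same hash despite case difference:", demo["hashes_match"])
```

In practice the device path to hash is taken from the executable entry in the prefetch file's own file-strings section rather than typed by hand, and a verification failure for a non-hosting application is itself a finding worth noting (renamed file, hand-crafted name, or a path recorded in a different case than expected).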