Superfetch

Overview

Evidence: Superfetch Description: Collect Superfetch Files Category: Other Evidence Platform: Windows Short Name: sprf Is Parsed: No - Raw database files Sent to Investigation Hub: Yes Collect File(s): No

Background

SuperFetch (now called SysMain in Windows 10) is a Windows service that analyzes application usage patterns to optimize system performance by preloading frequently used applications into memory. The service maintains database files (Ag*.db) that track application usage patterns.

These database files can provide historical information about application execution and usage patterns.

Data Collected

Field

Description

Example

Name

Artifact name

SuperFetch

Type

File

SourcePath

Original file path

C:\Windows\Prefetch\AgAppLaunch.db

Path

Relative path in evidence

Other/AgAppLaunch.db

Collection Method

This collector collects SuperFetch files from:

Windows\Prefetch\Ag*.db
Windows\Prefetch\Ag*.db.trx (transaction files)

Usage

SuperFetch databases can provide historical application usage information. Investigators use this data to track application execution patterns, identify frequently used applications, and analyze system performance characteristics.

Known Limitations

Database format is proprietary and undocumented
Limited parsing tools available
May not be present if SuperFetch is disabled
Database structure may vary by Windows version

Notes

SuperFetch databases are located in the Prefetch folder alongside .pf files but serve a different purpose. The .db files track longer-term usage patterns while .pf files track individual execution instances.

PreviousStartup Items NextSwap File

Last updated 51 minutes ago

Was this helpful?