Superfetch

Overview

Evidence: Superfetch Description: Collect Superfetch Files Category: System Platform: windows Short Name: sprf Is Parsed: No Sent to Investigation Hub: Yes Collect File(s): Yes

Background

SuperFetch (now called SysMain in Windows 10) is a Windows service that analyzes application usage patterns to optimize system performance by preloading frequently used applications into memory. The service maintains database files (Ag*.db) that track application usage patterns.

These database files can provide historical information about application execution and usage patterns.

Data Collected

This collector gathers structured data about superfetch.

Superfetch Data

Field

Description

Example

Name

Artifact name

SuperFetch

Type

File

SourcePath

Original file path

C:\Windows\Prefetch\AgAppLaunch.db

Path

Relative path in evidence

Other/AgAppLaunch.db

Collection Method

This collector collects SuperFetch files from:

Windows\Prefetch\Ag*.db
Windows\Prefetch\Ag*.db.trx (transaction files)

Forensic Value

SuperFetch databases can provide historical application usage information. Investigators use this data to track application execution patterns, identify frequently used applications, and analyze system performance characteristics.

PreviousSUPERAntiSpyware Logs NextSupremo Remote Desktop Logs

Last updated 3 days ago

Was this helpful?