Superfetch
Overview
Evidence: Superfetch
Description: Collect Superfetch Files
Category: System
Platform: windows
Short Name: sprf
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
SuperFetch (now called SysMain in Windows 10) is a Windows service that analyzes application usage patterns to optimize system performance by preloading frequently used applications into memory. The service maintains database files (Ag*.db) that track application usage patterns.
These database files can provide historical information about application execution and usage patterns, which is what makes them of interest to an investigator.
Data Collected
This collector gathers structured metadata about the SuperFetch files it collects.
Superfetch Data
| Field | Description | Example |
|---|---|---|
| Name | Artifact name | SuperFetch |
| Type | Artifact type | File |
| SourcePath | Original file path on the host | C:\Windows\Prefetch\AgAppLaunch.db |
| Path | Relative path in the evidence package | Other/AgAppLaunch.db |
Collection Method
This collector collects SuperFetch files from:
- Windows\Prefetch\Ag*.db
- Windows\Prefetch\Ag*.db.trx (transaction files)
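The following is an added example, not the collector's own code, showing the collection method above as a small Python script: it matches the two patterns, copies each hit into the Other/ evidence directory, and emits one record with the Name, Type, SourcePath and Path fields from the table. The SHA256 field, the `collect_superfetch`/`demo` names and the constructed stand-in Prefetch directory are assumptions added here; on a live host the source is C:\Windows\Prefetch.

```python
import fnmatch
import hashlib
import shutil
import tempfile
from pathlib import Path

# Patterns from the collection method: Ag*.db plus the Ag*.db.trx transaction files.
PATTERNS = ("Ag*.db", "Ag*.db.trx")
EVIDENCE_SUBDIR = "Other"  # matches the "Path" field, e.g. Other/AgAppLaunch.db


def collect_superfetch(prefetch_dir, evidence_root):
    """Copy every SuperFetch file in prefetch_dir into <evidence_root>/Other and
    return one record per file. SHA256 is an addition for integrity checking."""
    prefetch_dir = Path(prefetch_dir)
    dest_dir = Path(evidence_root) / EVIDENCE_SUBDIR
    dest_dir.mkdir(parents=True, exist_ok=True)
    records = []
    for entry in sorted(prefetch_dir.iterdir()):
        # Skip directories and ordinary *.pf traces; only Ag*.db / Ag*.db.trx qualify.
        if not entry.is_file() or not any(fnmatch.fnmatch(entry.name, p) for p in PATTERNS):
            continue
        dest = dest_dir / entry.name
        shutil.copy2(entry, dest)  # copy2 keeps source timestamps on the evidence copy
        records.append({
            "Name": "SuperFetch",
            "Type": "File",
            "SourcePath": str(entry),
            "Path": f"{EVIDENCE_SUBDIR}/{entry.name}",
            "SHA256": hashlib.sha256(dest.read_bytes()).hexdigest(),
        })
    return records


def demo():
    """Run the collector against a constructed stand-in for Windows\\Prefetch."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "Windows" / "Prefetch"
        src.mkdir(parents=True)
        (src / "AgAppLaunch.db").write_bytes(b"constructed sample, not a real Ag*.db")
        (src / "AgAppLaunch.db.trx").write_bytes(b"constructed sample transaction file")
        (src / "EXAMPLE.EXE-00000000.pf").write_bytes(b"ordinary .pf trace, must be skipped")
        records = collect_superfetch(src, Path(tmp) / "evidence")
        copied = sorted(p.name for p in (Path(tmp) / "evidence" / EVIDENCE_SUBDIR).iterdir())
    return records, copied


if __name__ == "__main__":
    for rec in demo()[0]:
        print(rec)
```

Reading the live Prefetch directory normally requires an elevated account, so run the collector with administrator rights when pointing it at a real host.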
Forensic Value
SuperFetch databases can provide historical application usage information. Investigators use this data to track application execution patterns, identify frequently used applications, and analyze system performance characteristics.