craSH/windows_prefetch_paths.py

## windows_prefetch_paths.py
import struct

def get_file_paths(pf_file):
    """
    Given a path to a Windows Prefetch file, extract and return a list of all file
    paths that it contains (which will be prefetched)

    References:
    - http://en.wikipedia.org/wiki/Prefetcher
    - http://msdn.microsoft.com/en-us/magazine/cc302206.aspx
    - http://42llc.net/index.php?option=com_myblog&task=tag&category=Prefetch&Itemid=39
    """

    filepath_offset_pos = 0x64 # Offset to Block containing Filepaths (DWORD)
    filepath_length_pos = 0x68 # Length of Block containing Filepaths (DWORD)

    fh = None
    try:
        fh = open(pf_file,'rb')
        data = fh.read()
    except Exception, ex:
        print >>sys.stderr, "Oops, Failed to read file '%s' [Exception: %s]" % (pf_file, ex.strerror)
        sys.exit(1)
    finally:
        if fh:
            fh.close()

    filepath_offset = struct.unpack('<i', data[filepath_offset_pos:filepath_offset_pos + 4])[0]
    filepath_length = struct.unpack('<i', data[filepath_length_pos:filepath_length_pos + 4])[0]

    filepath_end = filepath_offset + filepath_length

    filepath_block = data[filepath_offset:filepath_end]
    filepath_block = unicode(filepath_block, 'utf-16-le')

    # This filter ensures we don't add any empty strings - the last string is always empty
    filepaths = filter(lambda s: s, filepath_block.split(u'\0'))

    return filepaths


if __name__ == '__main__':
    """
    Called with a Windows Prefetch file as the only argument, print all files that
    are referenced to by that file (which will be prefetched by Windows)
    """

    import sys

    pf_file = sys.argv[1]

    print >>sys.stderr, "Reading file paths for Prefetch file '%s':\n" % pf_file

    result_paths = get_file_paths(pf_file)

    # Print the data
    for filepath in result_paths:
        print "\t", filepath

    sys.exit(0)
	import struct

	def get_file_paths(pf_file):
	"""
	Given a path to a Windows Prefetch file, extract and return a list of all file
	paths that it contains (which will be prefetched)

	References:
	- http://en.wikipedia.org/wiki/Prefetcher
	- http://msdn.microsoft.com/en-us/magazine/cc302206.aspx
	- http://42llc.net/index.php?option=com_myblog&task=tag&category=Prefetch&Itemid=39
	"""

	filepath_offset_pos = 0x64 # Offset to Block containing Filepaths (DWORD)
	filepath_length_pos = 0x68 # Length of Block containing Filepaths (DWORD)

	fh = None
	try:
	fh = open(pf_file,'rb')
	data = fh.read()
	except Exception, ex:
	print >>sys.stderr, "Oops, Failed to read file '%s' [Exception: %s]" % (pf_file, ex.strerror)
	sys.exit(1)
	finally:
	if fh:
	fh.close()

	filepath_offset = struct.unpack('<i', data[filepath_offset_pos:filepath_offset_pos + 4])[0]
	filepath_length = struct.unpack('<i', data[filepath_length_pos:filepath_length_pos + 4])[0]

	filepath_end = filepath_offset + filepath_length

	filepath_block = data[filepath_offset:filepath_end]
	filepath_block = unicode(filepath_block, 'utf-16-le')

	# This filter ensures we don't add any empty strings - the last string is always empty
	filepaths = filter(lambda s: s, filepath_block.split(u'\0'))

	return filepaths


	if __name__ == '__main__':
	"""
	Called with a Windows Prefetch file as the only argument, print all files that
	are referenced to by that file (which will be prefetched by Windows)
	"""

	import sys

	pf_file = sys.argv[1]

	print >>sys.stderr, "Reading file paths for Prefetch file '%s':\n" % pf_file

	result_paths = get_file_paths(pf_file)

	# Print the data
	for filepath in result_paths:
	print "\t", filepath

	sys.exit(0)