How to enable PreFetch in Windows Server

Yesterday I held a presentation on forensics and incident response at the TrueSec Security Summit.

One of the major challenges when responding to a breach is figuring out exactly what an attacker has done on a machine. Did they dump hashes? Install a backdoor? Pivot to another machine by spawning a shell using PsExec?

A great place to see which executables have been run on a system is the prefetch folder: list it and parse the files within. While prefetch is a mechanism used to speed up system boot and/or application launch, the metadata contained in these files is a goldmine when trying to piece together a timeline and attack scenario.

However, since Windows Servers aren’t usually used interactively, Microsoft has made the decision to deactivate prefetch by default. It’s a sound decision, as any unnecessary services increase the attack surface, and theoretically have a performance impact. However, when a system is breached, it will be used interactively, and as we’re interested in figuring out exactly how it’s been used, we’d really love to enable this functionality.

In previous versions of Windows Server this was easily done by adding a registry key. In Windows Server 2012, you have to do a bit more. It’s not a complicated operation, but finding out how is a different matter…

So, in order to enable prefetch for applications on Windows Server 2012, simply do the following in an administrative PowerShell console:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnablePrefetcher /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher" /v MaxPrefetchFiles /t REG_DWORD /d 8192 /f

Enable-MMAgent -OperationAPI

net start sysmain

And there you have it. You don’t even have to reboot.
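The four commands above, collected into one idempotent PowerShell script with a verification step, as an added example that is not part of the original post. It also includes a small header reader for the resulting .pf files, since that is what the post says an investigator will be parsing. The function names (Enable-ServerPrefetch, Test-ServerPrefetch, Get-PrefetchSummary) and the $MaxFiles parameter are this example's own choices; the header offsets are those of the uncompressed prefetch formats (version 17 for XP/2003, 23 for Vista/7, 26 for Windows 8.x/Server 2012), and the compressed files Windows 10 writes are skipped rather than decoded.

```powershell
# Added example (not the post's own code). Run from an elevated PowerShell console.
# Enables application prefetch on Windows Server 2012 the way the post describes,
# verifies the result, and summarizes what the resulting .pf files record.

$PrefetchParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
$PrefetcherKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher'

function Enable-ServerPrefetch {
    param([uint32]$MaxFiles = 8192)   # same cap the post sets with reg add

    # The Prefetcher key may not exist yet on a server; create it before writing the value.
    if (-not (Test-Path $PrefetcherKey)) { New-Item -Path $PrefetcherKey -Force | Out-Null }
    # 3 = prefetch both boot and application launches (the post's EnablePrefetcher value)
    Set-ItemProperty -Path $PrefetchParams -Name EnablePrefetcher -Type DWord -Value 3
    Set-ItemProperty -Path $PrefetcherKey  -Name MaxPrefetchFiles -Type DWord -Value $MaxFiles

    # Equivalent of the post's Enable-MMAgent and "net start sysmain" steps
    Enable-MMAgent -OperationAPI
    Set-Service   -Name SysMain -StartupType Automatic
    Start-Service -Name SysMain
}

function Test-ServerPrefetch {
    # Read everything back rather than trusting that the writes took effect.
    $enabled = (Get-ItemProperty -Path $PrefetchParams -Name EnablePrefetcher).EnablePrefetcher
    $svc     = Get-Service -Name SysMain
    $api     = (Get-MMAgent).OperationAPI
    $pfDir   = Join-Path $env:SystemRoot 'Prefetch'
    $pfCount = (Get-ChildItem -Path $pfDir -Filter '*.pf' -ErrorAction SilentlyContinue | Measure-Object).Count
    [pscustomobject]@{
        EnablePrefetcher = $enabled
        OperationAPI     = $api
        SysMainStatus    = $svc.Status
        PrefetchFiles    = $pfCount
        Ready            = ($enabled -eq 3 -and $svc.Status -eq 'Running')
    }
}

function Get-PrefetchSummary {
    param([string]$Path = (Join-Path $env:SystemRoot 'Prefetch'))

    foreach ($file in Get-ChildItem -Path $Path -Filter '*.pf' -ErrorAction SilentlyContinue) {
        $b = [System.IO.File]::ReadAllBytes($file.FullName)
        # Uncompressed files carry "SCCA" at offset 4; Windows 10's compressed "MAM" files are skipped here.
        if ($b.Length -lt 80 -or [Text.Encoding]::ASCII.GetString($b, 4, 4) -ne 'SCCA') { continue }
        $version = [int][BitConverter]::ToUInt32($b, 0)
        # Offset of the run counter per format version (17 = XP/2003, 23 = Vista/7, 26 = 8.x/2012)
        $runCountOffset = @{ 17 = 144; 23 = 152; 26 = 208 }[$version]
        if ($null -eq $runCountOffset -or $b.Length -lt $runCountOffset + 4) { continue }
        # Most recent run timestamp (FILETIME); version 26 keeps eight of them starting at 128
        $lastRunOffset = if ($version -eq 17) { 120 } else { 128 }
        [pscustomobject]@{
            File       = $file.Name
            Executable = [Text.Encoding]::Unicode.GetString($b, 16, 60).Split([char]0)[0]
            RunCount   = [BitConverter]::ToUInt32($b, $runCountOffset)
            LastRunUtc = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($b, $lastRunOffset))
        }
    }
}

Enable-ServerPrefetch
Test-ServerPrefetch
# After the server has been used for a while, this gives the executable timeline the post is after.
Get-PrefetchSummary | Sort-Object LastRunUtc -Descending | Format-Table -AutoSize
```

Test-ServerPrefetch is the part worth keeping around: run it from a scheduled job or a configuration baseline so a server that has silently lost its prefetch setting (a rebuild, a hardening script that stops SysMain) is noticed before an incident rather than during one.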

Posted in General
4 comments on “How to enable PreFetch in Windows Server”
  1. Jocke says:

    Hi,

    Is there any other downside to activating PreFetch on servers? Does it consume disk space, for example?


    • Not really. The storage used is usually less than a megabyte, and never a lot more. It is an extra service running, and it’s always good to keep those to a minimum. In this case, however, I think it’s well worth it.


  2. Greg says:

    You showed a PowerShell command to save the folder structure (on the server) to a file. Could you please share it?
