poorbillionaire / windows-prefetch-parser Goto Github PK

Hi,

The prefetch v30 present on Windows 10 use a LZXPRESS Huffman stream to compress the data like superfetch on Win7. Is it possible to include a python library which decompress this format instead of using windows API ?

Thanks

Currently, the sanity checks for Prefetch files are:

if file exists:
if file ends with ".pf":
if filesize > 0:
if first four bytes are a valid prefetch type:
parse the file

What I need to do is add better handling of invalid data. For the first time today I encountered a random Prefetch file which did not contain Prefetch data. Instead, it contained data related to A/V software running on the machine.

For the first time today I encountered some empty prefetch files. This breaks my script in pretty much every way, so I'll be working to correct this today.

Hello,
I just installed the windows prefetch parser and did everything like it is explained. But when I run the command I get a syntax error can somebody help me to solve this problem ?

The command that I ran is : prefetch.py -f CALC.EXE-3FBEF7FD.PF

the syntax error is at line 354
print "\n{0}\n{1}\n{0)\n".format(banner, ntpath.basename(self.pFilename))

Won't parse any of the given *.pf files.
Went over the source code several times. Picked up on a few bugs; but still no success.

Regards,
Frank

I'm running it in Cygwin.

When parsing the type 30 Volumes section, the Volume path is being incorrectly parsed, resulting in the following output:

==========
PING.EXE
==========

Run count: 2
Last executed: 2015-11-12 01:02:00.831256
Additional execution timestamp(s):
    2015-11-10 03:17:28.533234

Σ��∞Γ��╬Γ��PΓ��OLUME{01d11b57aa4f5b10-e8aabf9f}��[k╛�Σ�H∙�L:�TΓ��kΣ��┴ß��├ß��¿▌���Γ��
Volume serial number e8aabf9f

[ - ] 'module' object has no attribute 'windll'
[ - ] Windows 8+ required for this script to decompress Win10 Prefetch files

It would be nice to see this published to the python package server and make install-able by creating a setup.py file?