Here is a quick and dirty program to parse a prefetch file and output some important information. It is currently only a command-line program and does not use a database or scan the prefetch directory (I know I am slacking; those would be good improvements to make and pretty easy). What it will do is parse the prefetch file and give you the standard information that other programs give, i.e. the embedded date, the number of times run and the executable name, plus a list of directories and files that are/have been loaded. The program can be found here.
To run the program, just type:
prefetch_info.exe <directory/prefetch file name>
Here is an example of the output for the following prefetch file: AID4MAIL.EXE-1EE932F2.pf. One thing to note is where the AID4MAIL.EXE program was run from: kinda cool to see that it did not run from the hard drive of my laptop but from a USB thumb drive.
You can also see what song I was listening to when I ran the AID4MAIL program as well (you can search for that one).
As always, questions/comments/thoughts?
File Name that was run AID4MAIL.EXE
Date/Time prefetch file was created Thu Feb 28 02:16:21 2008
Date/Time prefetch file was modified Thu Feb 28 02:16:21 2008
Date/Time prefetch file was last accessed Thu Feb 28 02:16:21 2008
File AID4MAIL.EXE was run 1 times
AID4MAIL.EXE Embeded date/time is Thu Feb 28 02:16:11 2008
List of files and Directories whose pages are to be loaded
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTDLL.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNEL32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\UNICODE.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\LOCALE.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SORTTBLS.NLS
\DEVICE\HARDDISK3\DP(1)0-0+8\AID4MAIL\AID4MAIL.EXE
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\USER32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\GDI32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\IMM32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\ADVAPI32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RPCRT4.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\LPK.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\USP10.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSVCRT.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CTYPE.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\AMINIT.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SORTKEY.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\TEMP\AEXAM\AEXFD.TMP
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\OLEAUT32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\OLE32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MPR.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\VERSION.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2982_X-WW_AC3F9C03\COMCTL32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SHLWAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINDOWSSHELL.MANIFEST
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINSPOOL.DRV
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SHELL32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\COMDLG32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINMM.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\ENTAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\PSAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NETAPI32.DLL
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NETWORK ASSOCIATES\BOPDATA\_DATE-20080227_TIME-171047859_ENTERCEPTEXCEPTIONS.DAT
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NETWORK ASSOCIATES\BOPDATA\_DATE-20080227_TIME-171047859_ENTERCEPTRULES.DAT
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\UXTHEME.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSCTFIME.IME
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RPCSS.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WDMAUD.DRV
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SETUPAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINTRUST.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CRYPT32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSASN1.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\IMAGEHLP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSACM32.DRV
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSACM32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MIDIMAP.DLL
\DEVICE\HARDDISKVOLUME2\$MFT
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\APPHELP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CLBCATQ.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\COMRES.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\REGISTRATION\R000000000013.CLB
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\TORTOISESVN.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WININET.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\LIBAPR_TSVN.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WS2_32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WS2HELP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSWSOCK.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.762_X-WW_6B128700\MSVCR80.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\LIBAPRUTIL_TSVN.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\LIBAPRICONV_TSVN.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\INTL3_SVN.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.762_X-WW_6B128700\MSVCP80.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SHFOLDER.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\ICONV\WINDOWS-1252.SO
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\ICONV\_TBL_SIMPLE.SO
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\ICONV\UTF-8.SO
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CSCUI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CSCDLL.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RICHED32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RICHED20.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WIN.INI
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\USERENV.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\DRPROV.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTLANMAN.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NETUI0.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NETUI1.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NETRAP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SAMLIB.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\DAVCLNT.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTSHRUI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\ATL.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WPDSHEXT.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.0.2600.2180_X-WW_522F9F82\GDIPLUS.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\PORTABLEDEVICEAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\AUDIODEV.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WMVCORE.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WMASF.DLL
\DEVICE\HARDDISKVOLUME2\MARK\ITUNES\EMINEM\CURTAIN CALL - THE HITS (EDITED VERSION)\SHAKE THAT (EDITED VERSION).M4A
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSIMTF.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SECUR32.DLL
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\Mark\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\Mark\COOKIES\INDEX.DAT
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\Mark\LOCAL SETTINGS\HISTORY\HISTORY.IE5\INDEX.DAT
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RASAPI32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RASMAN.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\TAPI32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RTUTILS.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSV1_0.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\IPHLPAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SENSAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSCTF.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\URLMON.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MLANG.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WSOCK32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\HNETCFG.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WSHTCPIP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\DNSAPI.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\BONJOUR\MDNSNSP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RASADHLP.DLL
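The fields in the output above can be read directly from the prefetch file. The Python below is an added example, not the author's prefetch_info program: it parses them from a Windows XP prefetch buffer and picks out loaded paths that are not on the system volume, as with the AID4MAIL.EXE path. Assumptions: the header offsets come from public documentation of the version 17 (XP/2003) format and are not stated in the post, the sample buffer is constructed, and the embedded time is treated as UTC.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def parse_xp_prefetch(data):
    """Parse run count, embedded time, name and file list from a v17 .pf buffer."""
    if len(data) < 0x98:
        raise ValueError("too short for a version 17 prefetch header")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA" or version != 17:
        raise ValueError("not a version 17 (XP/2003) prefetch file")
    # Offsets below are assumptions from public format notes, not from the post.
    exe = data[0x10:0x4C].decode("utf-16-le", "replace").split("\x00", 1)[0]
    str_off, str_len = struct.unpack_from("<II", data, 0x64)
    if str_off + str_len > len(data):
        raise ValueError("filename block runs past end of file")
    (ticks,) = struct.unpack_from("<Q", data, 0x78)      # 100 ns units
    (run_count,) = struct.unpack_from("<I", data, 0x90)
    names = data[str_off:str_off + str_len].decode("utf-16-le", "replace")
    return {"exe": exe, "run_count": run_count,
            "embedded_utc": EPOCH_1601 + timedelta(microseconds=ticks // 10),
            "files": [n for n in names.split("\x00") if n]}

def off_volume(files, system_device):
    """Return loaded paths that are not on the given system volume device."""
    prefix = system_device.upper() + "\\"
    return [f for f in files if not f.upper().startswith(prefix)]

def build_sample():
    """Constructed sample: a minimal v17 buffer, not a real prefetch file."""
    paths = [r"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTDLL.DLL",
             r"\DEVICE\HARDDISK3\DP(1)0-0+8\AID4MAIL\AID4MAIL.EXE"]
    blob = "".join(p + "\x00" for p in paths).encode("utf-16-le")
    when = datetime(2008, 2, 28, 2, 16, 11, tzinfo=timezone.utc)  # treated as UTC
    buf = bytearray(0x98) + blob
    struct.pack_into("<I4s", buf, 0, 17, b"SCCA")
    buf[0x10:0x10 + 24] = "AID4MAIL.EXE".encode("utf-16-le")
    struct.pack_into("<II", buf, 0x64, 0x98, len(blob))
    struct.pack_into("<Q", buf, 0x78, int((when - EPOCH_1601).total_seconds()) * 10**7)
    struct.pack_into("<I", buf, 0x90, 1)
    return bytes(buf)

if __name__ == "__main__":
    info = parse_xp_prefetch(build_sample())
    print(info["exe"], info["run_count"], info["embedded_utc"])
    print(off_volume(info["files"], r"\DEVICE\HARDDISKVOLUME2"))
```

Later Windows versions use other format versions with different offsets, so the version check rejects them rather than misreading the fields.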
Wednesday, February 27, 2008
Prefetch Information
NoteCase For Those Case Notes and Outlines
While I was surfing for something to create a task-type list, I came across this software, the NoteCase note manager. It can be found here. Here is their brief description from their site:
NoteCase is a hierarchical note manager (aka. outliner). It helps you organize your everyday text notes into a single document, with individual notes placed in the tree-like structure (each note can have its sub-notes, ...). To ensure your privacy, encrypted document format is supported, along with standard unencrypted format. Project is free and open source.
After choosing which version to download (I went with the Windows portable version so I can take it with me) and installing it, I started to play around with it. This is a pretty cool open source project. What it allows you to do is create an outline (a series of expandable nodes) and add text, pictures, links and attachments to each node. You can add a date/time entry and also cross out entries as you create them. If saving your file encrypted is an option you want, you can do that too. You can even export to HTML, text and even an executable. If you want to use a language other than English, you have your choice of 33 other languages. I blogged last year about TiddlyWiki and how it was nice to have something to carry with you to take notes and so forth, and I would rate this product right up there with TiddlyWiki, especially since it does so many languages (looking at where you readers are, I can see where the other languages would come in handy).
Thoughts/comments/questions?
Addendum, Feb 28, 2008
I forgot to mention that NoteCase is available for all these platforms:
Linux/Unix (with GTK+ 2.x installed)
Windows 9x/2000/XP/Vista
Mac OS X
Free BSD (available elsewhere on Internet)
Sharp Zaurus platform (running pdaxrom or angstrom Linux distro)
Nokia Maemo platform (Nokia N770/N800)
Nokia Maemo OS2008 platform (Nokia N800/N810)