"True" portability vs Windows Prefetch?

cde
Joined: 2005-12-12 10:07
"True" portability vs Windows Prefetch?

I'm on a Mac at the moment, so I can't test this myself, but it just occurred to me...

As far as I know, every .exe launched in WinXP (and later) will result in a corresponding entry in the WINDOWS\Prefetch folder. This file will certainly indicate the date & time the .exe was active, and presumably has some encoded information regarding the .exe itself - its location on disk, and which disk, is probably stored but may not be readily legible to the human eye.

My point is this: Many people here go to great lengths to point out that some apps (notably TrueCrypt) are not "Truly portable", because they leave some traces. Also people seem keen to have security-related apps, sometimes including unerase tools, secure deletion tools and apps to clean up traces of their activity on the host PC.

So, we can assume that at least one person here is concerned that their activity should be totally private. If portable apps leave behind a .pf file, surely the owner of a host PC (if suspicious or concerned) could quickly check and say "hey, you ran Eraser, TrueCrypt and Restoration on my machine when you said you were just checking mail and banking online".

Sure, the reply could be "yes, I keep my banking data encrypted and wanted to safely wipe my cookies, and, er, unerase my, er, something", but still this trace could be "incriminating" in the eyes of Portable users who like to vanish without a trace.

Would it be feasible for a Portable App launcher to remove just the relevant PF files before removing the USB device, perhaps backing up and restoring pre-existent files so that nothing appears changed? Could be interesting...

Ryan McCue
Joined: 2006-01-06 21:27
Well,

as far as I know, the .pf files are deleted without a trace after closing unless you launch with /Prefetch:1
----
R McCue

"If you're not part of the solution, you're part of the precipitate."

wsm23
Joined: 2006-01-09 22:05
Not true.

I just checked my WINDOWS/Prefetch files and I have .pf files in there from Portable Apps that I have run up to 2 weeks old.

Life is about the journey not the destination!

The Kazoo Spartan

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
About a month

The prefetch folder is cleaned automatically... I think once files haven't been used for a month they are deleted.

Sometimes, the impossible can become possible, if you're awesome!

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
Yes and No

You could have the app launchers clean up prefetch. It'll fail if you don't have admin privs, though. And the /Prefetch:1 command isn't a Windows command... it just does some stuff for specific MS apps internally... so it isn't of use outside. All portable apps have this issue... whether run from a removable drive or a CDR or a U3 device.

Sometimes, the impossible can become possible, if you're awesome!

Bruce Pascoe
Joined: 2006-01-15 16:14
...

Actually, the /prefetch switch is a low-level thing. Windows passes it along to the application, yes, but it's interpreted by the OS first.

This is exactly what it does (quoting from edbott.com):
The /prefetch:# flag is looked at by the OS when we create the process--however, it has one (and only one) purpose. We add the passed number to the hash. Why? WMP is a multipurpose application and may do many different things. The DLLs and code that it touches will be very different when playing a WMV than when playing a DVD, or when ripping a CD, or when listening to a Shoutcast stream, or any of the other things that WMP can do. If we only had one hash for WMP, then the prefetch would only be correct for one such use. Having incorrect prefetch data would not be a fatal error — it’d just load pages into memory that’d never get used, and then get swapped back out to disk as soon as possible. Still, it’s counterproductive. By specifying a /prefetch:# flag with a different number for each “mode” that WMP can do, each mode gets its own separate hash file, and thus we properly prefetch.

Because /prefetch gets passed through to the program, however, it can actually crash some poorly-written applications that aren't expecting it.

-
fatcerberus@yahoo.com  [aim: fatcerberus]
I have no witty remarks or quotes to share at the moment.

cde
Joined: 2005-12-12 10:07
Possible solution?

John, your comment about /prefetch:1 made me think - adding

/prefetch:0

via a shortcut or batch file should disable prefetching for an app "just this once". Now I'm not sure if prefetch-slash-anything will work for non-admins, I assume it should, and I don't know if this would affect, say, the existing Firefox .pf file (even if :0 deletes the file, that would be minimal "evidence" of activity).

To clarify a little, it seems the prefetch folder empties out the longest-unused entry when it contains 100 (200? I forget) files and encounters a new app.

So provisionally, would it not be possible to integrate an anti-prefetch line into launchers, to aim autorun.inf files at a shortcut or batch file with anti-prefetch measures in place, and essentially hack every Portable App start process in an attempt to leave no trace?

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
No

The /Prefetch: is NOT a Windows switch. It's all an old wives' tale (or a young geek's tale). /Prefetch is only used by Windows Media Player internally. It has absolutely no effect on any of the portable apps. Any website that tells you to add /Prefetch to a shortcut doesn't know what they're talking about.

Sometimes, the impossible can become possible, if you're awesome!

Ashes for Tears
Joined: 2006-01-11 08:41
as for permission info...

UserRights 1.01 from Max2K.com. You will have to wrap the reg entries though.

cde
Joined: 2005-12-12 10:07
fair enough

I had no idea the Prefetch myth had so little grounding! I knew it was not as described by all those sites that yell "Windows starts faster! Windows starts slower!" but to have grown into such a staple of home-grown "XP support" pages...?

Wow, people are dumb. And I bought a slice.

Bruce Pascoe
Joined: 2006-01-15 16:14
...

Also incorrect. /prefetch works for all applications (it is a Windows thing); most people just misunderstand its purpose. You can read my post above for specifics, but basically what it does is combine the passed number with the hash at the end of the .pf file's filename, so different program modes can have different .pf files. Windows Media Player seems to be the only program around that makes use of it, but that doesn't mean it's WMP-specific.

-
fatcerberus@yahoo.com  [aim: fatcerberus]
I have no witty remarks or quotes to share at the moment.
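What a .pf file records, as raised in the opening post (run time, executable identity) and in the posts above about the hash in the filename, shown as an added example that is not part of any poster's message. It reads the uncompressed XP (version 17) and Vista/7 (version 23) header using the publicly documented SCCA field offsets; the function names and the sample bytes are constructed for this illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# format version -> (last-run FILETIME offset, run-count offset)
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98)}

def parse_pf(name, data):
    """Return the execution evidence held in one uncompressed .pf file."""
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA" or version not in LAYOUT:
        raise ValueError("not a supported prefetch file")
    # Executable name: UTF-16LE, NUL-terminated, 60-byte field at 0x10.
    exe = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, 0x4C)
    run_off, count_off = LAYOUT[version]
    (filetime,) = struct.unpack_from("<Q", data, run_off)
    (run_count,) = struct.unpack_from("<I", data, count_off)
    # The filename is EXENAME-HASH.pf; a mismatch suggests a renamed file.
    name_exe, _, name_hash = name.rsplit(".", 1)[0].rpartition("-")
    try:
        same = name_exe.upper() == exe.upper() and int(name_hash, 16) == path_hash
    except ValueError:
        same = False
    return {
        "exe": exe,
        "hash": f"{path_hash:08X}",
        "last_run": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
        "run_count": run_count,
        "name_matches": same,
    }

def build_sample(exe, path_hash, when, runs):
    """Constructed version-17 header for the demo; not a real capture."""
    buf = bytearray(0x98)
    struct.pack_into("<I4s", buf, 0, 17, b"SCCA")
    raw = exe.encode("utf-16-le")
    buf[0x10:0x10 + len(raw)] = raw
    struct.pack_into("<I", buf, 0x4C, path_hash)
    ticks = int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000
    struct.pack_into("<Q", buf, 0x78, ticks)
    struct.pack_into("<I", buf, 0x90, runs)
    return bytes(buf)

if __name__ == "__main__":
    ts = datetime(2006, 1, 20, 14, 30, tzinfo=timezone.utc)
    sample = build_sample("TRUECRYPT.EXE", 0x1A2B3C4D, ts, 3)
    print(parse_pf("TRUECRYPT.EXE-1A2B3C4D.pf", sample))
```

Later Windows versions store these files compressed, so this parser rejects them rather than guessing at the layout.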

Ryan McCue
Joined: 2006-01-06 21:27
Yep.

And APC said about it. Looks bad on their part.
----
R McCue

"If you're not part of the solution, you're part of the precipitate."

Topic locked