"True" portability vs Windows Prefetch?

cde
"True" portability vs Windows Prefetch?

I'm on a Mac at the moment, so I can't test this myself, but it just occurred to me...

As far as I know, every .exe launched in WinXP (and later) will result in a corresponding entry in the WINDOWS\Prefetch folder. This file will certainly indicate the date & time the .exe was active, and presumably has some encoded information regarding the .exe itself - its location on disk, and which disk, is probably stored but may not be readily legible to the human eye.

My point is this: Many people here go to great lengths to point out that some apps (notably TrueCrypt) are not "Truly portable", because they leave some traces. Also people seem keen to have security-related apps, sometimes including unerase tools, secure deletion tools and apps to clean up traces of their activity on the host PC.

So, we can assume that at least one person here is concerned that their activity should be totally private. If portable apps leave behind a .pf file, surely the owner of a host PC (if suspicious or concerned) could quickly check and say "hey, you ran Eraser, TrueCrypt and Restoration on my machine when you said you were just checking mail and banking online".

Sure, the reply could be "yes, I keep my banking data encrypted and wanted to safely wipe my cookies, and, er, unerase my, er, something", but still this trace could be "incriminating" in the eyes of Portable users who like to vanish without a trace.

Would it be feasible for a Portable App launcher to remove just the relevant PF files before removing the USB device, perhaps backing up and restoring pre-existent files so that nothing appears changed? Could be interesting...

Ryan McCue
Well,

as far as I know, the .pf files are deleted without a trace after closing unless you launch with /Prefetch:1
----
R McCue

"If you're not part of the solution, you're part of the precipitate."

wsm23
Not true.

I just checked my WINDOWS/Prefetch files and I have .pf files in there from Portable Apps that I have run up to 2 weeks old.

Life is about the journey not the destination!

The Kazoo Spartan

John T. Haller
About a month

The prefetch folder is cleaned automatically... I think once files haven't been used for a month they are deleted.

Sometimes, the impossible can become possible, if you're awesome!

stacoma
Try "IE Privacy Keeper TakeAlong Version"

You might want to try "IE Privacy Keeper TakeAlong Version" ... it has a setting under "System" that cleans out the Prefetch folder.

This program does lots of stuff to clean up tracks in IE, Firefox, and in Windows.

John T. Haller
Admin only

Cleaning up .pf files requires admin privs, so it won't really help.

Sometimes, the impossible can become possible, if you're awesome!

stacoma
I have run IEPK on a PC

I have run IEPK on a PC without admin rights and I received no warning message about not being authorized to clean the Prefetch folder, but I have never checked the folder on that PC either. Now for a dumb question :-| ... what's the fastest way to know what level of rights you have on a PC?

Some people say cleaning the Prefetch folder is supposed to help performance but I don't think that is true and is probably the opposite...it would just be good from a privacy standpoint, no?

John T. Haller
No benefit

There's no benefit to deleting the files in prefetch from a performance perspective. Windows discards them when they are unused automatically. Clearing it giving a benefit is one of those odd snake oil tales floating around. And anyone that tells you to add /Prefetch:1 to all your shortcuts doesn't know what they're talking about either.

You may be able to delete your own files from there within a limited acct. (Maybe I was thinking guest acct) Offhand, I can't think of a solid way to handle this on an individual app basis. Unless someone can decipher the numeric strings at the end. You could backup/restore the whole directory on start/end of your whole session, though. It would take a few seconds (I got 5MB in mine right now) but it should probably work.

Sometimes, the impossible can become possible, if you're awesome!

John T. Haller
Yes and No

You could have the app launchers clean up prefetch. It'll fail if you don't have admin privs, though. And the /Prefetch:1 command isn't a Windows command... it just does some stuff for specific MS apps internally... so it isn't of use outside. All portable apps have this issue... whether run from a removable drive or a CDR or a U3 device.

Sometimes, the impossible can become possible, if you're awesome!

Bruce Pascoe
...

Actually, the /prefetch switch is a low-level thing. Windows passes it along to the application, yes, but it's interpreted by the OS first.

This is exactly what it does (quoting from edbott.com):
The /prefetch:# flag is looked at by the OS when we create the process--however, it has one (and only one) purpose. We add the passed number to the hash. Why? WMP is a multipurpose application and may do many different things. The DLLs and code that it touches will be very different when playing a WMV than when playing a DVD, or when ripping a CD, or when listening to a Shoutcast stream, or any of the other things that WMP can do. If we only had one hash for WMP, then the prefetch would only be correct for one such use. Having incorrect prefetch data would not be a fatal error — it’d just load pages into memory that’d never get used, and then get swapped back out to disk as soon as possible. Still, it’s counterproductive. By specifying a /prefetch:# flag with a different number for each “mode” that WMP can do, each mode gets its own separate hash file, and thus we properly prefetch.

Because /prefetch gets passed through to the program, however, it can actually crash some poorly-written applications that aren't expecting it.

-
fatcerberus@yahoo.com  [aim: fatcerberus]
I have no witty remarks or quotes to share at the moment.

cde
Possible solution?

John, your comment about /prefetch:1 made me think - adding

/prefetch:0

via a shortcut or batch file should disable prefetching for an app "just this once". Now I'm not sure if prefetch-slash-anything will work for non-admins, I assume it should, and I don't know if this would affect, say, the existing Firefox .pf file (even if :0 deletes the file, that would be minimal "evidence" of activity).

To clarify a little, it seems the prefetch folder empties out the longest-unused entry when it contains 100 (200? I forget) files and encounters a new app.

So provisionally, would it not be possible to integrate an anti-prefetch line into launchers, to aim autorun.inf files at a shortcut or batch file with anti-prefetch measures in place, and essentially hack every Portable App start process in an attempt to leave no trace?

John T. Haller
No

The /Prefetch: is NOT a Windows switch. It's all an old wives' tale (or a young geek's tale). /Prefetch is only used by Windows Media Player internally. It has absolutely no effect on any of the portable apps. Any website that tells you to add /Prefetch to a shortcut doesn't know what they're talking about.

Sometimes, the impossible can become possible, if you're awesome!

Ashes for Tears
as for permission info...

UserRights 1.01 from Max2K.com. You will have to wrap the reg entries though.

stacoma
Thanks

Thanks for the program link AFT...
"'Wrap' the reg entries" ? You mean clean the registry of evidence of the program being run? :)

Ashes for Tears
Not quite...

No, not of being run, just settings and system changes (i.e., the adding of registry entries), but without all the work. ;) Duece's Registry Rapper should work real well in a pinch. If you have a few more minutes to spare, though, I would recommend his QuickPort NSIS Template; you'll end up with a customized, shiny new launcher for the prog. :)

cde
fair enough

I had no idea the Prefetch myth had so little grounding! I knew it was not as described by all those sites that yell "Windows starts faster! Windows starts slower!" but to have grown into such a staple of home-grown "XP support" pages...?

Wow, people are dumb. And I bought a slice.

Bruce Pascoe
...

Also incorrect. /prefetch works for all applications (it is a Windows thing); most people just misunderstand its purpose. You can read my post above for specifics, but basically what it does is combine the passed number with the hash at the end of the .pf file's filename, so different program modes can have different .pf files. Windows Media Player seems to be the only program around that makes use of it, but that doesn't mean it's WMP-specific.

-
fatcerberus@yahoo.com  [aim: fatcerberus]
I have no witty remarks or quotes to share at the moment.
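
How the owner of a host PC or a forensic examiner would read the folder this thread is about, as an added example that is not part of any poster's message: it parses `EXENAME-HASH.pf` names, lists what was run since a cutoff, and flags executables that own more than one hash, which is the effect described above for /prefetch:#. The listing, its hash values and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Prefetch entries are named EXENAME-XXXXXXXX.pf; the suffix is the hash the
# posts above refer to. Other files in the folder (Layout.ini) do not match.
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

# Constructed sample listing of (file name, last-modified time); the hash
# values are made up for illustration and do not come from a real machine.
SAMPLE_LISTING = [
    ("FIREFOX.EXE-0A1B2C3D.pf", "2006-01-02 09:12:44"),
    ("WMPLAYER.EXE-11112222.pf", "2006-01-05 20:30:00"),
    ("WMPLAYER.EXE-11112223.pf", "2006-01-06 21:15:09"),
    ("TRUECRYPT.EXE-3C4D5E6F.pf", "2006-01-16 14:05:31"),
    ("ERASER.EXE-7A8B9C0D.pf", "2006-01-16 14:20:02"),
    ("Layout.ini", "2006-01-16 14:21:00"),
]


def parse_pf_name(name):
    """Return (executable, hash) for a Prefetch file name, or None."""
    m = PF_NAME.match(name)
    return (m.group("exe").upper(), m.group("hash").upper()) if m else None


def run_timeline(listing, since):
    """Executables whose .pf entry was written at or after `since`, oldest first."""
    cutoff = datetime.strptime(since, "%Y-%m-%d %H:%M:%S")
    hits = []
    for name, stamp in listing:
        parsed = parse_pf_name(name)
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if parsed and when >= cutoff:
            hits.append((when, parsed[0], parsed[1]))
    return [(exe, h, when.isoformat(sep=" ")) for when, exe, h in sorted(hits)]


def multi_hash_executables(listing):
    """Executables that own more than one .pf file (more than one hash)."""
    hashes = defaultdict(set)
    for name, _ in listing:
        parsed = parse_pf_name(name)
        if parsed:
            hashes[parsed[0]].add(parsed[1])
    return {exe: sorted(h) for exe, h in hashes.items() if len(h) > 1}
```

Two hashes under one executable name can also mean the same program was started from two different paths, so a portable copy run from a removable drive shows up beside the installed one.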

Ryan McCue
Yep.

And APC said about it. Looks bad on their part :P
----
R McCue

"If you're not part of the solution, you're part of the precipitate."

stacoma
Just a privacy issue

So cleaning out the Prefetch only offers privacy protection it seems. That's something IEPK can do if the computer you are on doesn't restrict it.

Ashes for Tears
So will this...

So will this, and a whole host of other things besides. Keep in mind, though, it's very likely the sys admin in charge of the machine you're on has restricted this kind of action.

DiskCleaner

Topic locked