Expand description
Pure-Rust, read-only Windows Prefetch (.pf) reader.
Windows 8.1/10/11 store prefetch compressed with a MAM (Xpress-Huffman)
wrapper; the decompressed payload is the classic SCCA structure. This crate
decodes both, cross-platform, with no Windows API dependency.
decompress— MAM wrapper → raw SCCA bytes (Xpress-Huffman via thexpress_huffmancrate).parse— full SCCA v30/31 →PrefetchInfo.
Structs§
- Prefetch
Info - The forensically-salient contents of a Windows prefetch file.
- Volume
Info - A volume referenced by a prefetch file’s
VolumeInformationblock.
Enums§
- Prefetch
Error - Errors decoding a prefetch file.
Constants§
- SCCA_
SIGNATURE - Decompressed SCCA payload signature. It sits at byte offset 4 — the SCCA
header is
[u32 version][b"SCCA"]…(version values: 17 XP, 23 Vista/7, 26 Win8.1, 30 Win10, 31 Win11). - SCCA_
SIGNATURE_ OFFSET - Byte offset of
SCCA_SIGNATUREwithin the decompressed payload.
Functions§
- decompress
- Decompress a (possibly MAM-wrapped) prefetch file into its raw
SCCAbytes. - parse
- Parse a prefetch file (
MAM-compressed or rawSCCA) intoPrefetchInfo. - parse_
decompressed - Parse an already-decompressed SCCA payload (version 30/31).