👋

I've been testing alongside @puffyCid's commits and providing feedback via Slack.

A few usability items I encountered which others might wish to weigh in on.

Currently the table takes on average 300+ seconds to return when running a SELECT * FROM prefetch, I presume the bulk of the performance impact is the processing of the files_accessed column. On my test Windows laptop my prefetch files have numerous entries with files_accessed containing 500+ comma separated items, with a highest value of 2029 files.

For this reason, I am wondering if we want to instead to pursue one of the following paths:

1. Parse files_accessed column only when it is included in the SELECT statement, either via making it a hidden column so it is not included in SELECT *'s, or simply skipping that aspect of the parsing only when a SELECT statement is written to not include it (eg. SELECT path, filename, last_execution_time FROM prefetch).
2. Split the table and make a separate discrete prefetch_files_accessed table which the rest of the existing prefetch can be joined against. This would have the added benefit of letting us return the files_accessed data in a standard tabular format vs a very large comma separated list. However, I expect it would be less performant than retrieving in a single table (as it is done currently).

The other consideration which perhaps someone can comment on is I observe a stark difference in response time between this osquery table and some other Prefetch tools (namely WinPrefetchView from NirSoft which parses all prefetch near instantly). When I run osquery in verbose mode I can see the prefetch files being parsed in a serial fashion, I wonder if there is some way to parallelize parsing when more than one prefetch file is being parsed (I know nothing about what limitations might make this impossible or unfeasible).

Otherwise, I am really pleased with how this is progressing and I am excited to put this new table to work in various places!

👋

I've been testing alongside @puffyCid's commits and providing feedback via Slack.

A few usability items I encountered which others might wish to weigh in on.

Currently the table takes on average 300+ seconds to return when running a SELECT * FROM prefetch, I presume the bulk of the performance impact is the processing of the files_accessed column. On my test Windows laptop my prefetch files have numerous entries with files_accessed containing 500+ comma separated items, with a highest value of 2029 files.

For this reason, I am wondering if we want to instead to pursue one of the following paths:

1. Parse files_accessed column only when it is included in the SELECT statement, either via making it a hidden column so it is not included in SELECT *'s, or simply skipping that aspect of the parsing only when a SELECT statement is written to not include it (eg. SELECT path, filename, last_execution_time FROM prefetch).
2. Split the table and make a separate discrete prefetch_files_accessed table which the rest of the existing prefetch can be joined against. This would have the added benefit of letting us return the files_accessed data in a standard tabular format vs a very large comma separated list. However, I expect it would be less performant than retrieving in a single table (as it is done currently).

The other consideration which perhaps someone can comment on is I observe a stark difference in response time between this osquery table and some other Prefetch tools (namely WinPrefetchView from NirSoft which parses all prefetch near instantly). When I run osquery in verbose mode I can see the prefetch files being parsed in a serial fashion, I wonder if there is some way to parallelize parsing when more than one prefetch file is being parsed (I know nothing about what limitations might make this impossible or unfeasible).

Otherwise, I am really pleased with how this is progressing and I am excited to put this new table to work in various places!

just to follow up on this/awareness, during my testing on 4 different VMs the prefetch parsing finished in about ~20-25 seconds. ~200 files, with files_accessed column containing 100+ entries to a highest of 2,001.
I compared it to zimmerman's Prefetch parsing tool PEcmd which parsed all the files in about ~15-20 seconds.
Im curious if others also get longer times?
Regardless, 300 seconds is way too long, if thats a concern i can make the files_accessed and directories_accessed hidden if that will help?

Ok @puffyCid, do you mind running git pull and rebuilding with the changes I pushed? Let me know if the table is working as intended.

I think we should still investigate the decompression note I left (about not making a copy). And we should double check the runtime module loading behavior. I want to make sure we are consistent with how other places within osquery find and load modules at runtime.

Here is some sample code I wrote today that demonstrates using the structures based off of the documentation in the libscca project that you linked. Here I am showing file names in the header, file names in the info, and directories in the first volume (you can plop this in a console c++ project in visual studio) for both compressed and uncompressed prefetch. My main aim is more maintainable code, less code, and speed. Basically, if another developer has to revisit this code a year down the road, you want to help them as much as possible by removing complexity. This is in C but of course, you can easily transform it to C++. This code expects a file (see szFileName) under .\pf_samples.

#include <windows.h>
#include <stdio.h>

#define gle GetLastError

#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS 0
#endif

#define PREFETCH_SIGNATURE_COMPRESSED '\x04MAM' // MAM\0x4
#define PREFETCH_SIGNATURE 'ACCS' // SCCA

typedef NTSTATUS(WINAPI * RTLDECOMPRESSBUFFEREX)(
    USHORT CompressionFormat,
    PUCHAR UncompressedBuffer,
    ULONG  UncompressedBufferSize,
    PUCHAR CompressedBuffer,
    ULONG  CompressedBufferSize,
    PULONG FinalUncompressedSize,
    PVOID  WorkSpace
    );

typedef NTSTATUS(WINAPI * RTLGETCOMPRESSIONWORKSPACESIZE)(
    USHORT CompressionFormatAndEngine,
    PULONG CompressBufferWorkSpaceSize,
    PULONG CompressFragmentWorkSpaceSize
    );

RTLDECOMPRESSBUFFEREX RtlDecompressBufferEx;
RTLGETCOMPRESSIONWORKSPACESIZE RtlGetCompressionWorkSpaceSize;


#pragma pack(push, 1)
typedef struct _PREFETCH_COMPRESSED_HEADER
{
    DWORD Signature;
    DWORD TotalUncompressedSize;
    BYTE CompressedData[1]; // arbitrary size
} PREFETCH_COMPRESSED_HEADER, * PPREFETCH_COMPRESSED_HEADER;

typedef struct _PREFETCH_FILE_HEADER
{
    DWORD Version;
    DWORD Signature;
    DWORD Reserved1;
    DWORD FileSize;
    WCHAR FileName[30];
    DWORD Hash;
    DWORD Reserved2;
} PREFETCH_FILE_HEADER, * PPREFETCH_FILE_HEADER;

typedef struct _PREFETCH_FILE_INFORMATION
{
    DWORD FileMetricsArrayOffset;
    DWORD NumberOfMetricEntries;
    DWORD TraceChainsArrayOffset;
    DWORD NumberOfTraceChains;
    DWORD FileNameStringsOffset;
    DWORD FileNameStringsSize;          
    DWORD VolumeInformationOffset;
    DWORD NumberOfVolumes;
    DWORD VolumesInformationSize;   // don't care after this field...
    FILETIME LastRunTime;
    DWORD Reserved1[4];
    DWORD RunCount;
    DWORD Reserved2;
} PREFETCH_FILE_INFORMATION, * PPREFETCH_FILE_INFORMATION;

typedef struct _PREFETCH_VOLUME_INFORMATION
{
    DWORD VolumePathOffset;
    DWORD VolumeDevicePathNumberOfCharacters;
    FILETIME VolumeCreationTime;
    DWORD VolumeSerialNumber;
    DWORD FileReferencesOffset;
    DWORD FileReferencesDataSize;
    DWORD DirectoryStringsOffset;
    DWORD NumberOfDirectoryStrings; // don't care after this field...
    DWORD Reserved1;
} PREFETCH_VOLUME_INFORMATION, * PPREFETCH_VOLUME_INFORMATION;

typedef struct _DIRECTORY_STRING
{
    USHORT Size;
    WCHAR Directory[1];
} DIRECTORY_STRING, * PDIRECTORY_STRING;

#pragma pack(pop)

const wchar_t szFileName[] = L".\\pf_samples\\CALC.EXE-77FDF17F.pf";
//const wchar_t szFileName[] = L".\\pf_samples\\ACRORD32.EXE-41B0A0C7.pf";

BOOL DecompressLZxpress(PBYTE pCompressedData,
                        const DWORD CompressedSize,
                        PUCHAR pUncompressedResult,
                        const DWORD TotalUncompressedSize)
{
    BOOL result = FALSE;
    DWORD FinalUncompressedSize;
    PVOID pFragment;

    ULONG CompressBufferWorkSpaceSize;
    ULONG CompressFragmentWorkSpaceSize;
    NTSTATUS status = RtlGetCompressionWorkSpaceSize(COMPRESSION_FORMAT_XPRESS_HUFF,
                                                     &CompressBufferWorkSpaceSize,
                                                     &CompressFragmentWorkSpaceSize);
    if (STATUS_SUCCESS == status)
    {
        pFragment = malloc(CompressFragmentWorkSpaceSize);
        if (NULL != pFragment)
        {

            status = RtlDecompressBufferEx(COMPRESSION_FORMAT_XPRESS_HUFF,
                                           pUncompressedResult,
                                           TotalUncompressedSize,
                                           pCompressedData,
                                           CompressedSize,
                                           &FinalUncompressedSize,
                                           pFragment);
            if (STATUS_SUCCESS == status)
            {
                result = TRUE;
            }

            free(pFragment);
        }
    }

    return result;
}

VOID ParseUncompressedPrefetch(PUCHAR pucUncompressedPrefetch, DWORD dwSize)
{
    PPREFETCH_FILE_HEADER pPrefetchFile = (PPREFETCH_FILE_HEADER)pucUncompressedPrefetch;

    if (PREFETCH_SIGNATURE == pPrefetchFile->Signature)
    {
        printf("File name: %ls\n", pPrefetchFile->FileName);
        printf("Prefetch version: %d\n", pPrefetchFile->Version);
        printf("Hash: %x\n", pPrefetchFile->Hash);

        PPREFETCH_FILE_INFORMATION pFileInfo = (PPREFETCH_FILE_INFORMATION)(pucUncompressedPrefetch + sizeof(PREFETCH_FILE_HEADER));

        if (pFileInfo->FileNameStringsSize > 0)
        {
            PWCHAR pFileNameString = (PWCHAR)(pucUncompressedPrefetch + pFileInfo->FileNameStringsOffset);
            while (*pFileNameString)
            {
                size_t len = wcslen(pFileNameString);
                printf("File Name: %ls\n", pFileNameString);
                pFileNameString += len + 1;
            }

        }


        if (pFileInfo->VolumesInformationSize > 0)
        {
            PPREFETCH_VOLUME_INFORMATION pVolumeInfo = (PPREFETCH_VOLUME_INFORMATION)(pucUncompressedPrefetch + pFileInfo->VolumeInformationOffset);
            if (NULL != pVolumeInfo)
            {
                if (pVolumeInfo->NumberOfDirectoryStrings > 0)
                {
                    PDIRECTORY_STRING pDirectoryString = (PDIRECTORY_STRING)((PUCHAR)pVolumeInfo + pVolumeInfo->DirectoryStringsOffset);
                    while (pDirectoryString->Size > 0)
                    {
                        printf("%ls\n", pDirectoryString->Directory);
                        pDirectoryString = (PDIRECTORY_STRING)(pDirectoryString->Directory + pDirectoryString->Size + 1);
                    }
                }
            }
        }
    }


}


DWORD ParsePrefetch(LPCWSTR pszFileName)
{
    DWORD le = NOERROR;
    HANDLE handle = CreateFile(pszFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

    if (INVALID_HANDLE_VALUE != handle)
    {
        DWORD FileSize = GetFileSize(handle, NULL);
        if (FileSize > 0)
        {
            PBYTE pFileData = (PBYTE)malloc(FileSize);
            PUCHAR pUncompressedResult;
            if (NULL != pFileData)
            {
                DWORD AmountRead;
                if (ReadFile(handle, pFileData, FileSize, &AmountRead, NULL) && FileSize == AmountRead)
                {
                    PPREFETCH_COMPRESSED_HEADER pCompressed = (PPREFETCH_COMPRESSED_HEADER)pFileData;
                    if (PREFETCH_SIGNATURE_COMPRESSED == pCompressed->Signature)
                    {
                        pUncompressedResult = (PUCHAR)malloc(pCompressed->TotalUncompressedSize);
                        if (NULL != pUncompressedResult)
                        {
                            if (DecompressLZxpress(pCompressed->CompressedData,
                                                   FileSize - FIELD_OFFSET(PREFETCH_COMPRESSED_HEADER, CompressedData),
                                                   pUncompressedResult, pCompressed->TotalUncompressedSize))
                            {
                                ParseUncompressedPrefetch(pUncompressedResult, pCompressed->TotalUncompressedSize);
                            }

                            free(pUncompressedResult);
                        }
                        else
                        {
                            le = ERROR_OUTOFMEMORY;
                        }

                    }
                    else
                    {
                        pUncompressedResult = pFileData;
                        ParseUncompressedPrefetch(pUncompressedResult, AmountRead);
                    }
                }
                else
                {
                    le = gle();
                }

                free(pFileData);
            }
            else
            {
                le = ERROR_OUTOFMEMORY;
            }
        }
        else
        {
            le = gle();
        }

        CloseHandle(handle);
    }
    else
    {
        le = gle();
    }

    return le;
}

int main()
{
    int result = NOERROR;
    RtlDecompressBufferEx = (RTLDECOMPRESSBUFFEREX)GetProcAddress(GetModuleHandle(L"NTDLL"), "RtlDecompressBufferEx");
    RtlGetCompressionWorkSpaceSize = (RTLGETCOMPRESSIONWORKSPACESIZE)GetProcAddress(GetModuleHandle(L"NTDLL"), "RtlGetCompressionWorkSpaceSize");

    if (RtlDecompressBufferEx && RtlGetCompressionWorkSpaceSize)
    {
        result = ParsePrefetch(szFileName);
    }
    else
    {
        result = ERROR_NOT_FOUND;
    }

    return 0;
}

Ok @puffyCid, do you mind running git pull and rebuilding with the changes I pushed? Let me know if the table is working as intended.

I think we should still investigate the decompression note I left (about not making a copy). And we should double check the runtime module loading behavior. I want to make sure we are consistent with how other places within osquery find and load modules at runtime.

@theopolis thanks for the feedback and updates. The table is working as intended.
I based the runtime module loading behavior off of windows_security_center.cpp

Here is some sample code I wrote today that demonstrates using the structures based off of the documentation in the libscca project that you linked. Here I am showing file names in the header, file names in the info, and directories in the first volume (you can plop this in a console c++ project in visual studio) for both compressed and uncompressed prefetch. My main aim is more maintainable code, less code, and speed. Basically, if another developer has to revisit this code a year down the road, you want to help them as much as possible by removing complexity. This is in C but of course, you can easily transform it to C++. This code expects a file (see szFileName) under .\pf_samples.

Thanks for the feedback and example, though i think ur overestimating my C translation skills a little bit lol 😅
I think the recent updates should have addressed all the comments?
I am working on another PR/feature though (adding jumplist support to windows) and im using ur suggestions of trying/using structs to manipulate/copy the data for that table

I understand that the lift I am asking for is substantial, but this lift significantly improves the readability and maintainability of this code for folks who may need to update this code in the future. Consider that your code will likely run on tens of thousands of machines.

1. ucharToString isn't appropriate here as I mentioned before as these are UTF-16 WCHARs (two-bytes per character) and NULL-terminated. Looking at the libscca documentation, there is a case of WCHAR[30], there is a case of WCHAR strings that are NULL separated, and there's a case of structures each with a length prefix followed by a WCHAR string.

2. The code has number offsets, e.g., data_view.substr(16, 60), data_view[12], data[100], data[108], etc. A developer who is not aware of libscca documentation will not know what fields each are and will not know how to update this code. Using structures with documented fields helps future developers grasp the code they are updating and speeds up maintenance.

I agree that the structure-based approach is best. Consider the example of me trying to improve performance. I was unsure if my changes effected correctness due to the fragility of having offsets.

I can port some of existing implementation to use the structures.

^ I did a small amount of porting to using the structures. I will revisit later tonight and see how much farther I can get.

This seems safer and is maintaining the performance of the existing approach.

^ I did a small amount of porting to using the structures. I will revisit later tonight and see how much farther I can get.

This seems safer and is maintaining the performance of the existing approach.

ok, thanks.
i can assist with rewriting it to use structs as well, not sure though if you already started on other parts though

Ok folks, the porting should be finished. Please review.

@puffyCid I made some changes to the table spec. The most significant change is removing the multi-execution recording. I am not sure if we should include this information, my feeling is we can stick with only including a single last-run-time. Please push back on me if you feel otherwise.

Ok folks, the porting should be finished. Please review.

@puffyCid I made some changes to the table spec. The most significant change is removing the multi-execution recording. I am not sure if we should include this information, my feeling is we can stick with only including a single last-run-time. Please push back on me if you feel otherwise.

@theopolis thanks for porting this! and @farfella thanks for the suggestions!
i think the multi-execution timestamps would be useful to have. They could provide additional timestamps to pivot on when investigating a system. For example, if rclone.exe (or any executable) was executed multiple times the previous timestamps could provide additional ways to pivot to see if other activity occurred (ex: additional files created, more event logs to query, etc).
Also for all of my PRs ive been following zimmermans development ethos/advice of: "It is not up to a developer to decide what is relevant to include or exclude." (to a certain extent).
So i think in this case since it would good to include, especially since timestamps r incredibly valuable.

Hey @puffyCid do you mind taking this PR back over? I won't have much time to make changes this week.