One more time: do not clean out your Prefetch folder!
Published June 1, 2005 by Ed Bott
Yet another Web site posted yet another “tip” today recommending that you clean out your Prefetch folder to improve performance of Windows. Arrrggghhh! I’ve written about this repeatedly (here and here and here, for instance), but the message doesn’t seem to be spreading very fast. Maybe this quote from “Misinformation and the Prefetch Flag” by Ryan Myers, a developer on Microsoft’s Windows Client Performance Team, will help:
XP systems have a Prefetch directory underneath the windows root directory, full of .pf files — these are lists of pages to load. The file names are generated from hashing the EXE to load — whenever you load the EXE, we hash, see if there’s a matching (exename)-(hash).pf file in the prefetch directory, and if so we load those pages. (If it doesn’t exist, we track what pages it loads, create that file, and pick a handful of them to save to it.) So, first off, it is a bad idea to periodically clean out that folder as some tech sites suggest. For one thing, XP will just re-create that data anyways; secondly, it trims the files anyways if there’s ever more than 128 of them so that it doesn’t needlessly consume space. So not only is deleting the directory totally unnecessary, but you’re also putting a temporary dent in your PC’s performance. [emphasis in original]
Bottom line: You will not improve Windows performance by cleaning out the Prefetch folder. You will, in fact, degrade Windows performance by cleaning out the Prefetch folder. I’ve done performance testing that establishes this definitively. In all the many sites that offer this bogus tip, I have yet to see a single piece of actual performance testing.
Oh, and for anyone who cites this TechRepublic article as a source, let me just say that it contains more serious factual errors than I can count. For instance:
As you boot your workstation or access programs on your workstation, XP’s prefetcher copies portions of those files to the Prefetch area of your hard drive.
That’s completely wrong. The files in the Prefetch folder contain lists of pages that that should be loaded when a program starts. Each file is essentially an index. Windows XP doesn’t copy portions of any files to the Prefetch folder.
When your workstation boots, XP prefetches portions of the files you use most frequently and has any application you’ve recently run waiting and ready to go.
This is equally absurd. If this were true, it would mean that Windows was actually loading into memory every program you’ve ever used, every time you start Windows. That’s not the way it works at all. When your PC starts up, Windows looks in the Prefetch folder to determine how best to load Windows. It doesn’t do a thing with the .pf files for applications (unless, of course, you’ve configured one of those apps to start up with Windows).
If you’re frequently using the same few applications over and over again, prefetching can greatly increase the apparent speed of a system. Rather than waiting for you to click an icon to start a program, and then loading all of the associated files, libraries, and pointers necessary to run the program, XP has all the components of your programs preloaded. When you click an icon to start the program, most of the hard work is already done.
The author just made this up. The .pf files don’t get used at all until you run a program. What actually happens when you click an icon is that Windows uses the information in the Prefetch folder to decide which program segments to load and in what order to load those pages. There’s plenty of documentation for this, including Ryan Myers’ article and this definitive article by Mark Russinovitch and David Solomon, Windows XP Kernel Improvements Create a More Robust, Powerful, and Scalable OS.
The drawback to prefetching is that XP will prefetch a program even if you use it only once or twice. XP will retain a copy of a portion of it in the Prefetch folder. From there, it will prefetch the program, taking resources from your workstation even though you may have no intention of ever using the program again.
Again, the author just pulled this out of who-knows-where. When you run a program, Windows creates a .pf file for it in the Prefetch folder. When you run the program again, Windows looks for this .pf file and uses it to determine how to load the program. The hash doesn’t contain any portion of the original program code. If you never run the program again, that .pf file never gets used, and in fact it gets deleted eventually.
I used to write for TechRepublic. I’ve tried to contact someone there to get them to correct this silly article but have yet to receive a response. It would be really, really great if some of the other sites that have propagated this urban legend would also correct it.
One more time: do not clean out your Prefetch folder!
The truth about prefetching. Clearing out your prefetch folder now and again does not improve performance….
Yet another great benefit of prefetch is that XP uses .pf files to create and update the layout.ini file. XP’s disk defragmenter then uses layout.ini to optimize the placing of certain boot and application files on the outside of your hard disk. It does this each time you run disk defragmenter manually and also automatically in the background no less often than every third day. This causes your computer to boot up and load applications faster.
The horrid Prefetch meme seems to get tossed out every 12-15 months. Thanks Ed, for continuing to cut this myth down every time it pops up.
Just curious about “edbott”. As you can see, my address starts with “ebott”, an abreviation of my name.
What is the story about “edbott”?
ed
The Point of clearing the predfetch folder is, that if you install new software and afterwards deinstall it, windows will still try to optimize the disk for the non-existing software. Of course, there is no point in flushing this folder daily, but after a month or two it IS quite useful and speeding up the system. On my test-system where I have to install many different software-packages, the boottime decreased from 20secs to only 7!
After a month or two, Windows automatically removes unused entries. So there’s no need to clean this folder.
You can delete it if you made big changes otherwise the layout.ini will have a lot of old data.
1. Delete all the files in the folder
2. Turn on the Task Schedule service to automatic and start it if it isn’t already.
3. Open a cmd window and type or paste this:
Rundll32.exe advapi32.dll,ProcessIdleTasks
4. The folder will be rebuilt with the current apps and drivers.
Also:
HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Session Manager \ Memory Management \ PrefetchParameters
dword value = EnablePrefetcher
0 = Disable,
1 = App launch prefetch
2 = Boot Prefetch
3 = Both (recommended)
My recommendation for the prefetcher is based on the amount of RAM that you have:
128MB - Disabled (reg value 0)
256MB - Boot only (reg value 1)
512MB or more - Both (reg value 3)
Superfetch, Prefetch, and Windows Performance
Last week, the Inquirer posted a letter in response to an article they wrote about Microsoft’s claims that the next version of Windows (codenamed Longhorn, officially named Vista - at least for now) would have better performance than Windows XP….
The quality of articles posted on Tech Republic has degraded over the last few years to the point that I only use them as an indicator of possible research I might need to do on subjects. As an original source for operating and networking information, verify anything you see on the site with a known trusted source before even wasting your time.
I liked this comment because there has been a lot of waffle about improving prefetch. Hwoever when I checked the Registry Dword value for my system I found it was set to 5, which is not mentioned, not the recommended 3
My system has P4 3.4Ghz with x10 large cache SATA disks boots in 1 minute to 1 minute ten seconds so it would seem PF is OK.
May be the PF value is set by the defragger PerfectDisk?
John
John, are you sure that you didn’t make this setting yourself at some time in the past, perhaps following advice on some “tweaking” site? I’ve seen this one a lot, but have seen zero credible documentation that it is supported, much less effective.
Yeah, I too agree about this hoax. The only thing I do regarding the Prefetch folder is that I delete those various “setup.exe-hash.pf” files, i.e. the ones from few of my programs that gets updated frequently and so I use a different executable with the same name each time, i.e. on each installation/updating. Then I also delete .pf files of various temporary processes’ files, although those are rarely created/run on my system. And finally I delete those orphaned .pf files from executables that I moved after the new .pf file was already created (with new file’s location), however, I know that OS would delete them by itself after time. I am just a “maintainance maniac”.
Then regarding what data that these files contain, I guess it’s quite obvious that they don’t “pre-load” anything (or whatever), they just contain a list of directories, OS-libraries that executable loads/maps/hooks on the execution (not sure which term is appropriate) and other non-OS libraries that are called or better dynamicly/delay-loaded during run-time by executable in question (I assume this because .pf files are created AFTER the respective process is closed and not ON or right after the execution) with regard to device, i.e. with regard to the hard-disk volume on which they reside, so it is only a some kind of map.
Few lines from AntiVir’s “AVGUARD.EXE-17927959.pf”:
AVGUARD.EXE
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTDLL.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNEL32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\UNICODE.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\LOCALE.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SORTTBLS.NLS
\DEVICE\HARDDISKVOLUME2\PROGRAMS\AVPERSONAL\AVGUARD.EXE
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WS2_32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSVCRT.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WS2HELP.DLL
regards, Ivan Tadej
P.S., Sorry for my somehow much too long signature in the other comment (I did that totally by mistake, i.e. a copy/paste “fault”):
Ed Bott: Why I don’t use registry cleaners
http://www.edbott.com/weblog/archives/000643.html
Ed,
Thankyou for clearing this up. I was able to test this by simply using a stopwatch and found that the applications which had their associated .PF deleted took anywhere from 50-100% longer to startup.
One of the Utilities I recommend in my Optimize XP Guide
http://mywebpages.comcast.net/SupportCD/OptimizeXP.html
CCleaner has recently been suckered in by this myth and added “Old Prefetch Data” as a cleaning option. When run it simply deletes .PF files that are over 2 weeks old based on their creation date. You can clearly see how this will cripple all of your applications startup times.
I have tried in Vain to get them to change it but they simply will not listen and delete or lock any thread I start on the topic in their forums. They do not even allow anyone to explain how it works. I had no choice but to add a warning to my guide. Any assistance in this matter would be greatly appreciated!
http://www.ccleaner.com/
I do not use Prefetch, in fact I remove as much useless junk as I can from Windows using nLite anyway, so prefetch isn’t even possible to run on my system, the Task Scheduler was removed.
What I want to know is what spec are you guys running? You’re saying that your programs open slowly without prefetch? Then get a faster computer. Surely that’s the answer? I use a “comfortably” overclocked Athlon64 system with 1 GB of RAM @ 2-2-25 1T timings, and the program that takes the longest to open is Photoshop. It takes about 5 seconds. Not exactly a long time to wait, is it. Everything else opens as soon as I click it, pretty much. Firefox takes about 2 seconds. If I close it and reopen it later, it’s instant. Do I need prefetch? No way. It’s not worth leaving the Task Scheduler service running on Auto for.
When I first disabled Prefetch, my system booted MUCH faster. I have been disabling Prefetch since I was using my old Duron 1100 system in 2002. I didn’t need Prefetch then and I certainly don’t need it now. If you have a weak, old system, thenm maybe Prefetch is a good thing for you. On modern hardware, it’s less needed, so I disagree with your article because Prefetch depends on the system spec.
*2-2-2-5, not 2-2-25. Sorry.
Sorry to be posting multiple times, but I’d say if you want a fast XP, disabl as much Microsoft crap as possible. Disable all the silly fading effects, use a small, fixed pagefile, disable as many things as you can that are not needed. Use nLite to rebuild XP with the programs, drivers, and all the functionality that you need. Use Bold Fortune’s forum guides to strip XP of junk, optimize everything. My WINDOWS folder is ~ 300MB after following his guides = much less to defrag, much less to deal with. Using nLite, my last XP ISO was 125 MB after I stripped out what I don’t need. I still have all the functionality that I need personally. That’s fully service packed with SP2 streamlined and RyanVM’s Update Pack 1.3.1 which includes all the latest Windows updates. SP2 alone is 266MB. XP Pro without any service packs is 484MB. Again, my entire XP is 125 MB. That shows how much junk there is in this OS.
I have never seen anyone with a faster Windows XP Pro than mine, and I would like to apologize for blowing my own trumpet when I say that. People’s computers are generally treacle slow, and using my own highly-tweaked machine (done with a single, large registry file and various.vbs scripts to apply all tweaks at once) feels like heaven.
OK, I’ll shut up now.
Regards,
Dee (a/k/a ninjastyle on forums.amd.com, if you wanna discuss anything).
Dee, if I were to use a “small, fixed page file” as you recommend, several programs I rely on wouldn’t work (VMWare is one), and my system would slow down alarmingly when I put it under peak load.
Also, when I add up the milliseconds I might save by using your tweaks versus the hours it takes to implement them, plus the potential troubleshooting time if even a single thing goes wrong, I find the benefits not worth it.
My XP system is mostly stock, and it’s more than fast enough for me. I understand why hardcore gamers get obsessive about tweaking, because their needs are specialized, but for most people the urge to tweak usually causes more problems than it solves.
Dee,
It doesn’t matter how new your computer is, prefetching will improve application load times.
“When I first disabled Prefetch, my system booted MUCH faster.”
-I’m sorry but that is a lie. I work for a system OEM and have tested prefetching on all types of PCs and it always helps performance, period.
“done with a single, large registry file and various.vbs scripts to apply all tweaks at once)”
-These are very dangerous as they include alot of Mythical Tweaks: http://mywebpages.comcast.net/SupportCD/XPMyths.html
“Use Bold Fortune’s forum guides to strip XP of junk, optimize everything.”
-This is a really, really bad idea, that guy posts alot of bad information that is simple not accurate. You can start with his cleaning the prefetch folder advice.
Dee, I am with you on your quest for speed but understanding how something works is the first step to optimally tweaking your machine. Prefetching flat out works and should be enabled.
Well Dee…
1. First off, you said that: “It’s not worth leaving the Task Scheduler service running on Auto for.”
I am asking you why disabling the Task Scheduler service, if it consumes virtually no CPU cycles. It only does when it’s called into action, and that’s probably less that 1 % of CPU. Also, it runs in an always running process (”svchost.exe”, beside many other services), so there is no additonal process running if it’s left to run, i.e. not disabled.
This reminds me on the BlackViper’s Windows XP Services Guide and all the prattle about how “disabling services speeds-up computer enormously”, debunked often at ArsTechnica forums where I participate (btw. my nick is “shirker” there), i.e. it’s simple as that:
If a service is not being used, it will use no CPU time, while regarding the used memory; Windows will reclaim its memory as needed, so until then it effectively uses no memory either.
2. Secondly, you wrote that: “When I first disabled Prefetch, my system booted MUCH faster.”
I am asking you how come, if the Prefetch feature set to prefetch “Boot File launch” (value “3″ for “EnablePrefetcher” entry under “HKLM\…\PrefetchParameters” key) itself optimizes the boot procedure or at least parts of it (I guess it’s the “NTOSBOOT-hash.pf” file) ??
Do yo think that Microsoft would implement an option that supposedly does something, but in reality it does the opposite ??
regards, Ivan Tadej
This site is likely too advanced for this novice, but I got on it by trying to find how to access GoogleEarth after downloading it to my computer. When I finally found it, the usual “microsoft cannot access this file…” appeared, letting me know that GoogleEarth is in my prefetch file(something that I’d never heard of).
It turns out that it’s in there multiple times because each time that I couldn’t call it up I (foolishly) downloaded it again!
Any help out there for old luarc@msn.com?
Check this article out:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xpehelp/html/xetskDisablingPrefetch.asp
“EWF performance can be improved by disabling Prefetch. Prefetch is a utility that loads commonly used applications to RAM when the system starts. This can degrade EWF performance.”
It looks like even MSDN can get it wrong.
Andrew, that reference is for Windows XP Embedded, which is designed for low-resource environments. What applies in XP Embedded is different from the desktop OS!
Even though it is for XP Embedded, I actually think that MSDN article is wrong but I see your point.
Ed, what do you think of this: http://poptech.blogspot.com/2005/10/ccleaner-cripples-application-load.html
Any comments on CCleaner?
I’ve never used CCleaner, but the points in that thread make good sense.
Excellent article! I do have a related problem (yes I know this is not a forum.. but please help if you can)I use Ccleaner, so I checked to see if ‘old prefetch..’ was unchecked.. only to find it missing… and then to discover my prefetch folder is absent… I thought this was impossible.. so I checked the related registry entries.. only to find one missing(layout path),yet the rest all intact, so I replaced it & the prefetch folder.. and even rebuilt a ‘Layout.ini’… and compared all settings/ folders/ registry entries, against another identical XP Pro.. only to find no cure.. as in NO prefetching at all!!!
WAIT.. dont answer my last thread!!! … NIGHTCRAWLER…you are a diamond… your cmd did the job.. THANKYOU!!
Can the prefetch start an application?
Years ago I had to fight a virus on my daughter’s pc. (Not sure that we had XP then.)
I kept cleaning it out and it kept reinstalling on reboot.
The way I finally got rid of it was to shut down each process individually by name, using an AV site for the list, then running the AV, and using a script to empty the prefetch.
All of those steps finally allowed me to get rid of the virus completely by one last AV scan on the next reboot.
I knew I had cleaned out all the startup lists.
I had a theory that prefetch was activating the virus code before I could run the AV.
Possible the virus writer was using the prefetch?
Thanks.
I’ve had knowledgeable people swear to me that they discovered viruses in the Prefetch folder. I’ve never seen it myself, but I’ve heard it enough times from enough people to believe it could be true. Unusual, but possible.
A virus can hide anywhere but any AV scanner will find the file no matter where it hides, especially one with boot time scan like Avast. By default your AV can scan the prefetch folder. What a virus hiding in the Prefetch folder has to do with the regular prefetch files I don’t know.
If you guys are right about not cleaning out Prefetch , then the following gurus are incorrect. I think I am more inclined to buy what you are selling
zzzzzzzz zzzzz zzzzzzzzzzzz zzzzzzzzzz zzzzzzzzz zzzzzzzzzzzzzzzzz zzzzzzzzzz zzzzz zzzzzzzzzzzzz
http://www.langa.com/newsletters/2005/2005-04-07.htm#3
The “Prefetch” is a kind of cache. For any cache to work, it has to contain data: So, over-aggressive cleaning of any cache, including the Prefetch, can be counterproductive because the cache will have to be refilled with data again.
The flip side is that a cache that’s overfilled with more data than is necessary, or that’s filled with old and obsolete data also is bad: That useless data is just so much junk that gets in the way.
So: Cache-cleaning from time to time still makes sense, as long as you don’t over-do it. I clean my browser cache and the temp files areas every night, for example. But I hardly ever touch the prefetch area; I have cleaned it in the past, but it’s been long enough that I can’t remember exactly when the last time was.
What’s right for you? How much cache cleaning is enough? See:
“PreFetch”
http://langa.com/newsletters/2003/2003-09-22.htm#7
Prefetch Pros and Cons
http://langa.com/newsletters/2002/2002-12-12.htm#9
zzzzzzzz zzzzz zzzzzzzzzzzz zzzzzzzzzz zzzzzzzzz zzzzzzzzzzzzzzzzz zzzzzzzzzz zzzzz zzzzzzzzzzzzz
http://www.pcworld.com/howto/article/0,aid,114164,tk,wb020904x,00.asp
PC World, March 2004
Why is my speedy PC s-l-o-w-i-n-g d-o-w-n? (Hardware) Lincoln Spector.
Windows XP’s Prefetch folder: go to C:\Windows\Prefetch and delete all the .pf files. The Prefetch folder was added to XP to improve the operating system’s performance, and over the short term it succeeds. But if the folder gets overloaded, it can stow down your machine.
dear “Lorenzo the next best hope for humanity”…
>> The flip side is that a cache that’s overfilled with more
>> data than is necessary, or that’s filled with old and
>> obsolete data also is bad: That useless data is just so
>> much junk that gets in the way.
Yeah, but as stated in the Ed’s original article at the top of this page (and I guess somewhere on the Microsoft’s site too), the Windows cleans the old/obsolete files in Prefetch folder by itself (after 128 files were/are created); so anyway, why bothering at all with doing the OS’ job ??
Ivan Tadej
The files in my prefetch folder are compressed. Is that the way they should be? If not, what happened there? Should I do anything about it?
Ema,
What do you mean, they’re compressed?
Under the name of each file it says, “Type: Stuffit Compressed File”. When I try to open any of the files, a dialogue box asks: “Would you like to open the archive for Viewing or immediately Expand the contents?”
“Stuffit” is the name of my ’shrink/expand’ program and the icon next to each file corresponds to this application.
To the best of my knowledge it wasn’t like this before, but I haven’t knowingly done anything to the prefetch folder.
Please advise. Thanks.
P.S. The “layout file” is the only ‘normal’ one.
Ema, those aren’t actually compressed files. It sounds like you or someone tried at one point to open one of the files, Windows asked which program to use, and the PF extension becamse associated with your defautl decompression program, which is Stuffit.
You can fix this, but it’s not really a problem. These files are not designed to be opened directly, so just don’t double-click on them.
I have a winword.exe-23347E4F.pf file that starts running on it’s own, for no particular reason and it freezes up my computer. I found out that it was this file by doing ctrl+alt+delete and clicking on Processes. It took up 60-70%.When I clicked to end process, my computer unfroze.
Can I safely delete this file out of the prefecht folder? And why would it just start running on it’s own, isn’t it a “Word” file thingy?
Michelle,
Those .pf files are not executable. If you see one running as a process, it is behaving in an uncharacteristic and unwelcome way.
Can you tell me what application is associated with .pf files? (Control Panel, Folder Options, File Types tab, scroll down to PF extension.)
Mr. Bott;
I have read over the questions and answers in reference to cleaning or not cleaning out my Prefetch folder, however, my prefetch folder contains viruses (I recognize the names) but I am unable to access my layout.ini file with any of my AV programs because it says it is locked or password protected. I have been fighting these viruses for months now and just today found (again) a virus file that was instantly loaded into my AV program as soon as it was downloaded. I previously used Norton AntiVirus (detected over 11,000 infected files) until I found that a large amount of infected files were in Norton as well by using an additional AV program (AntiVir.) Even though AntiVir was able to detect over 7,000 infected files in my computer and rid the computer of them, I was unable to use the gaurd portion of the program until today when “Ewido” found a file within AntiVir infected with a version of the Trojan Horse. The AntiVir gaurd is now up and running as well as Ewido but I am getting error messages within the scans saying that it is unable to scan C:Windows\Prefetch|layout.ini and over 100 .zip files that again I recognize as virus files such as; CleverIEHookerJeired#.zip files, DSOExploit#.zip files, TotalVelocityMemoryMeter#.zip etc. the scan report says that “The whole archive is password protected on all these zip files and the layout.ini is giving me the following message;
Error! Could not change directory: System Volume Information
C:\WINDOWS\Prefetch
Layout.ini
Access denied! Error during file opening!
Error code: 0×000D
WARNING! Access error/file locked!
Error! Could not change directory: export
Additionally, I am unable to access my Users folder at all because it just shuts down when I try to load it and I get a consistant error message that my paging file is too small no matter what I set it at because it reverts back to zero.
I know that this is a lot of info, but I’m hoping that you can help me or at least point me in the right direction to help me finally rid my computer of this monster! I use my computer for work and having it continually crash on me is really affecting my livelyhood. Thank you so much for anything you can do for me!
Sweetpea
Pamela,
You should try Castle Cops or Spyware Info. Both have forums that can help you with detailed advice.
Whats the big deal about boot time anyhow I have disabled my task scheduler and now nothing loads into prefetch sure it may take a couple of seconds more to start up. But I only have two things in the start up menu . I never totally shut down my PC and I hybernate it at night . I very seldom restart my computer . I have to wonder about you guys that have nothing better to do than to time your start up times . Gentlemen start your PC’s !!!!
i am having similar problems to
Michelle from November 2nd, 2005 at 5:51 pm
i get error messages with the following programs that have failed to run, but i have no idea what they are,
the files are
withera.exe
outhera.exe
when i run a search for them i find a .pf file called
WITHERA.EXE-13A76141.pf in C:\WINDOWS\Prefetch
withera in C:\WINDOWS\system32
and when i click on more details for the error report the error signature is as follows
appName: withera.exe
appver: 0.0.0.0
modname: oleaut32.dll
modver: 3.50.5016.0
offset: 000030d0
i run ad-aware se and ccleaner but nither pick them up, and im sick to death of the error messages comming up, so are they safe to delete ?
I have the same problem regarding withera.exe. I got some bad news: on my computer, the file creation date correspond to a moment I was reading usenet using outlook express. I opened all the files created at the same time (outhera.exe, northwist.dta, withera.exe, orthnapp.exe(hidden), MSDATGRPS.OCX, WITBLOG.OCX) using wordpad and found that northwist is an html file that is regenerated every 2-5 minuts. Looking at the source, this is all adware. The file at the moment is a copy of se.swingqueen.com but this change and is not always sex related.
So I booted in safe mode and removed every files created at this time. The all re-appeared after 2 or 3 reboot. So for now it keep crashing every days… Not Good.
btw, by the time i wrote this message, northwist is now a copy of “treasuretrooper.com”…
I am a PC specialist by trade/profession. I know for a fact that malware uses the pre-fetch folder entries in a bad way. Often these .pf files gather large numbers and it becomes difficult to delete the bad ones from the good ones so ccleaner will remove them more effectively. Malware can most likely manipulate these entries for it’s malicious intents would you agree? If this were not possible then removing these files would be completely not good. If however this manipulation CAN possibly occur then maybe cleaning the prefetch area is not such a bad idea but only if you get an infection.
I’m not sure if I’ve done something to tweak xp registry or something like that, but my prefetch folder is always empty.
Does anyone have any idea.
Happy New Year btw.
Yes Kakudmi, the reason is that you have probably disabled the “Task Scheduler” service; so to enable prefetching again just set it to Automatic startup-type. The other possibility is however that you’ve disabled the prefetching itself. Open the Regidit and check the value of “EnablePrefetcher” entry under the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters” registry key.
Here are the descriptions of these values (all four possibilites):
0 = Disabled
1 = Application launch prefetching enabled
2 = Boot prefetching enabled
3 = Applaunch and Boot enabled (Optimal and Default
________________
regards,
Ivan Tadej, Slovenija, Europe
http://users.volja.net/tayiper
http://satyrhosts.bravehost.com
http://ivan-tadej.atspace.com
Larry,
Prefetching is not just for the boot time of Windows but for every application you launch. Disabling Task Scheduler and Prefetching does nothing but intentionally make everything load slower. Leaving it enabled does not hurt performance in any way. Why you want to deliberately slow your PC down I have no idea.
Chris,
Do you have ANY documented proof from a reputable AntiVirus company that Prefetch files are executable? You don’t because there is none. The malware nonsense started because when prefetching is enabled any executable will get a prefetch file created for it. This ironically and unintentional is by design to help the malware load faster. Windows Prefetching prefetches any executable indescriminantly. The .pf file with the same name as the infected malware has none of the malware code and cannot be executed. So once the malware executable is removed the associated prefetch file (.pf) with the similar name does absolutely nothing and will eventually be deleted by windows.
I have recently come acress these .pf files because I was running out of space on my hard drive. I am running a 3D design package software, Delcam, on a stand alone system. I have over 5000 .pf files totaling over 84gig of data.
Is this right?
Paul, there’s no way that Prefetch would create that many files occupying that much disk space.
I suspect those are data files for some application you use. What happens when you double-click on one of the files? Where are they located?
what if i am trying to rid myself of virus and have been given this advice,,,,
MAL, if someone gives you that advice, you should seriously question everything they’ve told you.
Ed: Though this has “nothing” to do with Windows, I desperately hope that you can help me.
My PC came with a McAfee which I removed when I installed a Panda antivirus (box version) with no problem at all. Now I am trying to install a downloaded version of Panda and it won’t install because it says is detecting McAfee. I brought a technician who removed any trace of McAfee that could have lingered behind. But Panda is still detecting it. There is no reason to believe that the file could be damaged. The people from Panda are no help at all. What could be going on and what can I do? Please, don’t tell me to go into the registry because I’m not a computer savvy. Is there a simple solution? Thank you very much for your help.
Ed,
I am not doubting anything you are saying, but I just wanted to tell you that I went into the registry to see what my “EnablePrefetcher” value was set at. It was set at 5! This is a fresh XP install (only about 1 month old). I have not loaded or executed any tweaking programs. I have read several places that the “5″ setting is just a myth. So I guess I am not sure why it is set to five if I have never changed it or ever run any program that might change it.
Thanks
According to MS’s premier site and some system analysts from MS, the setting 5 is an error that occurs if prefetching is enabled in app or boot mode and the scheduler service is NOT ACTIVE. The 5 value has NO effect unless both scheduler and reg prefetch values are set to enabled. As I understand the ONLY benefit to prefetching is if the APP is severely fragmented, the prefetch file will contain current, or close to current pointers which will speed up access to the app slightly…Not like a HD VTOC lookup takes huge time or resources. If you have a MASSIVE APP or use a net enabled app that is spread around muliple machines or drives PREFETCHING can save a precious few micro-secs but otherwise its just a pointer setup and regular disk defrag and optimization will do as much for you as prefetching.
BTW EMA have you tried installing in SAFE MODE ? if you come up bootlogging you can see what is being loaded from where….the bootlog and sos options in msconfig or boot.ini file can provide good info.
/SOS disables the M$ load screens and actually display system boot activity; ie drivers loading, devices being checked. Given a choice, I’d MUCH rather watch startup text, over a cloudy powder blue welcome screen
Archfield — that’s it! I did have the scheduler disabled… so that make’s sense why it was at 5 in the registry. Thanks
For those who have posted questions on this and related articles by Ed with regard to possible malware activity in the Prefetch folder, I thought the following information might be helpful since these questions do not seem to have been fully addressed:
1. As mentioned, a .PF file CANNOT be executed (well, it can if some cool tricks are used, but malware generally can’t exploit that aspect)
2. If we were to assume for sake of discussion that a .PF file COULD be executed, then it would still require something other than the Prefetch feature to EXECUTE it. As mentioned multiple times, the Prefetch feature doesn’t EXECUTE any of the Prefetch records - it only performs READ/WRITE operations on them. For those of us who understand the true nature of how non-executable code can actually be altered to be executed in certain circumstances, this point could be argued. But that argument would have to be taken up with the actual developers who programmed the Prefetch feature. I seriously doubt it could be done even by the most advanced virus developers of today.
3. Malware can sometimes be found in the Prefetch folder for reasons OTHER than normal prefetch operations (in other words, it doesn’t ONLY get there because the malware got prefetched as all programs do). I haven’t personally seen a .PF file used in a non-standard way - however, it is certainly possible that a malware author could stage a malware resource file in the Prefetch folder with a .PF extension for temporary use by an actual executable stored elsewhere (why - who knows, but possible). This wouldn’t be something to be concerned about though.
On the other hand, I have seen EXE files get placed here. The reason for that is primarily because the Prefetch folder for the average user is one of those obscure, never worry about folders. So, some malware authors have used it. No different than any other directory they might pick.
If you find that a virus is in your Prefetch, you treat it like any other virus. The fact that it is in Prefetch is not important. You still need to find out how the virus is being executed (e.g., from the RUN key in the registry, as a service, as a web component, or any other of hundreds of entry points). Once you know that, you need to boot in safe mode or other modes as appropriate to then BOTH delete the offending file AND remove the entry point reference. There is no need to clean out your whole Prefetch folder - just remove the suspect file(s).
Hopefully, that makes sense… I typed this pretty quickly…
I have a fairly old P3 system with 1GB of RAM and when I disabled prefetch the boot up time was vastly reduced. The bar on the loading screen used to go across the screen 14 or 15 times, then it would load my settings and the desktop would appear. After disabling prefetch, the bar on the loading screen goes across twice. I can’t notice any difference whatsoever in the startup time of applications, so in my experience disabling prefetch has been a good thing.
Archfeld,
Prefetching can have dramaticly positive effects on load performance with applications that require numerous files loaded into memory on startup. The larger the application and the older and slower the computer, the more profound the effects are. It is true that the faster your computer is and especially your HD performance, the less “noticeable” effect it will have with loading small applications. The problem is, there will always be newer larger applications such as Photoshop and Games like Battlefield 2 for example that will continue to come out and significantly benefit from prefetching even on top of the line systems. You are severly misleading people by taking upper high end system performance combined with small apps and declaring “microsecond” gains.
Shaun,
Excellent explanation in regards to prefetching and the virus Myths regarding it.
Speedy,
People consistently are misled by mentally timing a graphical portion of Windows startup. This is completely inaccurate. You need to use a program like BootVis to clearly see how significant an effect prefetching has on startup times. While you mentally notice different graphical portions of Windows appearing to vary in time with and without prefetching enabled, the fact is that when timed, your WHOLE startup time from turning on the power to your PC, until the desktop is fully loaded is ALWAYS faster with prefetching enabled.
I will have to disagree with you there. There’s a huge difference between the bar going across the screen twice with prefetch disabled, to the 14 or 15 times it goes across the screen when it’s enabled. I can time it with a stopwatch if you like, but I already know what the results will be.
Please do time it with a stop watch, then provide the exact system specifications so I can do this myself. But a much more accurate way is to time it with Bootvis. I’ve seen many butchered installs of XP using XPLite and other hacks that cripple prefetching. So you better make sure you never used any and are using a clean install of Windows XP.
how can i find out how the malware/virus is being executed? It is in my prefetch folder?
Thanks in advance
How do you know a Virus/Malware is in your Prefetch folder? The only files that should be in that folder have either a .PF or .INI extension. If that is all you have then you do NOT have Malware or a Virus in the Prefetch folder. Any executables should be removed from that folder (if they exist) such as files with the .EXE or .BAT extension.
If some program is saying you have Malware or a Virus in the folder I want to know and what file.
The confusion with Malware/Viruses being found in the Prefetch Folder is largely due to people INCORRECTLY finding a prefetch file with the same name as a Malware/Virus executable. The Windows Prefetcher will Prefetch ANY executable indiscriminently including Malware/Viruses. This has only one purpose to improve the load time of the application that is being prefetched - even Malware/Viruses. Once you clean the actual Malware/Virus executable which will located somewhere else and NOT have a .PF extension, the associated Prefetch file will not be used any more and eventually be deleted. There is none and never was any Malware/Virus code in the associated Prefetch file with the same name as the Malware/Virus executable. It is a harmless file.
Use HijackThis or Sysinternals Autoruns to see where the actual Malware/Virus is being executed.
i have run a program called malware sweeper which tells me every time it runs that i have ‘high’ risk infected files in my prefetch folder. these are defrag.exe-273f131e.pf and dfrgnts.exe.269967df.pf the last time it run. i have run hijackthis but have no idea how to determine which are the malicious .exe’s.
thanks again!
Mark,
That program is steering you wrong. The .pf file extension means those are nothing more than hashes. They are NOT executable files. And both are perfectly legitimate programs - they’re the Windows Defrag utilities.
Time to junk that utility.
Ed Bott
Thanks!
Thanks for posting this. I myself spread this piece of information before, out of a lack of understanding that it was probably not doing anyone any good. I still think it is useful to purge the prefetch directory if something gets damaged, but I no longer believe it’s useful to do so as a matter of course.
Is the limit of 128 objects in the prefetch directory hard-coded?
Mark only use reputable AntiSpyware programs such as:
Lavasoft’s Adaware
Spybot Search and Destroy
Windows Defender (Microsoft AntiSpyware)
All of these are free. While “Malware Sweeper” is not listed as a Rogue program, it is also not endorsed:
http://www.spywarewarrior.com/rogue_anti-spyware.htm
It is obviously completely inaccurate and I would uninstall it immediately.
Those in favour of cleaning out your prefetch folder, how many seconds a year do you save by doing this?
Those in favour of not cleaning out your prefetch folder, how many seconds a year do you save by not doing this? And how long has it taken you to read this article?
I have to admit I have prefetch folder cleared out everyday and I havnt noticed any different in boot up or shutdown speed. This article has taught me alot and I am going to to stop cleaning it too see how my system reacts.
You need to time your boot and application loads. For accurate Boot timing use BootVis and a stop watch for application loads.
HI
I have bought a new tower with OEM genuine copy of Win XP Pro and I seem to have lost the Prefetch fo;der in Windows
is there anyway i can get it back please.
cheers
Lloyd
Make sure the Task Scheduler Service is set to automatic, then reboot and launch a couple of applications, you should now see .PF files in the C:\Windows\Prefetch folder.
Have you run any “tweaking” programs or any “tweaking” guides?
I think there is a fundamental misunderstanding here. The description of why clearing out the prefetch folder should not work is very reasonable. However, the reality is that empirically, on some systems it does in fact lead to a quite substantial improvement in performance judged, crudely, by how fast programs load and general operation not by any precise measure. I’ve rarely seen much slower boot times after clearing it out.
How to reconcile this with the fact (I assume, not being an expert) that it should not work, i.e. is a myth. I will suggest that in all probability there is a bug somewhere in the prefetch code. Alternatively, it might be that some programs (microsoft ones?) are coded such that prefetching works correctly for them but not for other programs.
The bottom line. While it should not improve performance, the reality is that it often does. Code behaves as it behaves, which is not always the way it was designed. You can’t call it a myth if it works.
LD, can you point to any published tests that use proper controls and show performance benefits from cleaning the Prefetch folder?
No published tests, no “proper controls” beyond my wife complaining that her laptop is being slow.
Three key points:
First, Occam’s razor. If cleaning the prefetch occurs in some many tweak codes, everyone cannot be wrong all the time. Sometimes it must help.
Secondly, everyone who has done a lot of coding has seen (or written) sections of code which start with a comment such as “This should have no effect, but seems to be needed”. Often coding is an art, not a science, and programs don’t work the way one expects.
Last, at scientific meetings it is not uncommon after someone gives a talk for people to say (out loud or under their breath) “rubbish”. Normally it is. In a small fraction of the cases it is not. When it is not, this is because there is an exception to “accepted wisdom”. Proof that something which “should” be true is not is how advances are made.
LD, you’re missing the point of Occam’s Razor, which says that the simplest answer is usually the correct one. In this case, the reason cleaning the Prefetch folder appears in so many online tweak sites is, literally, because it appears in so many tweak sites. A few early adopters made some mistaken assumptions about how prefetching works, concluded that this folder needed to be cleaned out, and published tips. The large herd of follow-the-leader websites reprinted these tips, and pretty soon they had critical mass. There are many similar stories, and I’ve been writing about Windows long enough to have seen this same phenomenon over and over and over.
We looked at this subject very carefully and with an open mind for the second edition of Windows XP Inside Out. After research, we concluded that this was an urban legend.
I have not seen a single credible source give any data or justification for this practice. I have researched the hell out of it and am quite confident with my conclusion. You’re welcome to disagree, but without data you’re not going to change my mind.
CRACK.EXE-2734ECF7.pf what is this file?? it tried to communicate out of port 80???
thanks
I 150% agree with Ed. I never believed any of the Prefetch “Tweaks” when I heard them but it took me reading one of Ed’s original Prefetch articles to thoroughly test how significant the Windows Prefetcher is to Windows and Application load times. Anyone making claims that cleaning the folder improves performance NEVER tested it with any documented reproduceable evidence. People are using irrational “feelings” to make any performance improvement claim. Humans are very innacurate timing devices which is why we invented stop watches ect… You can quite easily time Windows Bootup using the Bootvis utility. I’ve done thorough testing with Bootvis timings and found prefetching to improve system start up times anywhere from 50 - 100%. Cleaning the folder reverses these gains.
ray, the file you are refering to is not accessing the internet. That file is the Prefetch trace file for a file names “crack.exe” which is the one you are looking for.
I have recently begun to have poor performance on my pc. My performance though seems realated to my CPU wich is an AMD athlon 64 3000+ 2.0 Ghz. cpu. I started to notice choppy play on my online game that effected my sound and video. It seems that when I get this choppiness on my pc my CPU hits a peek of around 60 to 100% usage.. I ran multiple defrags cleared my cahce and emptied cookies in hopes to gain my clean play on my game.. I then noticed it wasnt just game play but even Windows media player or just about any program that uses sound or video that I have been having choppy performance on my pc. For a week now I have been rattling my brain trying to figure out what the problem is. A freind of mine said it could be the windows prefetch and insisted I turn off this prefecth and in hopes to gain my performance again.. I also ran a spyware, addware and anti virus program in hopes of finding something that may be creating this problem. I can note that no new software was added at the time the problem begun. Nothing was found by my nortons virus or by my webroot spyware programs. Also it seems that nothing is eating up much of my 1 Meg of pc 2700 Ram either.. After reading some of the articles here i have been a little more hesitated to disabling my prefecth but cant figure out what is the problem. My pc is a little under a 2 years old and I have had to reformat an install several times due to Virus an other realated probelms. Any advice to the right direction in taking care of tis would be great.Also i ran a testing program that checks chipset, Ram , CPU and other parts of the MB and showed my chipset an cpu are operating at 100% of there rating.. I am completely at aww and almost ready to give up and smash this thing.. Almost ironic at the frustation things we dont understand can cause. Thanks any one for the help if any.
I disagree with this premise that shouldn’t clean out the Prefetch. I have seen several viruses hide there that could not be found by any AV. Therefore, I not only delete the files in Prefetch but I have disabled the process totally.
RazorJay,
There can be many, many reasons for your problems. You should never have to reformat Windows unless you have a serious hardware error, a very destructive virus infection or a RootKit infection. I’ve seen many computers screwed up from bad tweaks and bad tweaking advice. Windows Prefetching ONLY effects an application or windows boot time, it has absolutely NOTHING to do with anything after that. Cleaning your cache and cookies will do nothing for performance that only effects disk space. Try running through this optimization guide and see if it helps:
http://mywebpages.comcast.net/SupportCD/OptimizeXP.html
Drew,
Are you sure actual viruses were there and not Prefetch trace files with the same name? Regardless you should only delete the virus file and NOT the whole folder. Do you delete the contents of the Windows folder when you find a virus there?
http://mywebpages.comcast.net/SupportCD/XPMyths.htm
“Malware/Viruses - Some people irresponsibly recommend cleaning this folder due to possible Malware/Virus infection. Malware/Viruses can place an infected file(s) in any folder and the Prefetch folder is no different. Do these same people recommend deleting the contents of the Windows folder because it is a popular location to find an infected file(s)? Of course not, you simply clean or delete the infected file(s) not the contents of the folder. This Myth got started due to the indiscriminate nature of the Windows Prefetcher, which will Prefetch any executable file that you load or loads during Windows start up. Thus it is quite common on an infected machine to find a Prefetch (.PF) trace file in the Prefetch folder with the same name as an infected executable. These files are NOT Malware/Viruses. They are there to improve the load time, in this case ironically, of the Malware/Virus but do not contain any infected code. Once the associated infected executable is deleted, these Prefetch (.PF) trace files do nothing and will eventually automatically be cleaned by Windows.”
I was able to speak with the senior editor at TechRepublic and presented him with the evidence. He agreed to pull the incorrect articles and to have a staff member rewrite them.
Well I have to say that switching OFF task scheduler and prefetching sped up the boot time noticeably on my system. Programs don’t seem to load any slower for it either, but then I have a pretty high end system and nothing seems to take long to start. But boottime definitely benefitted, no word of a lie.
Scathe,
That is completely impossible. First of all you have to make sure that the Windows Prefetcher was working properly to begin with before you make such claims. I have seen many systems that have the Windows Prefetcher broken due to running some useless “Tweak” program, registry script or following bad advice. The following will both Fix the Windows Prefetcher and properly time it.
Windows Boot Prefetching Test:
The following Prefetch Optimization steps on a default installation of Windows will be done by Windows automatically at some point, however to confirm that the Prefetcher is enabled and Windows is optimized on a system where it might have been disabled these steps are necessary for uniformity in testing. You must be using a default install of Windows and not one that used Nlite which can permanently break the prefetcher:
1. Make sure the following Services are set to Automatic:
-Task Scheduler (It is by default but many people and bad tweaking programs disable it. The Prefetcher Fix will also enable this.)
-COM+ Event System
2. Run The Prefetcher Fix located here: http://mywebpages.comcast.net/SupportCD/OptimizeXP.html#Tweaks
3. Reboot and make sure in the \Windows\Prefetch folder the following files are present:
-NTOSBOOT-B00DFAAD.PF
-Layout.ini
4. Reboot Windows 3 more times and DO NOT install or change anything that would load during Windows Startup during any of this. This will insure that prefetching is 100% complete.
5. Download and install Bootvis. (Without using Bootvis you would have to wait 3 or more days for this optimization to happen automatically.)
6. In the menu go to “Trace”, select “Next Boot and Driver Delays”. A “Trace Repetitions” screen will appear, select “Ok” and Reboot. Upon reboot, BootVis will automatically start, analyze and log your system’s boot process. When it’s done, in the menu go to “Trace” and select “Optimize System” and Reboot. This time when your system comes up, wait until you see the “Optimizing System” box appear, continue to wait until the process is complete.
Now your Boot time is optimized and Prefetching should be properly enabled.
7. Time Windows boot with complete accuracy using Bootvis. Run another Trace and reboot. Now when Windows finishes loading the Bootvis tool you will see a time at the top of the Window that represent your optimized Boot time. Write this down.
8. Delete the contents of the \Windows\Prefetch folder. (This is never recommended except for these tests)
9. Time Windows boot again using Bootvis. Run another Trace and reboot. Now when Windows finishs loading the Bootvis tool you will see a time at the top of the Window that represent your unoptimized Boot time. Write this down.
10. Compare the times.
Anyone can easily test this themselves and see for themselves how important the Windows Prefetcher really is. Again you must be using a default non Nlite installation of Windows. Using programs like Nlite can permanently break the Windows Prefetcher.
Hello,
I saw your comments about PF files and since I had a problem with those, I’d appreciate your help.
One of my softwares do not work, because the date of the computer was one month ahead. For fixing that I need to change the date of the future-dated files; I was successful to do so by a software, but it doesnt work for about 50 PF files and each time an “access denied” window pops up.Do you have any idea how I can “access” them to change their date?
Thanks in advance,
M. Amin
There is no reason to change the date on the prefetch files. Windows will automatically update these as needed and correct the date when it does update them. Any obsolete Prefetch files will automatically be cleaned. So you shouldn’t have to do anything.
People claim disabling prefetch works, others say impossible. Yet the those who say impossible, immediately qualify their statement with, prefetch will grab malware, etc. and load data related to it as well as needed applications and data. And those who say it works, don’t usually have enough data to prove their point.
What effect does prefetching have on boot time? If it loads malware based on pointers in a pf file, then disabling prefetching will clearly improve boot time. Getting rid of the malware should do the nearly the same. While the pf files exists, will boot try to load something, but fail on a bad pointer? Since it used the pf file, will it mark it as such and never delete it? This would waste boot time forever. For those who load and unload large numbers of apps that insist on putting some check in at boot time, this could get ugly. I regularly use 10 apps, so boot time has the potential to check 117 useless turds every boot.
I am trying to get NeroCheck out of my register and boot sequence. I’ve uninstalled the Nero software. I’ve deleted the files it left behind in the program files area. In SpyBot, system startup says it will run nerocheck.exe. I disable or delete it. Reboot and NeroCheck.exe is back in the system startup sequence. I manually delete Nero* from my registry using regedit, delete it again from SpyBot’s perspective, reboot. It’s back. SpyBot claims the file is in c:\windows. Yet the file does not exist. So I searched the windows directory and found the .pf file. This got me to this site.
Apparently, NeroCheck.exe tries to be run on boot, by what app I’m not sure. I think I get it out of the ‘run’ section of the registry correctly either manually or via SpyBot. Whatelse can I do?
Another problem, possibly related, since the latest windows update, Norton AV doesn’t start before windows checks to see if it’s running. I always get the warning saying I’m at risk because AV is off. Later AV starts and the pop-up warning eventually goes away if I don’t close it first.
Jansen,
You have not followed the conversation or read what we are saying. Disabling Prefetching will do ONE thing, it will make all your Application and Windows take LONGER to load PERIOD. No one who has been trying to explain how prefetching works says it will “grab” malware! Prefetching is a feature that accelerates the loading time of Windows and all your applications. So whatever is loading it just makes it load faster. If you are infected with malware than the malware loads faster. Disabling it still loads the malware only slower. But it does not ADD or PREVENT malware from loading.
Prefetching IMPROVES boot times ALWAYS. How much depends on many factors, such as the speed of your HD and how many applications and drivers are loading at startup. You are completely NOT understanding how prefetching works. Prefetching ONLY loads what ALREADY loads at startup. It DOES NOT load anything new or additional. It just loads it faster. It does not load all 117 prefetch files at startup, stop guessing on how Prefetching works. It only ACCELERATES what is ALREADY loading at startup.
If NeroCheck keeps loading at Startup check Add/Remove to make sure you removed EVERY Nero related items. Then use Autoruns to delete it, if it is still there: http://www.sysinternals.com/Utilities/Autoruns.html
The Nero.pf file is NOT loading at startup. Only two files are REFERENCED at startup:
-NTOSBOOT-B00DFAAD.PF
-Layout.ini
Your problems are related to the application = Nero and Norton. Contact the manufacuturer of the software for help relating to those problems. Neither one has ANYTHING to do with Windows XP Prefetching or the Prefetch Trace (.pf) files.
I generally agree that leaving the prefetch directory and settings alone is a good idea. However, there seems to be two issues I haven’t seen discussed.
If I understand everything correctly, when an application is executed, the prefetcher loads commonly used program segments into memory based on overall program usage. This tracking doesn’t appear to make any differentiation between Windows booting vs. normal user operations. This brings to light two possible issues:
1. Minor issue: Many systems run for weeks without being rebooted. Are the code segments necessary for the application to get started seen by Windows as “commonly used”. After all they are only executed every X weeks.
2. More significant: Take a program which starts up when you boot/logon to your computer (say an IM client). After our computer is running, we may use this program very often for many things (text messaging, voice chatting, video chatting, white boards, etc). The program segments necessary to do all these things will be noted by windows as “commonly used” and marked for prefetch. At boot time Windows will prefetch all these extra segments even though they have nothing do to with getting the program running and completing our boot.
Personally I think it’s more of a coin toss. A few programs will benefit and some will load a extra segments that aren’t needed during boot. More significant savings can be seen by not loading all those useless tray icons and background programs in the first place!
Respectively submitted for comment.
Vistonr, here’s your misconception:
“At boot time Windows will prefetch all these extra segments even though they have nothing do to with getting the program running and completing our boot.”
That’s not how boot prefetch works. Go back and read the documentation again. All that prefetch does is create a series of files that tell the system the most efficient way to load programs when they’re ready to be loaded. Nothing gets fetched in a wasteful fashion, as your hypothesis implies.
I was a victim of this hype, but when I went to clean out my prefetch folder, it didn’t have anything in it - confirming what you said. But what I did do, is modify the prefetch registry component, making it so that instead of indexing boot files and application files, it just loads boot files. Should I change that back?
Hmm, interesting. I understand the article and whats been said but I’ve got a question. How come when I delete the prefetch folder windows load much much faster? The windows xp loading bar screen only appears for a second or two compared to around a minute before I deleted the prefetch folder. I understand what your saying and that you beleive this doesnt happen but I’ve had numerous real world experineces that seem to disprove your article at least when it comes to windows boot times. Any idea why this would be? I’d love to get a definitive answers re. prefetch which matchs me real world experience
Great tips but if you really want to sound like you know what you are talking about, learn that ANYWAYS is NOT a word. The correct usage you are looking for is just plain ANYWAY. Anyway is the plural and singular usage of the word.
Cary, you’ll need to address that to Ryan. That was a quote, not something I wrote.
Akanewbie, the progress bar is a misleading indicator. You really need to use a stopwatch to see the results.
Jesse,
Leave the EnablePrefetcher value on 3 otherwise all of your applications will load slower. Values 3 and 2 will both boot Windows in the same exact amount of time. There is no negative performance hit to Windows XP Boot times using the value of 3. That is another Myth spread by the misinformation found at the intelliadmin site and Digg.com
My prefetch files are locked and I cant delete them. How is this….
When I startup my computer in the bottom right conner of my screen I see C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9 is corrupt and unreadable. What should I do? Delete it or is there some way to reinstall that file?
Nigel,
You don’t need to delete them. Did you not read this whole thread?
twtt,
Are you using NTFS or FAT32? You should only be using NTFS for your file system with XP. If it says it is corrupt then yes you can delete it and it will be recreated but you need to find out wat is causing it to get corrupted. Make sure you are not overclocking, you are using NTFS, you are not infected with anything and your hardware is working correctly especially, your Memory and HD. You can figure out what is wrong using this guide:
http://mywebpages.comcast.net/SupportCD/DiagnoseXP.html
Sometimes cleaning out the Prefetch folder is just what an old computer needs!
I had a laptop here that was having all kinds of strange problems. The bootup was EXTREMELY long, more than 5 minutes. Running defrag would hang and when I told the system not to index files, many of the prefetch files could not be accessed. As I looked through there, including looking inside the layout.ini file using notepad, I saw many of the files had been uninstalled. So, I went through the process of cleaning out the Prefetch folder. First, I deleted all the files. Then I defraged successfully. Then I opened a command prompt and ran rundll32.exe advapi32.dll,ProcessIdleTask to recreate the .pf and prefetch layout.ini file. I noticed that the size of the layout.ini file was greatly reduced. Then I rebooted the computer three times. You know what? The computer runs great now. Bootup time dropped from 300 seconds to 75 seconds.
Here’s my thinking about this. The tuneup of the prefetch file is scheduled for idle time. Laptops often don’t have much idle time and so in some cases, the tuneup never happens. Sometimes the prefetch files get corrupted in some way that does not allow the tuneup to take place as it should. So in some cases, perhaps especially with laptops or with computers that do not sit powered up and idle for long periods of time, cleaning the prefetch may be just what is needed.
I don’t plan to do prefetch as part of a regular tuneup. I tihnk in this context, Ed is right. But to blanketly state — “Bottom line: You will not improve Windows performance by cleaning out the Prefetch folder. You will, in fact, degrade Windows performance by cleaning out the Prefetch folder.” This is just plain overstating the case. In my case that I just got done working on, cleaning out the prefetch folder definitely increased performance. Prior to this, the computer was practically unuseable.
Hi, I’m pretty new to learning about all of these things.
I have a Dell Laptop with Windows XP Media that I just bought. I thought I’d removed all the ‘junk’ on it that comes with it automatically.
I have 81 to 83 processes running on my Task Manager. 33 are running under my name in the ‘User Name’ column, 4 are under LOCAL SERVICE, and 2 (sometimes more) under NETWORK SERVICE (these 2 are the same thing), and the rest are running under SYSTEM.
It seems like all of the ones under my name are duplicates of the ones running under SYSTEM. I found them all in the Prefetch file.
I got this thing so that I could run multiple tasks at a faster speed than my older desktop computer. But it seems like all of that stuff in the Task Manager is slowing it down a lot.
Is this normal or do you think I have a bug/virus in there somewhere? I tried to research all of them on my own. But I found out that most of the processes show up as being both a legitimate process and also a virus/worm named after the legitimate process.
Way too confused! Then I saw your site. I hope you don’t mind my stupidity.
Thank you,
Janet
In response to Andrew on August 4th:
I am wroking on a new system bulid and wondering about the prefetch as well.
One thing about your testing methodology I am confused about. You first rebooted several times, and loaded up the prefetch so all the information was optimally loaded there, correct? Then you set a trace in bootvis to see the boot time. Then afterwards you delete the prefetch folder–followed by a reboot to see the new boot time.
My question is, after you delete the prefetch and test the new boot time, did you disable prefetch? Deleting the prefetch folder without disabling it is vastly different from disabling the prefetch task completely. From my understanding, if you delete the prefetch folder, but leave the prefetch task active, and test the next boot, its obviusly going to be slower because prefetch has to rebuild everything you just deleted. This is the temporary slowdown Ed mentioned in the first place about deleting the prefetch.
What happens if you delete the prefetch, disable it, then test the boot. Will you still get 50-100% increases in boot time on a optimized (defragmented) machine?
I’m very interested in hearing your results.
Cindy
David,
Cleaning the Prefetch folder has nothing to do with your problem, forcing the idle tasks to run is what did it, you probably have something with prefetching broken such as the Task Scheduler disabled or some other problem. You made various changes and are attempting to claim that the one deleting the prefetch files improved performance = nonsense.
PREFETCH FILES DO NOT GET CORRUPTED UNLESS SOMETHING IS WRONG WITH YOUR SYSTEM!
Janet,
Your problem has nothing to do with prefetching. Try using this guide and see if it helps:
http://mywebpages.comcast.net/SupportCD/OptimizeXP.html
Cindy,
The slowdown you experience is due to the Prefetch Reference file not being there and has nothing to do with it being created. Windows has none of the Prefetch reference information available and thus cannot prefetch. Prefetch files are created and modified with no negative performance hit. Boot performance will be just as slow the first time you reboot after you delete the prefetch files as it will be with Prefetching disabled.
To anyone begging for help fixing their virus: Use a virus scanner, and update it! That’s what they’re for! Preferably something like Avast or Antivir that can be run boot-time or offline from a CD.
I suspect most of the “speedup” people claim to get from disabling prefetch is related to doing a whole laundry list of cleaning and tweaking at once, and picking one thing to blame it all on, then never successively timing it on/off to be sure. Notice how no one in this thread who’s defended the matter has come back with hard numbers.
However: If you ever see a file in there that doesn’t follow the convention, like a dash instead of a dot or vice versa - it is a virus. If you ever can’t delete a file (as admin) in that folder - it is a virus. If it’s in task manager, then of course it’s a freaking virus. Don’t screw around, get a boottime antivirus on it immediately! Or pull the drive out and take it to a friend’s, scan it on their system. And be more careful next time.
Well there is no “tweaking” that will improve Windows boot times outside of disabling unnecessary services (be careful since the Task Scheduler service is necessary for prefetching and disabling certain services can break things in Windows). Cleaning can help, such as removing malware and disabling or uninstalling unnecessary applications that load at Windows Startup.
Anyone claiming ANY performance from so called Prefetch cleaning or “tweaking” away from the defaults is either showing placebo results or for “cleaning” had a corrupt prefetch file which indicated a problem with your system and on a properly working system would never happen.
I challenge anyone to prodiuce documented reproduceable results on a clean install of XP with absolutely nothing done to it outside of the one alleged “tweak” or prefetch folder cleaning to show a performance improvement. Quite the contrary you will find a NEGATIVE performance hit.
The greatest offense of accumulated files in the Windows\Prefetch folder for me is that they result in significant fragmentation of the OS partition. If I don’t empty the Prefetch folder first, I cannot achieve a good defragmentation. I DID have an incident in the past in which a virus EXECUTABKE file installed itself in the Prefetch folder, but of course, I only deleted that one file in that case.
Louise,
That is total nonsense. The prefetch trace files (.pf) are like any other file on your HD and can be defragmented normally either by the built-in disk defragmenter or a superior third party utility like Diskeeper. They in no way cause OS fragmentation any more than any other file. It is like there are people out there obsessed with finding any ridiculous reason to delete the contents of the folder. Some people cannot stand to just leave it alone.
Sorry, but you’re wrong, wrong, wrong.
Clearing out prefetch periodically DOES speed up the computer. FACT!
Windows XP pre-loads files it thinks are might need in prefetch, but actually you may not want any of them so they’re just using up resources, a bit like carrying a couple of bags of cement in the back of your car all the time, you use more fuel carrying the extra weight.
Peter,
Did you read Ed’s post or the replies in this thread before you posted that misinformed statement? That is not what prefetch does. Windows XP does not load ANY files that Windows XP or an application would not already load. It simply optimizes how they are loaded. No additional files are “pre-loaded” to take up “resources”. That is NOT how it works. Please READ and understand how something works before you post a comment incorrectly assuming.
“Did you read Ed’s post or the replies in this thread before you posted that misinformed statement? That is not what prefetch does. Windows XP does not load ANY files that Windows XP or an application would not already load. It simply optimizes how they are loaded. No additional files are “pre-loaded” to take up “resources”. That is NOT how it works. Please READ and understand how something works before you post a comment incorrectly assuming. ”
But that is why *sometimes* cleaning out the Prefetch DOES improve performance. The prefetches are NOT parts of an EXE - they are hash tables to tell the OS the best load pattern for the program.
But during startup the Prefetch folder’s FAT entries must still be parsed to find the correct hash, that hash loaded then executed upon. The larger the folder the longer the IFS takes to parse a directory. Known fact.
Don’t get agressive in emptying that Prefetch - but once in a Blue Moon clean it and restart the machine at least 5 times (for the OS to rebuild the prefetches necessary, but only the required ones necessary). You’ll find that your OS initial load time drops by about 15%.
I suggest you try it - theory and reality sometimes do not coincide. Theory says “no”, reality says “yes”. But do not do it often!!! Once every 3 to 6 months - to force a rebuild of the hashes to your current mode of OS use - is more than adequate. Any more and yep, you’re probably doing more harm than good.
Sorry, Snake, you’re wrong.
Restarting your computer 5 times won’t do jack to rebuild prefetch hash files. You need to actually run the programs to build those .pf files.
And if the program itself changes, it gets a new hash file. You don’t need to delete the old one. I have a Media Center machine here that has been running continuously since November. I have never manually done anything with the Prefetch folder. Yet the oldest prefetch hash file in that folder is dated only two days ago. Layout.ini is dated yesterday, and the NTOSBoot file is dated one week ago.
You don’t need to mess with the Prefetch folder. It can take care of itself.
Like Ed said Snake you are wrong.
Snake that is total nonsense if the size of the folder’s contents effected a program’s load time then this could easily be timed. The folder’s file limit is 128 entries before Windows XP auto cleans it. I’ve timed systems boot and applications loads with a handful of files in the folder and the folder maxed out at 128 entries and the load times DO NOT CHANGE.
“But during startup the Prefetch folder’s FAT entries must still be parsed to find the correct hash, that hash loaded then executed upon. The larger the folder the longer the IFS takes to parse a directory. Known fact.”
NTFS doesn’t use FAT! Regardless like I said this could easily be timed and I have and the size of the folder’s contents in no way negatively effected the load times of Windows or the applications. Your the one making assumptions and creating incorrect “theories”. How Windows XP Prefetching works is fully documented.
“Don’t get agressive in emptying that Prefetch - but once in a Blue Moon clean it and restart the machine at least 5 times (for the OS to rebuild the prefetches necessary, but only the required ones necessary). You’ll find that your OS initial load time drops by about 15%.”
Wrong it only takes Windows 1 reboot to rebuild the NTOSBoot file and a second to fully optimize it. This is the same with launching ANY application, it is fully optimized after the second load but 90% of the optimization was already done the first time. Windows only builds one Prefetch file during boot and that is the NTOSBoot file. Like Ed said you have to launch applications to build the rest, rebooting Windows does nothing for them.
Snake I suggest you learn how Windows prefetching works and stop spreading complete misinformation and nonsense. People who are seeing performance loss at boot or applicatoin loads either have prefetching broken or disabled in some way or are not letting their systems go idle (ten minutes) which is when the Prefetch files are further optimized. I suggest these people force the idle tasks to run instead of listening to this nonsense.
That can be done by going to Start, Run and Typing:
Rundll32.exe advapi32.dll,ProcessIdleTasks
and you can then further optimize this by typing:
defrag c: -b
Again Windows does this all automatically and you don’t have to do anything but for whatever reason people manage to create new and interesting ways to deoptimize their systems daily.
thanks for this posting
regards
I’m one of those people who has written guides that recommend disabling prefetcing. I do it on my own rigs after I noticed an improved boot time some time ago. After seeing this article I decided to do some testing.
With prefetching off, my boot from power on to the dissappearance of userinit.exe in Task Manager was 79secs. I tested 7 apps I commonly use. Their respective load times (in seconds) were 33, 17, 12, 4, 4, 4, 4.
I re-enabled prefetching (Task Scheduler Service), rebooted three times, ran those apps to generate the prefetch hashes, verified the hashes for those programs were there and shut down the PC. Left the PC for about 30secs then powered on. Boot time from power on to the dissappearance of userinit.exe in Task Manager was 81secs. The load times were 33, 17, 12, 4, 4, 4, 4. No change except for two seconds extended Windows boot time.
Although my testing wasn’t extensive, I’ve learnt a few things from this article.
- Disabling prefetching is over-rated.
- Enabling prefetching is over-rated.
- Boot time variations from leaving prefetching enabled are likely to be negligible.
- Performance differences come down to the individual’s PC’s and how they use it. On my PC and for my use, it’s a moot topic.
If you really want to improve boot times and load times, get a fast hard drive and make sure you have ample RAM. You can’t substitute pure grunt with a myriad of tweaks.
If you are fussed about tweaking prefetching, try it on and off and time your own PC with the apps you use. make up your own mind.
I’ll keep prefetching on for a month or so and will report back if my observations change.
For reference, I wholeheartedly agree that many tweaks can degrade performance and I applaud you guys for taking the time to debunk them.
The Point of clearing the predfetch folder is, that if you install new software and afterwards deinstall it, windows will still try to optimize the disk for the non-existing software. Of course, there is no point in flushing this folder daily, but after a month or two it IS quite useful and speeding up the system. On my test-system where I have to install many different software-packages, the boottime decreased from 20secs to only 7!
I have a problem with long load times for some processes, up to 8 minutes.
Having read this page I disabled prefetch and the load time reduced to 2 minutes. Still something is wrong but I also ran my antivirus scan and was surpried to find the normal 18 to 20 minutes for a scan before disabling prefetch the scan only took 8 minutes.
The problem with using a stop watch is that so many processes are running in the backround timing two runs with only the presence of prefetch different is not posibble.
How does prefetch get affected by smartdrv or has this been removed in windows.
At least smartdrv had a monitor in it so you could see the effect. Does prefetch have similar monitor.
It seems timing the boot up process is not a good test of prefetch. The point of prefetch like smartdrv is to pay a small penalty the first time a block of code is used to save time later in the session when the same block of code is needed again. In the case of smartdrv the session was as long as the machine was switched on but with prefetch holding data on disk the “sesion” is much longer.
I had a problem with defraging om my hard drive and it was saying that it was in the prefetch folder. deleted it and it has worked ok.
50, first of all the Task Scheduler Service is merely one thing that must be set to automatic.
1. You cannot use an nLite install of XP for testing since parts of XP may have been ripped out.
2. The EnablePrefetcher Registry Value must be set to 3.
3. You must do the following procedure after rebooting 3 times. Go to “Start”, “Run”, Type Rundll32.exe advapi32.dll,ProcessIdleTasks. This can take 10-15 minutes to run but no notification will be given when it is finished. You will notice increased Harddrive activity while it is running wait until this stops. When this is finished in the “Run” box Type defrag c: -b. This is necessary to confirm the idle tasks were run.
When timing with a stopwatch you must time from pressing the power button until startup.
All you have proved is that Prefetching is broken on your system in some way or your testing is flawed. Perform a clean non nlite install and test again. When you say Prefetching is “off” you need to make sure the Task Scheduler is disabled, the EnablePrefetcher value is set to 0 and the Prefetch folder is empty.
Christina,
That is impossible if you uninstalled the software then there are no files for the defrag prefetch optimization to move when the system is idle in relation to those programs. Your boot times decreasing had absolutely nothing to do with cleaning the Prefetch folder. I suggest you provide documented reproduceable tests on a clean non-nlite install of Windows XP. Of which no one will be able to reproduce your results because it simple does not work that way.
Mick,
Why in God’s name would you read this page and disable prefetching? That is not your problem! If you think it is you obviously did NOT read this page!
AntiVirus scan times are irrelevant to prefetching. Prefetching only accelerates application and windows load times.
Smartdrv? Are you kidding me! That is a DOS program. Prefetching is only found in Windows XP and Vista.
PREFETCHING HAS NOTHING TO DO AND IS IN NO RELATION TO SMARTDRV!!! There is NO PENALTY, NONE, ZIP, NADDA. STOP MAKING STUFF UP!!!!
Testing boot time is an EXCELLENT way to test boot prefetching. Since this is one of the things prefetching accelerates.
Please do not comment here if you are not going to at least take the time to read the whole thread and all the explanations. Don’t guess and assume because you will be wrong.
David,
If you had a problem with the prefetch folder that was likely due to a disk related problem or a file system related problem. Neither of which has anything to do with prefetching. There are many reasons the prefetch folder can get corrupted. You need to fix the source of the fiile corruption not delete the prefetch folder.
Causes of file corruption in XP:
1. Overclocking
2. Defective Harddisk
3. Using Fat32 instead of NTFS as the file system
4. Defective RAM
5. Defective Mainboard
6. Defective Power Supply
The files in my prefetch folder are compressed. Is that the way they should be? If not, what happened there? Should I do anything about it?
Hi
just to let you know that I had found Ad-Aware in my
C\WINDOWS\prefetch under FIREFOX.EXE.————–pf and IEXPLORE.EXE———–pr
This Virus will launch and open your browser with a new page
Canli,
What do you mean they are “compressed”? How do you know this?
Luis, If those files had an extension .pf than they are NOT a Virus. Many AntiVirus and AntiSpyware apps incorrectly identify the associated Prefetch file that was linked to an infected executable as a Virus or Malware. If the extension was .pf for those files then I suggest you report the false positive (this is