# Prefetch Clearing

* **Description:** This involves the removal of Prefetch files (`.pf`) from their storage location (`C:\Windows\Prefetch`). As Prefetch files contain detailed execution history (timestamps, run counts, loaded resources), deleting them eliminates this direct source of evidence.
* **Mechanism:**
  * *Manual Deletion:* The user navigates to `C:\Windows\Prefetch` (requires admin rights) and simply deletes specific `.pf` files (e.g., `cheat.exe-HASH.pf`) or selects and deletes the entire contents of the folder.
  * *Scripting/Tools:* Cleanup utilities (like CCleaner, BleachBit) or custom scripts (`.bat`, `.ps1`) can be configured or run to automatically clear the Prefetch folder.
* **Why Cheaters Use It:** To erase the execution history of specific cheats or tools, preventing the ScreenSharer from finding direct proof of recent launches via Prefetch analysis tools like WinPrefetchView.
* **Detection:**
  * **USN Journal (`$UsnJrnl`):** This is the **primary detection method**. The deletion of any file, including `.pf` files, is meticulously logged in the Journal with a `FILE_DELETE | CLOSE` reason code, associated with the specific filename (e.g., `CHEAT.EXE-1234ABCD.pf`) and the `C:\Windows\Prefetch` path. Finding recent `FILE_DELETE` entries for `.pf` files, especially multiple deletions occurring clustered in time shortly before or during the screenshare, is **strong evidence of Prefetch clearing**.
  * **Empty/Incomplete Folder:** Visually inspecting the `C:\Windows\Prefetch` folder and finding it completely empty, or suspiciously lacking entries for commonly executed system processes (`explorer.exe`), recently used applications (`AnyDesk.exe`), or the game itself (`javaw.exe`), is a significant indicator of clearing, *provided* that the SysMain service is running and Prefetching is enabled in the registry.
  * **Corroboration:** If other artifacts (e.g., BAM, memory strings) show recent execution of a program, but its corresponding `.pf` file is missing or has an old timestamp, clearing or tampering (such as the file's Read-Only attribute being set) should be suspected and investigated via the Journal.
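As an added example (not part of this guide or any tool it names), the USN Journal check above turned into a small script: given journal records in a constructed, simplified CSV layout (timestamp, reason flags, filename, parent path), it keeps the `FILE_DELETE | CLOSE` entries for `.pf` files under `C:\Windows\Prefetch` and reports runs of such deletions that fall within a short window. The sample records, the CSV layout, and the one-minute / three-file thresholds are assumptions, not real `fsutil` output.

```python
import csv
import io
from datetime import datetime, timedelta

PREFETCH_DIR = r"C:\Windows\Prefetch"

# Constructed sample records (simplified CSV, not real journal output):
# three .pf deletions within seconds of each other, plus unrelated noise.
SAMPLE_USN = """\
timestamp,reason,filename,parent
2024-05-01T20:14:02,DATA_EXTEND|CLOSE,EXPLORER.EXE-AB12CD34.pf,C:\\Windows\\Prefetch
2024-05-01T20:41:10,FILE_DELETE|CLOSE,CHEAT.EXE-1234ABCD.pf,C:\\Windows\\Prefetch
2024-05-01T20:41:11,FILE_DELETE|CLOSE,INJECTOR.EXE-9876FEDC.pf,C:\\Windows\\Prefetch
2024-05-01T20:41:12,FILE_DELETE|CLOSE,JAVAW.EXE-5555AAAA.pf,C:\\Windows\\Prefetch
2024-05-01T20:41:30,FILE_DELETE|CLOSE,notes.txt,C:\\Users\\Player\\Desktop
2024-05-01T21:05:00,FILE_DELETE|CLOSE,OLDAPP.EXE-0000FFFF.pf,C:\\Windows\\Prefetch
"""

def parse_records(text):
    """Parse the CSV-style records; timestamps become datetime objects."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows

def prefetch_deletions(records):
    """Keep FILE_DELETE|CLOSE records for .pf files under the Prefetch folder."""
    keep = [r for r in records
            if {"FILE_DELETE", "CLOSE"} <= set(r["reason"].split("|"))
            and r["filename"].lower().endswith(".pf")
            and r["parent"].lower() == PREFETCH_DIR.lower()]
    return sorted(keep, key=lambda r: r["timestamp"])

def cluster_deletions(deletions, window=timedelta(seconds=60), min_size=3):
    """Group deletions whose consecutive gaps are within `window`; return clusters of >= min_size."""
    clusters, current = [], []
    for d in deletions:
        if current and d["timestamp"] - current[-1]["timestamp"] > window:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append(d)
    if len(current) >= min_size:
        clusters.append(current)
    return clusters

def find_prefetch_clearing(text, **kw):
    """Return (first_ts, last_ts, filenames) for each suspicious deletion cluster."""
    clusters = cluster_deletions(prefetch_deletions(parse_records(text)), **kw)
    return [(c[0]["timestamp"], c[-1]["timestamp"], [r["filename"] for r in c]) for c in clusters]
```

On the sample, the isolated `OLDAPP` deletion and the Desktop file are ignored, while the three `.pf` deletions at 20:41 come back as one cluster.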
