# Troubleshooting and Evasion Detection

Users may attempt to disable, clear, or manipulate Prefetch data to hide their tracks. Awareness of these techniques is key:

* **Prefetch Disabled (Registry):** The primary control is the `EnablePrefetcher` DWORD value in the registry at `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters`. Common values are `0` (Disabled), `1` (Application launch prefetching enabled), `2` (Boot prefetching enabled), `3` (Both enabled, the default). A value of `0` found during a check is suspicious and indicates deliberate disabling.
* **SysMain Service Stopped:** The `sysmain` service (formerly Superfetch) is responsible for managing the Prefetcher. Check its status using `sc query sysmain` in an administrative CMD. If the service `STATE` is not `RUNNING` (e.g., `STOPPED`), Prefetching is inactive. Restarting the service might be necessary for logging to resume, but doing so also clears some volatile system caches, which can impact other analysis steps. Finding it stopped without good reason is a red flag.
* **Permission Tampering (CACLS/ICACLS Bypass):** Attackers might alter the security permissions (ACLs) of the `C:\Windows\Prefetch` folder itself to prevent the System or SysMain service from writing new `.pf` files or updating existing ones. This can be done using commands like `cacls` or `icacls`. Check the folder's Security tab in its Properties. Evidence of recent permission changes (granting/denying write access) can often be found in the USN Journal (`$UsnJrnl`) by looking for `SECURITY_CHANGE` reason codes associated with the `Prefetch` directory path.
* **Hidden Prefetch Files:** Individual `.pf` files can be marked with the 'Hidden' attribute. Use `dir /ah C:\Windows\Prefetch` in an administrative CMD to reveal any hidden files within the directory.
* **Prefetch Clearing:** Users may simply delete the contents of the `C:\Windows\Prefetch` folder. Finding the folder empty or missing expected entries (like `.pf` files for `explorer.exe`, `AnyDesk.exe`, or the game itself) when the SysMain service is running and Prefetch is enabled in the registry is highly indicative of manual clearing. The **USN Journal (`$UsnJrnl`)** is the primary tool to detect this, as it will log numerous `FILE_DELETE` events corresponding to `.pf` filenames occurring around the time of the clearing.
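The registry, service, hidden-file and ACL checks above, collected into one read-only triage script. This is an added example, not from the original page; the low-count threshold of 10 `.pf` files is an assumed heuristic, and the script must run in an elevated PowerShell session because `C:\Windows\Prefetch` is not readable by standard users.

```powershell
# Added example: read-only Prefetch evasion triage. Changes nothing on the host.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
$pfDir   = 'C:\Windows\Prefetch'
$meaning = @{ 0 = 'Disabled'; 1 = 'Application launch only'; 2 = 'Boot only'; 3 = 'Both enabled (default)' }

# 1. Registry: EnablePrefetcher value (0 = deliberately disabled)
$val = (Get-ItemProperty -Path $regPath -Name EnablePrefetcher -ErrorAction SilentlyContinue).EnablePrefetcher
if ($null -eq $val) { Write-Warning "EnablePrefetcher value missing (treat as suspicious)" }
else {
    $desc = if ($meaning.ContainsKey([int]$val)) { $meaning[[int]$val] } else { 'Unknown value' }
    Write-Host "EnablePrefetcher = $val ($desc)"
    if ($val -eq 0) { Write-Warning "Prefetch is disabled in the registry" }
}

# 2. Service: SysMain must be Running for new .pf files to be written
$svc = Get-Service -Name SysMain -ErrorAction SilentlyContinue
if ($null -eq $svc) { Write-Warning "SysMain service not found" }
else {
    Write-Host "SysMain service status: $($svc.Status)"
    if ($svc.Status -ne 'Running') { Write-Warning "SysMain is not running; prefetching is inactive" }
}

# 3. Folder contents: total .pf count (-Force includes hidden items) and hidden .pf files
$pf = @(Get-ChildItem -Path $pfDir -Filter *.pf -Force -ErrorAction SilentlyContinue)
Write-Host ".pf files present: $($pf.Count)"
# Assumed heuristic: enabled + running + almost no files points at manual clearing
if ($pf.Count -lt 10 -and $val -eq 3 -and $svc -and $svc.Status -eq 'Running') {
    Write-Warning "Prefetch enabled and SysMain running but very few .pf files; check `$UsnJrnl for FILE_DELETE events"
}
$hidden = $pf | Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }
foreach ($h in $hidden) { Write-Warning "Hidden .pf file: $($h.Name) (modified $($h.LastWriteTime))" }

# 4. ACL: explicit Deny entries on the Prefetch folder, the typical cacls/icacls tampering sign
$acl = Get-Acl -Path $pfDir
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Deny') {
        Write-Warning "Deny ACE on $pfDir for $($ace.IdentityReference): $($ace.FileSystemRights)"
    }
}
```

Any `Write-Warning` line is a finding to follow up in the USN Journal; a clean run prints only the informational lines.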
