Prefetch Statement (Powershell 4.0) for local files

With PowerShell 4.0 there are now cmdlets that give the file hash algorithms so I decided for my very first PowerShell script I would try and come up with a way to create a prefetch statement block for files.

Note: Since this is my first script, I’m not sure how accurate or useful this will be outside of my organization, but with the knowledgeable community we have here, I figured someone could probably find some use for it or even make it better! (You will need to tweak the URL portion to fit your environment)

Link to file: https://onedrive.live.com/redir?resid=3DD2FF7EE7C766A3!1728&authkey=!AJYPEo60SfsbFOc&ithint=file%2Cps1

Usage: When you run the script you should get an input box where you enter the full path to your file name (without quotes) and the script will output a file named “prefetch.txt” to the directory that you ran the script from.

Text File Output Example:
File Path: C:\Con_Worksheet.pdf
SHA1: 5ECA3E18ABC9EF67E00D1868B330D497482A6650
SHA256: 6017D552AF20FAD7311123887B6E06B73A47263E267FD515CA7F395AFD79F3C1
Size: 14233

######################################### Prefetch Statement Below ###############################################################*
begin prefetch block add prefetch item name=5ECA3E18ABC9EF67E00D1868B330D497482A6650 sha1=5ECA3E18ABC9EF67E00D1868B330D497482A6650 Size=14233 url=SWDProtocol://127.0.0.1:52311/Uploads/5ECA3E18ABC9EF67E00D1868B330D497482A6650/Con_Worksheet.pdf.bfswd
sha256=6017D552AF20FAD7311123887B6E06B73A47263E267FD515CA7F395AFD79F3C1
end prefetch block

I would recommend sharing this script through https://github.com/ so that others can contribute to it and improve it over time.

I went ahead and created a GitHub account. I think I did this right

Yes, that is correct. Thanks!

The link to the raw file is: https://raw.githubusercontent.com/peterj04/PowerShell-MakePrefetch/master/MakePrefetch.ps1

I have updated the my code to make a functional GUI that outputs the information in the form itself.
The only caveat is that this requires PowerShell 4.0 or higher

There’s still more I’d like to add, but as I said before, I’m not sure how useful this really would be to anyone else.

Link to the raw data:
Make Pretech Version 2.0

Here is a screenshot:

There are many similar tools and ways to generate a prefetch, but it doesn’t hurt to have one in PowerShell as well. I make prefetches a lot, so every option to help is useful.

Here is a bookmarklet I created that will turn a VirusTotal analysis page into a prefetch:

• http://marklets.com/VirusTotal%20to%20Prefetch.aspx
• https://gist.github.com/jgstew/ef36d020de4614673ba8

Here is a tool that helps you generate prefetches by right clicking on a file in windows:

• BF File Properties: https://bigfix.me/projects/details/7

Here is an option using relevance that can be used in the fixlet debugger:

• https://bigfix.me/relevance/details/2998744

Similarly, this will do the same, but create a prefetch block instead:

• https://bigfix.me/relevance/details/2998745

Similarly, this option will take a normal prefetch statement and turn it into a prefetch block:

• https://bigfix.me/relevance/details/2999075

A python script to make a prefetch statement: https://github.com/bigfix/make-prefetch

I have a new and improved “VirusTotal to Prefetch” option here: http://marklets.com/BigFixPrefetch%20added%20to%20VirusTotal%20analysis%20table.aspx

I also have a new home for this code on GitHub: https://github.com/jgstew/tools/tree/master/JS/VirusTotal2Prefetch ( <-- screenshots)