Full path to the file?

[Xhonor]

Hello. Already asked a question on StackOverflow https://stackoverflow.com/questions/54737510/prefetch-parsing-unknown-volume-disk?noredirect=1#comment96261324_54737510 , but could not get an answer. Can you help me with this question? How to get the full path to the file that is used in Prefetch?

[EricZimmerman]

hi

ill answer there too, but:

It should be in mounted devices and mount points. It's the storage volume guid

the full path to the file executed is in the Files referenced collection.

dump a pf file with pecmd from the command line then look for the file entry in yellow

thats the full path

[Xhonor]

I tried, but he gives me an unknown Volume ID. There is no such thing in the lists of my disks.

[EricZimmerman]

which entry in mountpoints is for the c drive? perhaps the guid is rearranged?

could the data you are seeing be from a previous windows install that had older GUIDs?

how old is the prefetch? has a windows10 update happened since then?

do some testing on a clean install. run an exe from somewhere, look at prefetch guid, and match it up to what is in current moutpoints.

its hard to be more specific without more details

[Xhonor]

Noup, i start Cinema 4d - 4 hours ago... Try in another PC.

[EricZimmerman]

try this

PS C:\WINDOWS\system32> diskpart

Microsoft DiskPart version 10.0.17763.1

Copyright (C) Microsoft Corporation. On computer: DESKTOP-9L1HKC9

DISKPART> list disk

Disk ### Status Size Free Dyn Gpt

---

Disk 0 Online 476 GB 2048 KB *

DISKPART> select disk 0

Disk 0 is now the selected disk.

DISKPART> uniqueid disk

Disk ID: {5F589409-D1DC-4E18-A0D9-5A1593F78A08}

what does your C drive disk show?

[EricZimmerman]

also you may need to pull the GUID out of the binary data in mounteddevices

please let me know what you find.

[Xhonor]

[Xhonor]

Disk ID: C9514D29

[Xhonor]

Another disk {1A672A06-D975-42B9-A5FC-19805A188576}

[Xhonor]

Same problem in another PC. Unknown Volume.

[EricZimmerman]

you can see the full path to the exe. that should only exist on a single drive in your case with a reference to program files, etc. that should help to a degree to determine which volume its on

[EricZimmerman]

The volume id is two parts

Creation time of the volume as a 64 bit filetime, as hex, in big endian format The volume serial number

It's not found anywhere else that I know of.

[jasonexe2000]

I have the same issue. Output is not in the correct GUID format.

[EricZimmerman]

You are incorrect assuming it's a guid.

The format is correct. It was reversed after the initial comments long ago.

This is not an issue. It's just the way it is.