Chuck said:
I've found that I have not only svchost.exe in my System32, but also a
capitalized SVCHOST-3530F672.pf in my Windows\Prefetch (it's 90 kb in
size). Somewhere I read that this is not a legitimate file and
should be deleted. However, before I do so, would someone confirm
and explain about this file. Thanks. Also, I've been told that I
can delete the contents of the prefetch folder and that it will
simply rebuild itself. True or not? Thanks.......
I have the same file in the same location. XP Pro, SP2+, IE7. I looked in
it, and its contents include a lot of device info as one might expect in a
prefetch (.pf or .pf_) file.
There's a huge number of posts online questioning it on forums but no one I
saw there was definitive; all I saw were a lot of guesses, most of them
irrelevant to the problem because they were neglecting the .PF part of the
filename.
One thing to notice is that this is a .PF file, NOT a .EXE. But, that said,
I've no idea why the .EXE is part of the filename.
IMO, it's a legitimate file. It's coincidental, but I just ran updated AV
and 4 spywares yesterday on my system and none reported finding anything.
That's not to say it's harmless though, especially if it's something new.
Malware loves to pose as legit filenames.
Personally, I'm going to rename it to put "OLD..." into the filename and see
what happens; I suspect it'll just create another one eventually when the
right app runs. It IS true that you're supposedly able to delete all the
prefetch files, and I've done that before without incident. But everything
will just be recreated upon demand as the pc gets used, so it's not proof
you'd be getting rid of anything bad - whatever it's for is located
elsewhere on the hard drive.
The only suspicious thing going on with my system is I'm getting
occasional 'net requests for a port on my LAN system of 192.168.1.47, which
is NOT an assigned address on my LAN. As a result my firewall catches it
and asks for permission to connect, which I deny. I don't just create a
rule because I want the reminder that it's happening and will troubleshoot
it sometime; maybe now is a good time.
So, watch out for people mistaking the .PF for being an EXE; it's the PF you
have to be looking for.
If I figure out anything I can reference solidly and with confidence,
I'll post back.
HTH
Pop
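
An added example, not part of either post: a check that a `.pf` file really is a prefetch trace and that the executable name and hash in its header agree with its filename. It assumes the publicly documented uncompressed (XP-era) header layout, with the `SCCA` signature at offset 4, the executable name as UTF-16 at offset 0x10 and the path hash at offset 0x4C; the function names and sample bytes are constructed here, and the sample filename combines the hash Chuck quotes with the `.EXE` Pop mentions.

```python
import re
import struct

# Prefetch files are named <EXE NAME>-<8 hex digit path hash>.pf
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

def parse_pf_header(data):
    """Return (version, exe_name, path_hash), or None if there is no SCCA signature."""
    if len(data) < 0x50 or data[4:8] != b"SCCA":
        return None
    version = struct.unpack_from("<I", data, 0)[0]      # 17 on Windows XP
    raw_name = data[0x10:0x4C]                          # 60 bytes, UTF-16LE, NUL-padded
    exe_name = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    return version, exe_name, path_hash

def check_pf(filename, data):
    """Compare a prefetch file's name with what its own header records."""
    m = PF_NAME.match(filename)
    if m is None:
        return "filename is not of the form EXE-HASH.pf"
    header = parse_pf_header(data)
    if header is None:
        return "no SCCA signature: not an uncompressed prefetch file"
    _, exe_name, path_hash = header
    if exe_name.upper() != m["exe"].upper():
        return "header names %r, filename says %r" % (exe_name, m["exe"])
    if path_hash != int(m["hash"], 16):
        return "header hash %08X differs from filename" % path_hash
    return "consistent"

def make_sample(exe_name, path_hash, version=17):
    """Build a constructed 0x50-byte header for the demonstration (not a real capture)."""
    name = exe_name.encode("utf-16-le").ljust(60, b"\x00")
    # Offset 8 is an undocumented field (placeholder value); offset 12 is the file size.
    return struct.pack("<I4sII", version, b"SCCA", 0x0F, 0x50) + name + struct.pack("<I", path_hash)

if __name__ == "__main__":
    name = "SVCHOST.EXE-3530F672.pf"   # constructed sample filename
    print(check_pf(name, make_sample("SVCHOST.EXE", 0x3530F672)))
    print(check_pf(name, b"MZ" + b"\x00" * 0x60))           # an executable renamed to .pf
    print(check_pf(name, make_sample("OTHER.EXE", 0x3530F672)))
```

A "consistent" result only shows that the file is a prefetch trace for an executable of that name; it says nothing about whether the executable it was recorded for is the genuine one in System32.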