• Disabled Prefetch, but still seems to be fetching

    #2147144

    Okay, I know that most people with SSD’s have disabled the SysMain service (Prefetch and Superfetch.) But I have found that I get a little bit better performance with SysMain running. And I like the RAM compression feature. But I don’t want Prefetch running now that I have a new SSD. (Superfetch went away when Win10 saw that I had installed an SSD.)

    So I did the usual Regedit thing. I changed the DWORD for EnablePrefetcher to 0. That should have disabled Prefetch.

    But the Prefetch folder still populates whenever a new app runs.

    So then I opened a PowerShell and typed mmAgent.

    To my surprise, it reported that ApplicationLaunchPrefetching was set to True. (Even though disabled in the Registry. A clue?) I typed Disable-mmAgent -ApplicationLaunchPrefetching and now it shows False.

    Reboot.

    The Prefetch folder still populates.

    So then I opened AutoRuns and checked for SysMain. I found an entry for a Scheduled Task called ResPriStaticDbSyc. I unchecked that. Reboot. No difference.

    It’s hard to tell with an SSD. But it seems that the first run of programs takes a little longer than subsequent runs.

    At this point, I’m not asking if anyone knows how to disable Prefetch. I think I’ve done all that can be done. I think this is a bug. I am looking to see if anyone else has seen it.

    Win10 Home, 1903.

    • #2147998

      It’s hard to tell with an SSD. But it seems that the first run of programs takes a little longer than subsequent runs.

      That’s quite normal, Windows memory management doesn’t unload memory immediately a program closes, once memory pressure from other software increases, then it will unload but replace file data with links (Standby) and a proportion of that unloaded memory will likely be transferred to the page file (Paged out), or sometimes to a temp. page file if you’ve disabled paging.

      Several background maintenance tasks, like mapping SSD free space after Trim, will appear to be like prefetching. Study Resource Monitor to learn more, also RAMMap is very useful.

      3rd party software like browsers can also prefetch online data from links.

    • #2152824

      I know that most people with SSD’s have disabled the SysMain service (Prefetch and Superfetch.)

      I have an SSD, haven’t disabled SysMain service, have Prefetch folder which is empty.

    • #2152930

      Hi @Alex5723. Thanks for checking and the report.

      Interesting. That is the behavior I would expect after Win10 sees an SSD has been installed. (I presume that you did not manually go into the Registry or PowerShell to disable Prefetch?)

      In either case, the Prefetch folder shouldn’t populate when Prefetch is disabled.

      So apparently there is something unique with my Win10.

      (I have heavily NTLite’d it. So I’m not vanilla. But I can’t imagine what I could have removed that would cause Prefetch to keep running. Or half run.)

    • #2152953

      And @alex5723, did you install Win10 with the SSD already installed? Or did you do a change over from HDD to SSD like me? (I am thinking that perhaps some switch doesn’t get changed correctly in the Prefetch code in Win10 when one does a change to SSD.)

    • #2152987

      (I presume that you did not manually go into the Registry or PowerShell to disable Prefetch?)

      Sysmain is enabled on my 1903 Pro.

      • #2153213

        @Alex5723 Tnx. Yes, I know that you didn’t disable SysMain. But in mmAgent in PowerShell, one can “fine tune” what SysMain does. So I was just confirming that you hadn’t manually turned off Prefetch from mmAgent. Since you haven’t tweaked it, that’s why I’m on my next hunt, as to whether changing from HDD to SSD in mid-stream is why my results are different from yours.

    • #2153157

      Now I am wondering if the /Prefetch folder is set to ReadOnly when SSD is detected? Like, maybe there’s a script that Windows runs during installation? That might explain why my Win10 is still writing to the /Prefetch directory after switching to SSD after installation.

      Anyone with an SSD for their OS drive want to check the attributes on /Prefetch for me?

      • #2153456

        Tell us exactly what to check and how and we’ll post.

        cheers, Paul

    • #2153527

      Right click on the Prefetch folder under Windows. At bottom of General Tab, will show whether Read Only or not.

      Interestingly, mine is showing Read Only! And yet, the folder is being written to!

      I don’t understand how that can be. Some super-user account?

    • #2153537

      This is getting stranger and stranger.

      When I first checked the Attribute on my Prefetch folder, the Properties box shows 0 files in the folder. Even tho the folder is populated with .pf files.

      So then I dropped to Safe Mode Command line, deleted all the files (which I shouldn’t have been able to do if the folder was ReadOnly). Then I checked the folder’s attributes. It was NOT showing as ReadOnly from Safe Mode.

      So I set the attribute to ReadOnly.

      Back to normal Windows. Prefetch is still populating.

      So then to the PowerShell to check the attribute of Prefetch.

      get-itemproperty -path windows\prefetch

      Returns d-r---

    • #2153605

      Anyone with an SSD for their OS drive want to check the attributes on /Prefetch for me?

      The folder is read only

    • #2153856

      It is read only, as is every other folder in Explorer. This is normal.

      The permissions are actually read / set on the Security tab.

      You must have modified the permissions on the Prefetch folder because you can’t normally view its contents in Explorer – Windows does this to all system folders.

      cheers, Paul

      • This reply was modified 5 years, 3 months ago by Paul T.
    • #2153955

      Well, I finally got the Prefetch folder to stop populating. I had to take a big hammer to it.

      But first, since I seem to be the only one with this problem, and since I have removed components from Win10 using NTLite, this problem might be unique to me. For example, I discovered last night that I can’t run PowerRun because I removed Secondary Log On. And from what I just had to do to stop my Prefetch folder from populating, it might be that SecLogOn is a necessary component for Windows to set folder permission correctly here.

      (Or again, as I said initially, maybe Windows doesn’t change the Prefetch folder permissions correctly when someone switches from an HDD to an SSD after an install of Win10.)

      So here’s what I did. In my User account, I ran Take Ownership to take ownership of the Prefetch folder. Then I opened the Properties tab > Security.

      Then I Edited the Permissions. I clicked “Deny” Write Permission and Applied. At first it didn’t take. (Error message.) But after three tries, it took.

      Then I had to do the same thing from Administrator account.

      Somewhere along the way a third User name – Administrators – appeared in the list of users. I pounded on them 3 times to deny Write permission, and finally it took.

      I noticed that the contents of the Prefetch folder were different from User to Admin, which I suppose makes sense. But that also implies that the Prefetch folder is more like a symbolic link than a regular folder. Except that I don’t see an indicator that it’s a symlink folder.

      I still have some pf files in the folder, from before I finally stopped Windows from writing to it. I will go in with a Live Linux Distro and remove the files from Linux. (It will be interesting to see if that leaves any files in either the Admin or User flavor of the Prefetch folder in Windows.)

    • #2153979

      Well, this might be the end of the story.

      I was able to hack Secondary Log On service back into Win10.

      After I did that, the SysMain service is no longer running, even tho set for Automatic start. Nor can I start it. (Gives me an error.)

      I presume that it won’t start because of my new SSD for the OS. And that, now that SecLogOn is working, Windows is now able to change switches internally to reflect this.

      (This all started because I wanted to enable the RAM Compression feature of SysMain. (Even tho I have 16 GB RAM.) Although it never compressed my memory like it used to when I had 8 GB and a HDD.)

      Thanks for everyone’s help.

    • #2167375

      Denying Windows permissions on folders is asking for trouble IMO. Windows is likely to crash / fail to start services / etc.

      Having an SSD is not relevant to services failing to start, it’s just a disk.

      cheers, Paul

    • #2171316

      Is Paul T. the famous Paul Th? If so, then I’m honored and feel like I should tell the End of the Story.

      I did what I should have done before posting in this forum. I installed a fresh 1909 (downloaded from MS in December, without any KB’s) in a VM and experimented with various settings of Prefetch and Superfetch to see how/if these settings affected the Prefetch folder. Since my VM doesn’t see the SSD, I also Refreshed my 1903 Desktop (which has a SATA SSD) with 1909 Home, restoring it to an almost vanilla state. (Some reg tweaks for Explorer, etc. persisted thru the Refresh.) In the latter case, only Prefetch settings are available, because Superfetch is disabled due to my SSD.

      The bottom line is that, in my tests, the Prefetch folder always populates even if I have turned off Prefetching (from both the Registry and from mmAgent). The only way it does not populate is if I disable the SysMain service entirely.

      For example, with SysMain running in Services, but showing “False” for all entries in mmAgent (PowerShell), Prefetch is still populating.

      However – perhaps a clue – setting MaxOperatingAPIFiles to 1 causes the Prefetch folder to purge itself periodically (every few minutes), keeping the .pf count close to one.

      I am at a loss to understand how the Prefetch folder does not populate for some people here. (Even though not populating is what I had expected with parameters for Prefetch set to 0 or False (Registry and Powershell respectively.))

      If this is not a bug in Win10, then the only hypothesis that I can offer is that maybe the people who don’t see anything written to their Prefetch folder are running faster NVMe SSD’s (or Optane caching) and in those cases, perhaps Windows doesn’t use Prefetch files at all.

    • #2341292

      I know this is an old thread, but I thought I’d just chip in with an opinion.

      The fact that the Prefetch folder still populates despite being disabled in the Registry, I don’t think is a bug, I think it’s intended behaviour.

      The Prefetch folder is a goldmine for computer forensics investigators, and helps with ‘scene of habitation’ analysis – i.e. what someone is doing with a computer. It was easy to turn off in XP – the Registry change had the desired effect and the folder would no longer populate.

      Fast forward to Win10 and the folder stubbornly refuses *not* to populate despite Prefetch being ‘turned off’. Reading between the lines, I suspect this ‘functionality’ is there to keep law enforcement happy.

    • #2390376

      I think the advent of SysMain is more likely to be the reason configuring Prefetch in the registry does nothing. It looks like the developers switched all the config settings to the sysmain service and didn’t bother to get rid of the prefetch registry key.

      It is also possible that they kept it there because the superfetch still produces prefetch files for all the forensics tools that have been written to parse it.

      Stopping the sysmain service will stop the prefetch directory from populating.
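
Added example (not posted by anyone in this thread): a read-only PowerShell snapshot that puts the settings discussed above side by side with what the Prefetch folder is actually doing, which is also what an examiner would record before relying on .pf files as evidence. The registry path is the standard PrefetchParameters location and is an assumption here, since the thread never spells it out; run it from an elevated prompt.

```powershell
# Added example: read-only check of the Prefetch-related settings from this thread.
# Nothing here changes configuration. Run elevated so the Prefetch folder is listable.

# Registry value edited in the first post (path assumed: standard PrefetchParameters key).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
$reg = Get-ItemProperty -Path $regPath -Name EnablePrefetcher -ErrorAction SilentlyContinue

# SysMain service state; Get-MMAgent may fail when the service is stopped, so guard it.
$svc = Get-Service -Name SysMain -ErrorAction SilentlyContinue
$mm = try { Get-MMAgent -ErrorAction Stop } catch { $null }

# Folder activity: file count, newest write, and how many .pf files changed in the last hour.
$pfDir  = Join-Path $env:SystemRoot 'Prefetch'
$pf     = @(Get-ChildItem -Path $pfDir -Filter '*.pf' -File -ErrorAction SilentlyContinue)
$newest = $pf | Sort-Object LastWriteTime -Descending | Select-Object -First 1
$recent = @($pf | Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-1) })

# Explicit Deny entries on the folder (the "big hammer" described earlier in the thread).
$deny = @((Get-Acl -Path $pfDir -ErrorAction SilentlyContinue).Access |
          Where-Object { $_.AccessControlType -eq 'Deny' })

$snapshot = [pscustomobject]@{
    EnablePrefetcher             = $reg.EnablePrefetcher       # empty if the value is absent
    SysMainStatus                = $svc.Status
    SysMainStartType             = $svc.StartType
    ApplicationLaunchPrefetching = $mm.ApplicationLaunchPrefetching
    MemoryCompression            = $mm.MemoryCompression
    PfFileCount                  = $pf.Count
    NewestPfFile                 = $newest.Name
    NewestPfWrite                = $newest.LastWriteTime
    PfWrittenLastHour            = $recent.Count
    DenyAclEntries               = $deny.Count
}
$snapshot | Format-List

# Flag the mismatch reported in this thread: settings say "off", folder still changing.
$settingsOff = ($snapshot.EnablePrefetcher -eq 0) -or
               ($snapshot.ApplicationLaunchPrefetching -eq $false)
if ($settingsOff -and $snapshot.PfWrittenLastHour -gt 0) {
    Write-Warning 'Prefetch is configured off, but .pf files were written in the last hour.'
}
if ($snapshot.DenyAclEntries -gt 0) {
    Write-Warning 'Prefetch folder carries Deny ACL entries; this is not a default configuration.'
}
```

Launch an application that has not run recently, wait a minute, and run the snapshot again; a change in NewestPfWrite shows the folder is still being populated regardless of what the settings report.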
