What is Superfetch?

Superfetch is a performance optimizer that was introduced with Windows Vista. Working together with the memory manager service, it examines memory usage patterns over time and decides the most appropriate memory content at any time of the day.

In general, it is an improved version of Prefetch.

If the computer is using a fast SSD, which is measured by the Disk Score of the Windows Experience Index, the Windows operating system disables the Superfetch, ReadyBoot, and ReadyBoost features.

To measure this score, you can start CMD as an administrator and use the winsat formal command.

After the execution of this command, we can see the disk score by going to C:\Windows\Performance\WinSAT\DataStore and opening the “xml” file with “Disk.Assesment” in its name and looking at the DiskScore element in the WinSPR section of the WinSAT section.

Enable/Disable Superfetch

If Superfetch is turned off, we can open it by changing a Registry key.

We can enable Superfetch by changing the EnableSuperfetch key in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters.

1. If you set this key to 0, Superfetch will turn off.

2. If you give this key a value of 1, Superfetch is only turned on for boot.

3. If you give this key a value of 2, Superfetch will only be turned on for apps.

4. If you give this key a value of 3, Superfetch will open for both boot and applications.

It is also possible to turn off Superfetch via "services.msc".

After starting “services.msc”, we find the SysMain/Fast Fetch service, select the start type of the service as “Disabled” and press the “Stop” button below.

Superfetch File Formats

Superfetch files are located in the same directory as prefetch files and their filenames start with “Ag” and their extensions are “db” or “db.trx”.

The file name format is generally as follows:

AgCx_SC*.db.trx
AgAppLaunch.db
AgCx_SC*.db
AgGlFaultHistory.db
AgGlFgAppHistory.db
AgGlGlobalHistory.db
AgGlUAD_%SID%.db
AgGlUAD_P_%SID%.db
AgRobust.db

Reviewing Superfetch

The purpose of Superfetchin coming to Windows is performance review, so it keeps track of memory pages used for a long time and makes a better decision about which program should be loaded into memory and when.

Our purpose of Superfetchi analysis is to perform forensic analysis by examining files that are not normally found on computers.

Although the structure of Superfetchin has not been completely resolved, some of the information it holds are as follows:

• Name of executable

• How many times it was run

• How many times it runs in the foreground

• Files that support its operation (DLL, zip, file, database etc.)

• Accessed disks

• Absolute path information of files and disks that the file uses while working

• Time range of app activity

• Time stamps

We can use NirSoft's SuperFetchView tool to examine Superfetchi.

We download the tool from NirSoft's website, extract the exe file and start it as administrator.

After running the application, we give the db file that we want to examine on the screen that comes up. If you want to examine the Superfetch files on your own computer, you can use the default file location.

If you want to see only deleted and/or missing files, you can also tick the box below.

After entering the file location in the window above and pressing the "OK" button, we wait for the file to be analyzed by the program.

After the program analyzes the files, we can examine the records one by one, as you can see in the photo below.