Published Apr 16, 2026, 1:00 PM EDT
Afam's experience in tech publishing dates back to 2018, when he worked for Make Tech Easier. Over the years, he has built a reputation for publishing high-quality guides, reviews, tips, and explainer articles, covering Windows, Linux, and open source tools. His work has been featured on top websites, including Technical Ustad, Windows Report, Guiding Tech, Alphr, and Next of Windows.
He holds a first degree in Computer Science and is a strong advocate for data privacy and security, with several tips, videos, and tutorials on the subject published on the Fuzo Tech YouTube channel.
When he is not working, he loves to spend time with his family, cycling, or tending to his garden.
While using your computer, you may suddenly hear the fan buzz a bit louder or notice a sudden CPU usage spike without you starting any new tasks. On a phone, it's easier to see what launched and when, but Windows doesn't give you a clean activity history.
However, this doesn't mean that data about what runs isn't on your computer. Windows actually records and stores executable activity across different parts of the device. If you know where to look, you can piece this data together, and that information becomes very useful in managing or troubleshooting your computer.
Windows already keeps a record of what runs
The data exists — it’s just scattered across the system
Application activity is tied to performance optimization, security logging, and compatibility tracking; that’s why Windows records it.
However, as far as the OS is concerned, there are just three main sources for this information. The first is Prefetch, which logs execution with the aim of speeding up future launches. The next is Event Viewer, which may be useful for seeing processes that can trigger crashes, but more importantly, as long as auditing is enabled, it logs process creation events. Lastly, we have AmCache, which acts as a repository for metadata for applications that have run or been present.
These three services separately capture segments of app activity on your computer. So, individually, you don't always get the complete timeline. However, Prefetch is the most accessible starting point because you don't need any extra configuration to access the data that is just waiting to be read.
Prefetch is the closest thing to an app activity history
It logs what runs as a side effect of speeding things up
At app launch, the operating system tracks the files it uses so that they can be preloaded on the next launch. This is a smart way of optimizing speed. However, it also has the side effect of recording every execution.
All execution records are stored in the path: C:\Windows\Prefetch. Running an application makes Windows create a .pf file. This file is named after the executable and includes a hash that is generated from the location the app was launched from. This means one program may have several .pf files if they are run from different locations.
However, these files hold a lot of interesting details. First, there's an executable name, full path, run count, last launch time, and (on newer Windows) up to eight recent timestamps.
What makes this log more valuable on a modern system is that it holds about 1,024 Prefetch entries before they are overwritten. This is a decent activity range for most use cases. Better still, even after uninstalling an app, these entries are not simply deleted automatically. They remain a solid footprint from past activity.
On modern systems running on SSDs, the Prefetch feature may be disabled as it does not bring a huge performance advantage. So if the folder is empty, it means Prefetch is disabled or not in use. Luckily, there are other options.
Related
This Windows command told me exactly what caused my PC to crash
Stop guessing BSOD causes — this method reveals the real culprit fast.
WinPrefetchView makes raw system data easy to interpret
Prefetch files are binary and not human-readable (you can't open them in a text editor). This is where a simple tool like WinPrefetchView from NirSoft comes in handy. This tool officially supports Windows XP through Windows 10, but it also works on Windows 11. All this tool does is read static system data.
Once you download and extract it, it automatically scans your computer and populates its interface with .pf files. It shows the executable name as well as the number of times it ran, along with run times and when it was first recorded. It also shows the location of the program on your disk.
I like to sort by recent activity to build a timeline and make more sense of the data. Also, under the Options tab, you can use the Hide Programs Under Windows Folder option to remove system-level processes from your view.
Column
What it tells you
What to look for
Run Counter
How often the app has run
High counts for unfamiliar apps
Last Run Time
Most recent execution
Activity at odd hours
Created Time
First recorded execution
Recently introduced apps
File Path
Where the app is located
Temporary folders or unusual directories
As you sift through the data, these key points are important to make sense of it:
- Unknown executable names are worth a closer look.
- High run counts can indicate background activity.
- File paths pointing to temporary folders deserve attention.
- Timestamps that don’t match your usage patterns can reveal automation.
While interpreting the data, remember that it only shows what ran and not necessarily what it did. So, try not to over-interpret what you see.
WinPrefetchView
WinPrefetchView is a small, portable NirSoft utility that reads and displays the contents of Windows Prefetch files (.pf).
When Prefetch doesn’t show anything
If you don't have any data stored in your computer's Prefetch, you have other options. The first is AmCache, located in the path: C:\Windows\AppCompat\Programs\Amcache.hve. In this file, you can see metadata for apps that run, including the paths and identifiers. While it may be more detailed than Prefetch in some ways, it doesn't confirm execution with certainty all the time.
In the Event Viewer, processes tied to Event ID 4688 often have details on what ran and when. However, this isn't logged by default on Windows, and you would need to first enable process auditing manually, making it an option more suited for advanced users.
When Prefetch contains data, it's the easiest go-to; AmCache can fill the gap when Prefetch is empty.