Fooling Windows Through Superfetch
Offered By: Black Hat via YouTube
Course Description
Overview
Explore the inner workings of the Windows Superfetch service (SysMain) and its implications for privacy and security in this 41-minute Black Hat conference talk. Superfetch is a Windows service designed to improve responsiveness by predicting and preloading frequently used applications and files; to do so, it keeps a detailed record of user activity on disk, which exposes that activity to forensic analysis. Learn about the components of Superfetch, including its scenario files, database structures, and caching mechanisms, and examine the privacy concerns this raises and how the recorded data can be exploited by malicious actors or government agencies. The presenters then outline a roadmap for manipulating Superfetch, covering both the risks and possible countermeasures, and give insight into an often-overlooked aspect of Windows system behavior and its impact on digital forensics and user privacy.
Syllabus
Intro
The service SysMain
Optimizing the boot
Mechanism: memory paging
Mechanism: reducing memory operations
Agent Context (AgCx)
Types of Superfetch tasks
Database files: generalities
Database reading process
Scenario files: generalities
Scenario files: construction
Scenario files: names
Scenario files: content
The cache files
What about the content of the file?
Exploit the scenarios
The roadmap to fool SysMain
The solution
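The syllabus above walks through the SysMain service, its registry settings, and the database, scenario and cache files it writes. As an added example (not part of the talk or its materials), the PowerShell below takes an inventory of that footprint on the local host so an analyst can see what is there before deciding whether to parse, preserve or clear it. It assumes a default `%SystemRoot%` layout and an elevated session, since the Prefetch directory is not readable by standard users on current Windows builds; the `Get-SuperfetchState` function name is this example's own.

```powershell
# Added example (not from the talk): inventory the SysMain/Superfetch footprint on the local host.
# Assumptions: default %SystemRoot% layout; run from an elevated PowerShell session, because
# %SystemRoot%\Prefetch is restricted to administrators on recent Windows builds.

function Get-SuperfetchState {
    # 1. The service. 'SysMain' is the service name; older builds show 'Superfetch' as its display name.
    $svc = Get-Service -Name SysMain -ErrorAction SilentlyContinue

    # 2. Policy knobs. EnableSuperfetch / EnablePrefetcher use the commonly documented encoding:
    #    0 = disabled, 1 = boot files only, 2 = application launches only, 3 = both.
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
    $params = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # 3. On-disk artifacts. The Superfetch database/scenario files are the Ag*.db files that sit
    #    next to the per-application .pf prefetch files. Their write times show when SysMain last
    #    updated its record of activity, which is exactly the trail the talk is concerned with.
    $dir = Join-Path $env:SystemRoot 'Prefetch'
    $dbs = Get-ChildItem -Path $dir -Filter 'Ag*.db' -ErrorAction SilentlyContinue |
        Select-Object Name, Length, LastWriteTimeUtc

    [pscustomobject]@{
        ServiceStatus     = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
        ServiceStartType  = if ($svc) { $svc.StartType.ToString() } else { $null }
        EnableSuperfetch  = $params.EnableSuperfetch
        EnablePrefetcher  = $params.EnablePrefetcher
        PrefetchDirectory = $dir
        DatabaseFiles     = @($dbs)
    }
}

$state = Get-SuperfetchState
$state | Format-List ServiceStatus, ServiceStartType, EnableSuperfetch, EnablePrefetcher, PrefetchDirectory

# Most recently written database first: a quick view of how fresh the activity record is.
$state.DatabaseFiles | Sort-Object LastWriteTimeUtc -Descending | Format-Table -AutoSize
```

The script only reads; it does not stop the service, change the registry, or delete files. On a system where `ServiceStatus` is `Running` and `EnableSuperfetch` is 3, expect a handful of `Ag*.db` files with recent write times, which is the record the talk shows can be both mined by an investigator and tampered with by an attacker.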
Taught by
Black Hat
Related Courses
Attack on Titan M, Reloaded - Vulnerability Research on a Modern Security Chip
Black Hat via YouTube
Attacks From a New Front Door in 4G & 5G Mobile Networks
Black Hat via YouTube
AAD Joined Machines - The New Lateral Movement
Black Hat via YouTube
Better Privacy Through Offense - How to Build a Privacy Red Team
Black Hat via YouTube
Whip the Whisperer - Simulating Side Channel Leakage
Black Hat via YouTube