Windows File Analyzer is a versatile PC forensics tool
Whether you’re worried about malware, or just need to find out what someone else is doing on a PC, logging any executables launched can tell you a lot.
Normally this involves installing some kind of monitoring application, like the Event Monitor Service we talked about last week, but if you’re trying to track PC usage without someone’s knowledge, that can be risky.
Active logging applications can only tell you what’s happened since they were installed, too, of course -- not much use if you’re trying to find out what’s been happening in the past few days.
Windows File Analyzer is a forensics tool which analyzes various logs to tell you more about how a PC has been used over the past few days, no installation or anything else required.
Be sure to launch the program as an administrator -- it doesn’t request elevation, and won’t work properly if you forget.
The opening interface is basic -- menu bar, blank work area -- but clicking the File menu lists all the main tools.
Click File > Analyze Prefetch and browse to \Windows\Prefetch, for example, and the program decodes your system prefetch files to display information about the programs you’ve been running. (Assuming prefetch is enabled, anyway -- if you have an SSD then it may be turned off.)
On our test system we saw the executable names, created/written/last-accessed dates, file and path hashes, a run count (incorrect, for some reason) and more.
Clicking the "Written" column date sorted the list by the order the programs had been executed, and we were able to see the 98 executables our system had launched in the past four hours: programs we’d run, system applications (SearchProtocolHost.exe), background processes and more.
Exactly how far back in time this goes depends on your PC setup and usage, but you’ll probably have two or three days of significant detail, and if nothing else it’ll give you times when your system was on and being used.
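The prefetch decoding described above, as an added Python example that is not Windows File Analyzer's own code: it reads the fields the tool displays (executable name, path hash, last run time, run count) from XP and Vista/7 format files and sorts records into the same execution timeline you get by clicking the Written column. The field offsets are assumed from public prefetch format documentation; Windows 10 files are compressed and are rejected rather than parsed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed offsets (public format docs) for XP (v17) and Vista/7 (v23) files;
# Windows 8.1/10 files keep eight run times and Win10 ones are MAM-compressed.
LAYOUT = {17: {"last_run": 0x78, "run_count": 0x90},
          23: {"last_run": 0x80, "run_count": 0x98}}

def filetime_to_datetime(ft):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    """Pull name, path hash, last run time and run count out of a .pf image."""
    if data[:3] == b"MAM":
        raise ValueError("compressed Windows 10 prefetch file: decompress it first")
    version, signature, _, size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA" or size != len(data):
        raise ValueError("not a complete prefetch file")
    layout = LAYOUT.get(version)
    if layout is None:
        raise ValueError(f"unsupported prefetch version {version}")
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, 0x4C)
    (last_run,) = struct.unpack_from("<Q", data, layout["last_run"])
    (run_count,) = struct.unpack_from("<I", data, layout["run_count"])
    return {"name": name, "hash": path_hash, "run_count": run_count,
            "last_run": filetime_to_datetime(last_run)}

def expected_filename(record):
    """NAME-HASH.pf, the name Windows writes; a mismatch with the real file name
    means the file was renamed or its hash field tampered with."""
    return f"{record['name']}-{record['hash']:08X}.pf"

def timeline(records):
    """Most recent execution first, the same view as sorting by Written."""
    return sorted(records, key=lambda r: r["last_run"], reverse=True)

def build_sample(version, name, path_hash, last_run, run_count):
    """Constructed minimal prefetch image for testing, not a real file."""
    layout = LAYOUT[version]
    size = layout["run_count"] + 4
    buf = bytearray(size)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x11, size)
    encoded = name.encode("utf-16-le")
    buf[0x10:0x10 + len(encoded)] = encoded
    struct.pack_into("<I", buf, 0x4C, path_hash)
    struct.pack_into("<Q", buf, layout["last_run"], last_run)
    struct.pack_into("<I", buf, layout["run_count"], run_count)
    return bytes(buf)
```

Point `parse_prefetch` at the bytes of each file in \Windows\Prefetch and feed the results to `timeline` to reproduce the sorted view; `expected_filename` flags files whose on-disk name no longer matches their embedded hash.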
If you need to go back further, clicking File > Analyze Shortcuts and pointing the program at a folder of shortcuts tells you more.
We tried this out on our desktop, and saw the file name for each shortcut, the path, and the dates each shortcut was created, written or last accessed. (There’s also the NetBIOS name and MAC address for the target, maybe handy if some of these are network drives.)
Elsewhere, there are tools to display the contents of various thumbnail databases, including Windows’ Thumbs.db, ACDSee’s *.fpt, Google Picasa’s *.db, FastStone Viewer’s fsviewer.db and HP Digital Imaging’s *.db or *.dat files.
Windows File Analyzer has been around for more than 10 years, and its age shows in places: Windows hasn’t used the thumbs.db format for a long time, Internet Explorer analysis is limited to Index.dat files (IE9 or earlier), and even the "guidance" manual is dated 2005.
Bizarrely, you can’t directly save its reports, either -- there’s a Print option only.
Despite that, the program can give you plenty of information about PC activities, and -- if you’re using one of the supported applications -- the thumbnail database tools will probably justify the download all on their own.
But if it doesn’t work for you, try NirSoft’s similar LastActivityView instead.
Windows File Analyzer is a free application for Windows 2000 and later.