drop registry export and system evtx csv · detect superfetch sysmain service disabled · identify prefetch globally disabled at the service level · surface service-level prefetch suppression · runs locally
drop registry export and system evtx csv · local only
heuristic screener · vendor schema varies · not definitive proof