Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, app library Integrations
Docs
Stories
What people are saying News Ask around Take a tour Meetups COMPANY Origins   (Fleet & osquery) The handbook Logos/artwork Why open source?
Pricing Try it yourself
Get started Vitals Queries Policies Software OS settings Data tables

Tables

Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.

macOS Apple

Linux Linux

Windows Windows

Chrome ChromeOS

appcompat_shims arp_cache authenticode autoexec azure_instance_metadata azure_instance_tags background_activities_moderator battery bitlocker_info carbon_black_info carves certificates chassis_info chocolatey_packages chrome_extension_content_scripts chrome_extensions cis_audit connectivity cpu_info cpuid cryptoinfo curl curl_certificate default_environment disk_info dns_cache drivers ec2_instance_metadata ec2_instance_tags etc_hosts etc_protocols etc_services file file_lines firefox_addons firefox_preferences fleetd_logs google_chrome_profiles groups hash hvci_status ie_extensions intel_me_info interface_addresses interface_details kernel_info kva_speculative_info listening_ports logged_in_users logical_drives logon_sessions mdm_bridge memory_devices npm_packages ntdomains ntfs_acl_permissions ntfs_journal_events evented tableoffice_mru orbit_info os_version osquery_events osquery_extensions osquery_flags osquery_info osquery_packs osquery_registry osquery_schedule parse_ini parse_json parse_jsonl parse_xml patches physical_disk_performance pipes platform_info powershell_events evented tableprefetch process_etw_events evented tableprocess_memory_map process_open_sockets processes programs puppet_info puppet_logs puppet_state python_packages registry routes scheduled_tasks secureboot security_profile_info services shared_resources shellbags shimcache sntp_request ssh_configs startup_items system_info time tpm_info uptime user_groups user_ssh_keys userassist users video_info vscode_extensions winbaseobj windows_crashes windows_eventlog windows_events evented tablewindows_firewall_rules windows_optional_features windows_search windows_security_center windows_security_products windows_update_history windows_updates wmi_bios_info wmi_cli_event_consumers wmi_event_filters wmi_filter_consumer_binding wmi_script_event_consumers yara ycloud_instance_metadata

prefetch

click to open the table of contents
Windows logo

prefetch

Prefetch files show metadata related to file execution.

Column Type Description
accessed_directories text Directories accessed by application within ten seconds of launch.
accessed_directories_count integer Number of directories accessed.
accessed_files text Files accessed by application within ten seconds of launch.
accessed_files_count integer Number of files accessed.
filename text Executable filename.
hash text Prefetch CRC hash.
last_run_time integer Most recent time application was run.
other_run_times text Other execution times in prefetch file.
path text Prefetch file path.
run_count integer Number of times the application has been run.
size integer Application file size.
volume_creation text Volume creation time.
volume_serial text Volume serial number.

Example

select * from prefetch;
Edit page

Questions?

Ask us anything
Fleet logo
Multi platform Device management Orchestration Software management Integrations Pricing
Documentation Support Docs API Release notes Get your license
Company About News Jobs Logos/artwork Why open source?
ISO 27001 coming soon a small checkmarkSOC2 Type 2 Creative Commons Licence CC BY-SA 4.0
© 2025 Fleet Inc. Privacy
Slack logo GitHub logo LinkedIn logo X (Twitter) logo Youtube logo Mastadon logo