
Commit d713f18

authored
Add files via upload
1 parent e58f5f3 commit d713f18

7 files changed

+31
-15
lines changed

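--- a/AppInteractivity.sql
+++ b/AppInteractivity.sql
@@ -5,7 +5,6 @@
 -- from C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db
 -- For more info visit https://github.com/rathbuna/EventTranscript.db-Research
 -- https://docs.microsoft.com/en-us/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields
--- https://arxiv.org/ftp/arxiv/papers/2002/2002.12506.pdf
 -- and "Forensic Quick Wins With EventTranscript.DB: Win32kTraceLogging" at
 -- https://www.kroll.com/en/insights/publications/cyber/forensically-unpacking-eventtranscript/forensic-quick-wins-with-eventtranscript
 
@@ -17,11 +16,11 @@ json_extract(events_persisted.payload,'$.time') as 'UTC TimeStamp',
 -- Timestamp from json payload
 datetime((timestamp - 116444736000000000)/10000000, 'unixepoch','localtime') as 'Local TimeStamp',
 json_extract(events_persisted.payload,'$.ext.loc.tz') as 'TimeZome',
-json_extract(events_persisted.payload,'$.ext.utc.seq') as 'seq', --
+json_extract(events_persisted.payload,'$.ext.utc.seq') as 'seq',
 
 -- events
 json_extract(events_persisted.payload,'$.data.EventSequence') as 'EventSequence', -- AppInteractivity% specific
-json_extract(events_persisted.payload,'$.data.AggregationStartTime') as 'AggregationStartTime', -- Start date and time of AppInteractivity aggregation
+json_extract(events_persisted.payload,'$.data.AggregationStartTime') as 'AggregationStartTime (UTC)', -- Start date and time of AppInteractivity aggregation
 time(json_extract(events_persisted.payload,'$.data.AggregationDurationMS'),'unixepoch') as 'AggregationDuration', -- Actual duration of aggregation period (in milliseconds)
 -- App name
 case when substr(json_extract(events_persisted.payload,'$.data.AppId'),1,1) is 'W' -- Windows Application x32/x64
@@ -92,13 +91,16 @@ trim(json_extract(events_persisted.payload,'$.ext.user.localId'),'m:') as 'UserI
 sid as 'User SID',
 
 
+tag_descriptions.tag_name, -- where you'll see these events in MS Diagnostic Data Viewer app
 logging_binary_name
 
 
 from events_persisted
+join event_tags on events_persisted.full_event_name_hash = event_tags.full_event_name_hash
+join tag_descriptions on event_tags.tag_id = tag_descriptions.tag_id
 where
 -- include events:
 events_persisted.full_event_name in ('Win32kTraceLogging.AppInteractivity','Win32kTraceLogging.AppInteractivitySummary' )
 
--- Sort by event sequence number descending (newest first)
-order by cast(seq as integer) desc
+-- Sort by event datedescending (newest first)
+order by cast(events_persisted.timestamp as integer) desc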
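Review bot: The two new `join` lines at new lines 99–100 are inner joins, so any AppInteractivity row whose `full_event_name_hash` has no row in `event_tags` (or whose `tag_id` has no `tag_descriptions` row) is silently dropped from a query that previously returned every matching event, which matters for a forensic triage query where completeness is the point; unless every event is guaranteed a tag, `left join event_tags on events_persisted.full_event_name_hash = event_tags.full_event_name_hash` and `left join tag_descriptions on event_tags.tag_id = tag_descriptions.tag_id` keep the result set complete and just leave `tag_name` NULL. If dropping untagged events is intended, writing `inner join` explicitly would at least document the choice. The new sort comment at new line 105 reads `datedescending`; the same comment is added in Census.sql, ClientRunningTime.sql, Microsoft.WebBrowser.sql, MobilityExperience.YourPhone.sql and NetworkingTriage.sql, so `-- Sort by event date descending (newest first)` would fix all six in one pass. The `cast(events_persisted.timestamp as integer)` in the new `order by` looks redundant if `timestamp` is already stored as an integer, as the FILETIME arithmetic at new line 17 suggests, but that depends on the column's declared type, which is not visible here. The SELECT this hunk belongs to starts well before the hunk.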

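--- a/Census.sql
+++ b/Census.sql
@@ -38,5 +38,6 @@ where
 events_persisted.full_event_name like 'Census%'
 
 
--- Sort by event sequence number descending (newest first)
-order by cast(seq as integer) desc
+
+-- Sort by event datedescending (newest first)
+order by cast(events_persisted.timestamp as integer) desc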

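--- a/ClientRunningTime.sql
+++ b/ClientRunningTime.sql
@@ -68,5 +68,5 @@ json_extract(events_persisted.payload,'$.data.InterfaceId') as 'Interface Id'
 from events_persisted
 where events_persisted.full_event_name like '%DxgKrnlTelemetry.ClientRunningTime%'
 
--- Sort by event sequence number descending (newest first)
-order by cast(seq as integer) desc
+-- Sort by event datedescending (newest first)
+order by cast(events_persisted.timestamp as integer) desc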

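--- /dev/null
+++ b/EventTranscript_GetEventNameList.sql
@@ -0,0 +1,9 @@
+-- List unigue Event Names from
+-- from C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db
+
+SELECT
+
+distinct events_persisted.full_event_name
+
+from events_persisted
+order by events_persisted.full_event_name asc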
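Review bot: The header comment of the new file reads `-- List unigue Event Names from` and the next line starts with `-- from ...` again, so "unique" is misspelled and "from" is repeated; `-- List unique event names from` on the first line fixes both. Keyword case is mixed within nine lines (`SELECT` uppercase, `distinct`, `from` and `order by` lowercase) and the blank lines between `SELECT`, `distinct` and `from` split a single clause; the other files in this commit use lowercase throughout, so `select distinct events_persisted.full_event_name` on one line followed directly by `from events_persisted` would match them. The trailing `asc` is the default sort direction and can be dropped, though keeping it is harmless.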

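--- a/Microsoft.WebBrowser.sql
+++ b/Microsoft.WebBrowser.sql
@@ -67,6 +67,5 @@ tag_descriptions.tag_name not like '%Device Connectivity and Configuration%' and
 tag_descriptions.tag_name not like '%Performance%' )
 
 
-
--- Sort by event sequence number descending (newest first)
-order by cast(seq as integer) desc
+-- Sort by event datedescending (newest first)
+order by cast(events_persisted.timestamp as integer) desc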

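--- a/MobilityExperience.YourPhone.sql
+++ b/MobilityExperience.YourPhone.sql
@@ -52,4 +52,7 @@ and events_persisted.full_event_name not like 'Microsoft.Windows.MobilityExperie
 and events_persisted.full_event_name not like 'Microsoft.Windows.MobilityExperience.YourPhone.Cdm%' -- Content delivery diagnostics
 and events_persisted.full_event_name not like 'Microsoft.Windows.MobilityExperience.YourPhone.FullTrustServerCreateFactory%' -- Before sent message
 and events_persisted.full_event_name not like 'Microsoft.Windows.MobilityExperience.YourPhone.AppServiceCanceled%' -- After sent message
-order by events_persisted.timestamp desc
+
+
+-- Sort by event datedescending (newest first)
+order by cast(events_persisted.timestamp as integer) desc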

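--- a/NetworkingTriage.sql
+++ b/NetworkingTriage.sql
@@ -123,5 +123,7 @@ and events_persisted.full_event_name not like '%MediaConnected%'
 and events_persisted.full_event_name not like '%DhcpSetEventInRenewState%'
 and events_persisted.full_event_name not like '%SolicitAttempt%'
 and events_persisted.full_event_name not like '%InterfaceCapabilityChangedEvent%'
--- Sort by date descending (newest first)
-order by events_persisted.timestamp desc
+
+
+-- Sort by event datedescending (newest first)
+order by cast(events_persisted.timestamp as integer) desc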
