mirror of
https://github.com/kacos2000/Queries
synced 2024-11-16 06:12:50 +00:00
95 lines
5.1 KiB
MySQL
95 lines
5.1 KiB
MySQL
|
-- Diagnostic
|
||
|
|
-- Microsoft.Windows.Desktop.TextInput.TextServiceFramework
|
||
|
|
-- from C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db
|
||
|
|
|
||
|
|
SELECT
|
||
|
|
|
||
|
|
--Timestamp from db field
|
||
|
|
json_extract(events_persisted.payload,'$.time') as 'UTC TimeStamp',
|
||
|
|
|
||
|
|
-- Timestamp from json payload
|
||
|
|
datetime((timestamp - 116444736000000000)/10000000, 'unixepoch','localtime') as 'Local TimeStamp',
|
||
|
|
json_extract(events_persisted.payload,'$.ext.loc.tz') as 'TimeZome',
|
||
|
|
json_extract(events_persisted.payload,'$.ext.utc.seq') as 'seq',
|
||
|
|
|
||
|
|
-- Event
|
||
|
|
replace(events_persisted.full_event_name,'Microsoft.Windows.Desktop.TextInput.TextServiceFramework.InputSession','') as 'InputSession',
|
||
|
|
json_extract(events_persisted.payload,'$.data.applicationName') as 'applicationName',
|
||
|
|
json_extract(events_persisted.payload,'$.data.processId') as 'processId',
|
||
|
|
json_extract(events_persisted.payload,'$.data.staticFlags') as 'staticFlags',
|
||
|
|
|
||
|
|
-- InputScopeNameValue: Specifies a particular named input mode
|
||
|
|
-- Values list:
|
||
|
|
-- https://docs.microsoft.com/en-us/uwp/api/windows.ui.xaml.input.inputscopenamevalue?view=winrt-20348
|
||
|
|
case json_extract(events_persisted.payload,'$.data.inputScope')
|
||
|
|
when 0 then 'Default' -- No input scope is applied
|
||
|
|
when 1 then 'Url'
|
||
|
|
when 31 then 'Password'
|
||
|
|
when 50 then 'Search'
|
||
|
|
when 32 then 'TelephoneNumber'
|
||
|
|
when 57 then 'Text'
|
||
|
|
when 5 then 'EmailSmtpAddress' -- (?) Input scope is intended for working with a (SMTP) form e-mail address (accountname@host)
|
||
|
|
else json_extract(events_persisted.payload,'$.data.inputScope')
|
||
|
|
end as 'inputScope',
|
||
|
|
-- https://docs.microsoft.com/en-us/windows/win32/intl/language-identifiers
|
||
|
|
-- https://docs.microsoft.com/en-us/windows/win32/msi/localizing-the-error-and-actiontext-tables
|
||
|
|
json_extract(events_persisted.payload,'$.data.langId') as 'langId',
|
||
|
|
json_extract(events_persisted.payload,'$.data.insertedCharacterCount') as 'InsCharCount', -- nr of inserted characters
|
||
|
|
json_extract(events_persisted.payload,'$.data.keyCount') as 'keyCount', -- Pressed key count
|
||
|
|
json_extract(events_persisted.payload,'$.data.imeBackspaceCount') as 'BackspaceCount', -- backspace key press count
|
||
|
|
strftime('%H:%M:%f',json_extract(events_persisted.payload,'$.data.totalTimeMilliseconds')/1000.0, 'unixepoch') as 'totalTime',
|
||
|
|
|
||
|
|
-- Possible Conversion Mode Values
|
||
|
|
-- https://docs.microsoft.com/en-us/windows/win32/intl/ime-conversion-mode-values
|
||
|
|
json_extract(events_persisted.payload,'$.data.conversionMode') as 'conversionMode',
|
||
|
|
|
||
|
|
-- App Info
|
||
|
|
case substr(json_extract(events_persisted.payload,'$.ext.app.id'),1,1)
|
||
|
|
when 'U' then "UWP"
|
||
|
|
when 'W' then "Win"
|
||
|
|
else substr(json_extract(events_persisted.payload,'$.ext.app.id'),1,1)
|
||
|
|
end as 'App Type',
|
||
|
|
|
||
|
|
-- Application Name
|
||
|
|
case when substr(json_extract(events_persisted.payload,'$.ext.app.id'),1,1) is 'W' -- Windows Application x32/x64
|
||
|
|
then substr(json_extract(events_persisted.payload,'$.ext.app.id'),93)
|
||
|
|
else substr(json_extract(events_persisted.payload,'$.ext.app.id'),3)
|
||
|
|
end as 'App Name',
|
||
|
|
|
||
|
|
-- SHA1 Hash of the application that produced this event
|
||
|
|
case when substr(json_extract(events_persisted.payload,'$.ext.app.id'),1,1) is 'W' -- Windows Application x32/x64
|
||
|
|
then upper(substr(json_extract(events_persisted.payload,'$.ext.app.id'),52,40 ))
|
||
|
|
-- Same as the 'FileId' in Amcache.hve (Root\InventoryApplicationFile\)
|
||
|
|
end as 'AppId SHA1', -- (SHA1 Base16) checked & verified
|
||
|
|
|
||
|
|
-- ProgramId of the application that produced this event
|
||
|
|
case when substr(json_extract(events_persisted.payload,'$.ext.app.id'),1,1) is 'W' -- Windows Application x32/x64
|
||
|
|
then upper(substr(json_extract(events_persisted.payload,'$.ext.app.id'),3,44 ))
|
||
|
|
end as 'ProgramId', -- Same as the 'ProgramId' in Amcache.hve (Root\InventoryApplicationFile\)
|
||
|
|
|
||
|
|
-- Version of the application that produced this event
|
||
|
|
case when substr(json_extract(events_persisted.payload,'$.ext.app.id'),1,1) is 'W' -- Windows Application x32/x64
|
||
|
|
then substr(json_extract(events_persisted.payload,'$.ext.app.ver'),1,19 )
|
||
|
|
end as 'AppVersion Date', -- Same as the 'LinkDate' in Amcache.hve (Root\InventoryApplicationFile\)
|
||
|
|
|
||
|
|
case when substr(json_extract(events_persisted.payload,'$.ext.app.id'),1,1) is 'W' -- Windows Application x32/x64
|
||
|
|
then substr(json_extract(events_persisted.payload,'$.ext.app.ver'),21,(instr(substr(json_extract(events_persisted.payload,'$.ext.app.ver'),21),'!')-1) )
|
||
|
|
end as 'PE Header CheckSum', -- PE Header CheckSum variable size (4-6)
|
||
|
|
|
||
|
|
case when substr(json_extract(events_persisted.payload,'$.ext.app.id'),1,1) is 'W' -- Windows Application x32/x64
|
||
|
|
then substr(json_extract(events_persisted.payload,'$.ext.app.ver'),(instr(substr(json_extract(events_persisted.payload,'$.ext.app.ver'),22),'!')+22))
|
||
|
|
else json_extract(events_persisted.payload,'$.ext.app.ver')
|
||
|
|
end as 'Executable',
|
||
|
|
|
||
|
|
|
||
|
|
-- Local, MS or AAD account
|
||
|
|
trim(json_extract(events_persisted.payload,'$.ext.user.localId'),'m:') as 'UserId',
|
||
|
|
sid as 'User SID',
|
||
|
|
|
||
|
|
logging_binary_name
|
||
|
|
|
||
|
|
from events_persisted
|
||
|
|
where events_persisted.full_event_name like 'Microsoft.Windows.Desktop.TextInput.TextServiceFramework.%'
|
||
|
|
|
||
|
|
-- Sort by event date dscending (newest first)
|
||
|
|
order by cast(events_persisted.timestamp as integer) desc
|