Add files via upload

FileSystem.Mount.sql

@@ -0,0 +1,56 @@
+-- Microsoft.Windows.FileSystem
+--      NTFS,EXFAT,FAT Mount + Volume Info
+--      ProcessLoggingRegistry
+-- from C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db
+
+SELECT
+
+--Timestamp from db field
+json_extract(events_persisted.payload,'$.time') as 'UTC TimeStamp',
+
+-- Timestamp from json payload
+datetime((timestamp - 116444736000000000)/10000000, 'unixepoch','localtime') as 'Local TimeStamp',
+json_extract(events_persisted.payload,'$.ext.loc.tz') as 'TimeZome',
+json_extract(events_persisted.payload,'$.ext.utc.seq') as 'seq', 
+
+-- Event
+replace(events_persisted.full_event_name,'Microsoft.Windows.FileSystem.','') as 'Event',
+
+-- Mount info
+json_extract(events_persisted.payload,'$.data.mountStartTime') as 'mountStartTime', 
+json_extract(events_persisted.payload,'$.data.mountGuid') as 'mountGuid',
+json_extract(events_persisted.payload,'$.data.vendorId') as 'vendor',
+json_extract(events_persisted.payload,'$.data.productId') as 'productId',
+json_extract(events_persisted.payload,'$.data.diskId') as 'diskId',
+case json_extract(events_persisted.payload,'$.data.volumeFat32') 
+	when true then 'Yes'
+	end as 'volumeFat32',
+json_extract(events_persisted.payload,'$.data.volumeId') as 'volumeId',
+json_extract(events_persisted.payload,'$.data.volumeCreationTime') as 'volumeCreationTime', 
+
+-- only available on FAT/EXFAT Volumes	
+case json_extract(events_persisted.payload,'$.data.volumeMountedDirty') 
+	when true then 'Yes'
+	when false then 'No'
+	end as 'Dirty',
+case json_extract(events_persisted.payload,'$.data.volumeMountedReadOnly') 
+	when true then 'Yes'
+	when false then 'No'
+	end as 'ReadOnly',
+payload,
+json_extract(events_persisted.payload,'$.data.volumeFat32') as 'volumeFat32',
+json_extract(events_persisted.payload,'$.data.totalClusters') as 'totalClusters',
+json_extract(events_persisted.payload,'$.data.clusterSizeBytes') as 'clusterSize',
+-- from VolumeInfo
+json_extract(events_persisted.payload,'$.data.physicalSectorSizeBytes') as 'physicalSectorSizeBytes',
+json_extract(events_persisted.payload,'$.data.logicalSectorSizeBytes') as 'logicalSectorSizeBytes'
+-- json_extract(events_persisted.payload,'$.data.originalVolumeId') as 'originalVolumeId'
+
+from events_persisted
+where 
+events_persisted.full_event_name like 'Microsoft.Windows.FileSystem.%' and
+(events_persisted.full_event_name like '%Mount%' or 
+events_persisted.full_event_name like '%VolumeInfo' )
+
+ -- Sort by event date dscending (newest first)
+order by cast(events_persisted.timestamp as integer) desc

ProcessLogging.sql

@@ -1,4 +1,4 @@
--- Diagnostic DMicrosoft.Windows.Compatibility.Encapsulation
+-- Diagnostic Microsoft.Windows.Compatibility.Encapsulation
 --      ProcessLoggingFile
 --      ProcessLoggingRegistry
 -- from C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db
@@ -13,7 +13,7 @@ datetime((timestamp - 116444736000000000)/10000000, 'unixepoch','localtime') as
 json_extract(events_persisted.payload,'$.ext.loc.tz') as 'TimeZome',
 json_extract(events_persisted.payload,'$.ext.utc.seq') as 'seq', 
 
--- Evrnt
+-- Event
 replace( events_persisted.full_event_name,'Microsoft.Windows.Compatibility.Encapsulation.','') as 'Event',
 
 json_extract(events_persisted.payload,'$.data.ExeName') as 'ExeName',
@@ -21,7 +21,6 @@ json_extract(events_persisted.payload,'$.data.IsInstaller') as 'IsInstaller',
 upper(json_extract(events_persisted.payload,'$.data.ProgramId')) as 'ProgramId',
 json_extract(events_persisted.payload,'$.data.pathOps') as 'pathOps',
 
-
 -- Local, MS or AAD account 
 trim(json_extract(events_persisted.payload,'$.ext.user.localId'),'m:') as 'UserId',
 sid as 'User SID',