diff --git a/AppStateChangeSummary.sql b/AppStateChangeSummary.sql
new file mode 100644
index 0000000..ecf061c
--- /dev/null
+++ b/AppStateChangeSummary.sql
@@ -0,0 +1,67 @@
+-- Diagnostic 
+--           KernelProcess.AppStateChangeSummary
+-- from C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db
+
+SELECT
+
+--Timestamp from db field
+json_extract(events_persisted.payload,'$.time') as 'UTC TimeStamp',
+
+-- Timestamp from json payload
+datetime((timestamp - 116444736000000000)/10000000, 'unixepoch','localtime') as 'Local TimeStamp',
+json_extract(events_persisted.payload,'$.ext.loc.tz') as 'TimeZome',
+json_extract(events_persisted.payload,'$.ext.utc.seq') as 'seq', 
+
+-- Event
+replace( events_persisted.full_event_name,'KernelProcess.AppStateChangeSummary','') as 'Event',
+
+-- Counters
+json_extract(events_persisted.payload,'$.data.LaunchCount') as 'LaunchCount',
+json_extract(events_persisted.payload,'$.data.SuspendCount') as 'SuspendCount',
+json_extract(events_persisted.payload,'$.data.ResumeCount') as 'ResumeCount',
+json_extract(events_persisted.payload,'$.data.TerminateCount') as 'TerminateCount',
+json_extract(events_persisted.payload,'$.data.CrashCount') as 'CrashCount',
+
+
+-- Target App Info
+case json_extract(events_persisted.payload,'$.data.TargetAppType') 
+	when 'Modern' then json_extract(events_persisted.payload,'$.data.TargetAppType')||" (UWP)"
+	when 'Desktop' then json_extract(events_persisted.payload,'$.data.TargetAppType')||" (Win)"
+ 	else json_extract(events_persisted.payload,'$.data.TargetAppType')
+	end as 'TargetAppIdType',
+
+-- Target Application Name
+case when substr(json_extract(events_persisted.payload,'$.data.TargetAppId'),1,1) is 'W' -- Windows Application x32/x64
+	then substr(json_extract(events_persisted.payload,'$.data.TargetAppId'),93) 
+	else substr(json_extract(events_persisted.payload,'$.data.TargetAppId'),3)
+	end as 'TargetAppId Name',	
+
+-- SHA1 Hash of the application that produced this event	
+case when substr(json_extract(events_persisted.payload,'$.data.TargetAppId'),1,1) is 'W' -- Windows Application x32/x64
+	then upper(substr(json_extract(events_persisted.payload,'$.data.TargetAppId'),52,40 ))
+	-- Same as the 'FileId' in Amcache.hve (Root\InventoryApplicationFile\)
+	end as 'Target AppId SHA1',	-- (SHA1 Base16) checked & verified 
+
+-- ProgramId of the application that produced this event	
+case when substr(json_extract(events_persisted.payload,'$.data.TargetAppId'),1,1) is 'W' -- Windows Application x32/x64
+	then upper(substr(json_extract(events_persisted.payload,'$.data.TargetAppId'),3,44 )) 
+	end as 'Target AppId ProgramId',   -- Same as the 'ProgramId' in Amcache.hve (Root\InventoryApplicationFile\)	
+
+-- Universal Windows Platform version info
+case when substr(json_extract(events_persisted.payload,'$.data.TargetAppId'),1,1) is 'W'
+	then substr(json_extract(events_persisted.payload,'$.data.TargetAppVer'),(instr(substr(json_extract(events_persisted.payload,'$.data.TargetAppVer'),22),'!')+22)) 
+	else substr(json_extract(events_persisted.payload,'$.data.TargetAppVer'),(instr(substr(json_extract(events_persisted.payload,'$.data.TargetAppVer'),22),'!%!')))  
+	end as 'TargetApp Ver',
+	
+	
+-- Local, MS or AAD account 
+trim(json_extract(events_persisted.payload,'$.ext.user.localId'),'m:') as 'UserId',
+sid as 'User SID',
+
+logging_binary_name
+
+from events_persisted
+where events_persisted.full_event_name like 'KernelProcess.AppStateChangeSummary%'
+
+ -- Sort by event date dscending (newest first)
+order by cast(events_persisted.timestamp as integer) desc
\ No newline at end of file