From 6ab2c27330ebed74746fe8f464bc312ce7698d05 Mon Sep 17 00:00:00 2001 From: Costas K <11378310+kacos2000@users.noreply.github.com> Date: Sun, 18 Jul 2021 19:30:43 +0300 Subject: [PATCH] Add files via upload --- UAC.sql | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/UAC.sql b/UAC.sql index 717e611..6c2c74f 100644 --- a/UAC.sql +++ b/UAC.sql @@ -1,5 +1,6 @@ -- Diagnostic Windows User Account Controls (UAC), formerly known as Limited User Account (LUA) --- (93C05D69-51A3-485E-877F-1806A8731346) +-- from 93C05D69-51A3-485E-877F-1806A8731346.16001_0 +-- and Microsoft.Windows.Security.LUA.ConsentUILaunched -- from C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db SELECT @@ -14,9 +15,22 @@ cast(json_extract(events_persisted.payload,'$.ext.utc.seq') as INTEGER) as 'seq' -- Event json_extract(events_persisted.payload,'$.data.EventId') as 'EventId', -json_extract(events_persisted.payload,'$.data.UACElevateFileID') as 'UACElevateFileID', - -json_extract(events_persisted.payload,'$.data.EventId') as 'EventId', +json_extract(events_persisted.payload,'$.data.friendlyName') as 'friendlyName', +coalesce(json_extract(events_persisted.payload,'$.data.UACElevateFileID'),json_extract(events_persisted.payload,'$.data.exeName')) as 'UACElevateFileID', +json_extract(events_persisted.payload,'$.data.publisherName') as 'publisherName', +-- https://gist.github.com/Elm0D/de94d428ef8c45b7cd24409b5c343a33 +json_extract(events_persisted.payload,'$.data.cmdLine') as 'cmdLine', +-- List of COM objects with enabled elevation: +-- https://docs.microsoft.com/en-us/dotnet/api/java.security.signaturestate?view=xamarin-android-sdk-9 +case json_extract(events_persisted.payload,'$.data.signatureState') + when 0 then 'Unchecked' + when 1 then 'Unsigned' -- ?? + when 2 then 'Sign' + when 3 then 'Verify' + else json_extract(events_persisted.payload,'$.data.signatureState') + end as 'signatureState', +json_extract(events_persisted.payload,'$.data.elevationReason') as 'elevationReason', +json_extract(events_persisted.payload,'$.data.eventType') as 'eventType', -- Local, MS or AAD account trim(json_extract(events_persisted.payload,'$.ext.user.localId'),'m:') as 'UserId', @@ -26,7 +40,8 @@ logging_binary_name from events_persisted -where events_persisted.full_event_name like '%93C05D69-51A3-485E-877F-1806A8731346.16001_0%' +where events_persisted.full_event_name like '%93C05D69-51A3-485E-877F-1806A8731346.16001_0%' or +events_persisted.full_event_name like 'Microsoft.Windows.Security.LUA.ConsentUILaunched%' -- Sort by event date dscending (newest first)