Add files via upload

3 years ago · d713f18cd4
parent e58f5f324c
commit d713f18cd4
7 changed files with 31 additions and 15 deletions
--- a/AppInteractivity.sql
+++ b/AppInteractivity.sql
@ -5,7 +5,6 @@
 -- from C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db
 -- For more info visit https://github.com/rathbuna/EventTranscript.db-Research 
 -- https://docs.microsoft.com/en-us/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields
-- https://arxiv.org/ftp/arxiv/papers/2002/2002.12506.pdf
 -- and "Forensic Quick Wins With EventTranscript.DB: Win32kTraceLogging" at
 -- https://www.kroll.com/en/insights/publications/cyber/forensically-unpacking-eventtranscript/forensic-quick-wins-with-eventtranscript

@ -17,11 +16,11 @@ json_extract(events_persisted.payload,'$.time') as 'UTC TimeStamp',
 -- Timestamp from json payload
 datetime((timestamp - 116444736000000000)/10000000, 'unixepoch','localtime') as 'Local TimeStamp',
 json_extract(events_persisted.payload,'$.ext.loc.tz') as 'TimeZome',
-json_extract(events_persisted.payload,'$.ext.utc.seq') as 'seq', -- 
+json_extract(events_persisted.payload,'$.ext.utc.seq') as 'seq', 

 -- events
 json_extract(events_persisted.payload,'$.data.EventSequence') as 'EventSequence', -- AppInteractivity% specific
-json_extract(events_persisted.payload,'$.data.AggregationStartTime') as 'AggregationStartTime', -- Start date and time of AppInteractivity aggregation
+json_extract(events_persisted.payload,'$.data.AggregationStartTime') as 'AggregationStartTime (UTC)', -- Start date and time of AppInteractivity aggregation
 time(json_extract(events_persisted.payload,'$.data.AggregationDurationMS'),'unixepoch') as 'AggregationDuration', -- Actual duration of aggregation period (in milliseconds)
 -- App name
 case when substr(json_extract(events_persisted.payload,'$.data.AppId'),1,1) is 'W' -- Windows Application x32/x64
@ -92,13 +91,16 @@ trim(json_extract(events_persisted.payload,'$.ext.user.localId'),'m:') as 'UserI
 sid as 'User SID',


+tag_descriptions.tag_name, -- where you'll see these events in MS Diagnostic Data Viewer app
 logging_binary_name


 from events_persisted 
+join event_tags on events_persisted.full_event_name_hash = event_tags.full_event_name_hash
+join tag_descriptions on event_tags.tag_id = tag_descriptions.tag_id 
 where 
 -- include events:
  events_persisted.full_event_name in ('Win32kTraceLogging.AppInteractivity','Win32kTraceLogging.AppInteractivitySummary' )

- -- Sort by event sequence number descending (newest first)
-order by cast(seq as integer) desc
+ -- Sort by event datedescending (newest first)
+order by cast(events_persisted.timestamp as integer) desc
--- a/Census.sql
+++ b/Census.sql
@ -38,5 +38,6 @@ where
  events_persisted.full_event_name like 'Census%' 

  
- -- Sort by event sequence number descending (newest first)
-order by cast(seq as integer) desc
+
+ -- Sort by event datedescending (newest first)
+order by cast(events_persisted.timestamp as integer) desc
--- a/ClientRunningTime.sql
+++ b/ClientRunningTime.sql
@ -68,5 +68,5 @@ json_extract(events_persisted.payload,'$.data.InterfaceId') as 'Interface Id'
 from events_persisted
 where events_persisted.full_event_name like '%DxgKrnlTelemetry.ClientRunningTime%'

- -- Sort by event sequence number descending (newest first)
-order by cast(seq as integer) desc
+ -- Sort by event datedescending (newest first)
+order by cast(events_persisted.timestamp as integer) desc
--- a/EventTranscript_GetEventNameList.sql
+++ b/EventTranscript_GetEventNameList.sql
@ -0,0 +1,9 @@
+-- List unigue Event Names from
+-- from C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db
+
+SELECT
+
+distinct events_persisted.full_event_name
+
+from events_persisted
+order by events_persisted.full_event_name asc
--- a/Microsoft.WebBrowser.sql
+++ b/Microsoft.WebBrowser.sql
@ -67,6 +67,5 @@ tag_descriptions.tag_name not like '%Device Connectivity and Configuration%' and
 tag_descriptions.tag_name not like '%Performance%' )


-
- -- Sort by event sequence number descending (newest first)
-order by cast(seq as integer) desc
+ -- Sort by event datedescending (newest first)
+order by cast(events_persisted.timestamp as integer) desc
--- a/MobilityExperience.YourPhone.sql
+++ b/MobilityExperience.YourPhone.sql
@ -52,4 +52,7 @@ and events_persisted.full_event_name not like 'Microsoft.Windows.MobilityExperie
 and events_persisted.full_event_name not like 'Microsoft.Windows.MobilityExperience.YourPhone.Cdm%'   -- Content delivery diagnostics
 and events_persisted.full_event_name not like 'Microsoft.Windows.MobilityExperience.YourPhone.FullTrustServerCreateFactory%' -- Before sent message
 and events_persisted.full_event_name not like 'Microsoft.Windows.MobilityExperience.YourPhone.AppServiceCanceled%'           -- After sent message
-order by events_persisted.timestamp desc
+
+
+ -- Sort by event datedescending (newest first)
+order by cast(events_persisted.timestamp as integer) desc
--- a/NetworkingTriage.sql
+++ b/NetworkingTriage.sql
@ -123,5 +123,7 @@ and events_persisted.full_event_name not like '%MediaConnected%'
 and events_persisted.full_event_name not like '%DhcpSetEventInRenewState%'
 and events_persisted.full_event_name not like '%SolicitAttempt%'
 and events_persisted.full_event_name not like '%InterfaceCapabilityChangedEvent%'
-- Sort by date descending (newest first)
-order by events_persisted.timestamp desc
+
+
+ -- Sort by event datedescending (newest first)
+order by cast(events_persisted.timestamp as integer) desc