diff --git a/AppInteractivity.sql b/AppInteractivity.sql
index 1523ba9..0339a80 100644
--- a/AppInteractivity.sql
+++ b/AppInteractivity.sql
@@ -5,7 +5,6 @@
 -- from C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db
 -- For more info visit https://github.com/rathbuna/EventTranscript.db-Research
 -- https://docs.microsoft.com/en-us/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields
--- https://arxiv.org/ftp/arxiv/papers/2002/2002.12506.pdf
 -- and "Forensic Quick Wins With EventTranscript.DB: Win32kTraceLogging" at
 -- https://www.kroll.com/en/insights/publications/cyber/forensically-unpacking-eventtranscript/forensic-quick-wins-with-eventtranscript
@@ -17,11 +16,11 @@
 json_extract(events_persisted.payload,'$.time') as 'UTC TimeStamp', -- Timestamp from json payload
 datetime((timestamp - 116444736000000000)/10000000, 'unixepoch','localtime') as 'Local TimeStamp',
 json_extract(events_persisted.payload,'$.ext.loc.tz') as 'TimeZome',
-json_extract(events_persisted.payload,'$.ext.utc.seq') as 'seq', --
+json_extract(events_persisted.payload,'$.ext.utc.seq') as 'seq', -- events
 json_extract(events_persisted.payload,'$.data.EventSequence') as 'EventSequence', -- AppInteractivity% specific
-json_extract(events_persisted.payload,'$.data.AggregationStartTime') as 'AggregationStartTime', -- Start date and time of AppInteractivity aggregation
+json_extract(events_persisted.payload,'$.data.AggregationStartTime') as 'AggregationStartTime (UTC)', -- Start date and time of AppInteractivity aggregation
 time(json_extract(events_persisted.payload,'$.data.AggregationDurationMS'),'unixepoch') as 'AggregationDuration', -- Actual duration of aggregation period (in milliseconds)
 -- App name
 case when substr(json_extract(events_persisted.payload,'$.data.AppId'),1,1) is 'W' -- Windows Application x32/x64
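Review bot: The AggregationDuration column just below the renamed `'AggregationStartTime (UTC)'` alias still feeds `AggregationDurationMS` straight into `time(...,'unixepoch')`, and SQLite's unixepoch modifier interprets the value as seconds, so if the field really is milliseconds as the trailing comment states the displayed duration is about a thousand times too long; `time(json_extract(events_persisted.payload,'$.data.AggregationDurationMS')/1000,'unixepoch') as 'AggregationDuration',` would give the intended value. The new `-- events` comment on the seq column says no more than the empty `--` it replaces; a comment that names what the number is, such as `-- sequence number from the payload's ext.utc block; see the Microsoft field docs linked in the header`, would help the next reader. The `'TimeZome'` alias on the context line above is presumably a typo for `'TimeZone'`. The select list this hunk belongs to starts and ends outside the hunk.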
@@ -92,13 +91,16 @@ trim(json_extract(events_persisted.payload,'$.ext.user.localId'),'m:') as 'UserI
 sid as 'User SID',
+tag_descriptions.tag_name, -- where you'll see these events in MS Diagnostic Data Viewer app
 logging_binary_name
 from events_persisted
+join event_tags on events_persisted.full_event_name_hash = event_tags.full_event_name_hash
+join tag_descriptions on event_tags.tag_id = tag_descriptions.tag_id
 where -- include events:
 events_persisted.full_event_name in ('Win32kTraceLogging.AppInteractivity','Win32kTraceLogging.AppInteractivitySummary' )
- -- Sort by event sequence number descending (newest first)
-order by cast(seq as integer) desc
\ No newline at end of file
+ -- Sort by event datedescending (newest first)
+order by cast(events_persisted.timestamp as integer) desc
\ No newline at end of file
diff --git a/Census.sql b/Census.sql
index 6bf2b0c..43f8850 100644
--- a/Census.sql
+++ b/Census.sql
@@ -38,5 +38,6 @@ where
 events_persisted.full_event_name like 'Census%'
- -- Sort by event sequence number descending (newest first)
-order by cast(seq as integer) desc
\ No newline at end of file
+
+ -- Sort by event datedescending (newest first)
+order by cast(events_persisted.timestamp as integer) desc
\ No newline at end of file
diff --git a/ClientRunningTime.sql b/ClientRunningTime.sql
index 9895347..bf0a599 100644
--- a/ClientRunningTime.sql
+++ b/ClientRunningTime.sql
@@ -68,5 +68,5 @@ json_extract(events_persisted.payload,'$.data.InterfaceId') as 'Interface Id'
 from events_persisted
 where
 events_persisted.full_event_name like '%DxgKrnlTelemetry.ClientRunningTime%'
- -- Sort by event sequence number descending (newest first)
-order by cast(seq as integer) desc
\ No newline at end of file
+ -- Sort by event datedescending (newest first)
+order by cast(events_persisted.timestamp as integer) desc
\ No newline at end of file
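Review bot: The two new bare `join`s to event_tags and tag_descriptions are inner joins, so an AppInteractivity event whose full_event_name_hash has no row in event_tags now vanishes from the output, and an event name that carries more than one tag comes back once per tag; for a triage query that is a silent loss or duplication of evidence. Using `left join event_tags on ...` and `left join tag_descriptions on ...` with the same on-clauses, and either documenting that rows can repeat per tag or collapsing the tag names per event, would keep every event visible. The new sort comment `-- Sort by event datedescending (newest first)` is missing a space (`date descending`); the identical text is added in the Census.sql, ClientRunningTime.sql, Microsoft.WebBrowser.sql, MobilityExperience.YourPhone.sql and NetworkingTriage.sql hunks. The `cast(events_persisted.timestamp as integer)` in the new order by looks redundant if the column is already numeric, as the arithmetic on it earlier in this file suggests; `order by events_persisted.timestamp desc` reads more plainly.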
diff --git a/EventTranscript_GetEventNameList.sql b/EventTranscript_GetEventNameList.sql
new file mode 100644
index 0000000..12745d0
--- /dev/null
+++ b/EventTranscript_GetEventNameList.sql
@@ -0,0 +1,9 @@
+-- List unigue Event Names from
+-- from C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db
+
+SELECT
+
+distinct events_persisted.full_event_name
+
+from events_persisted
+order by events_persisted.full_event_name asc
\ No newline at end of file
diff --git a/Microsoft.WebBrowser.sql b/Microsoft.WebBrowser.sql
index 2b2235f..a39519b 100644
--- a/Microsoft.WebBrowser.sql
+++ b/Microsoft.WebBrowser.sql
@@ -67,6 +67,5 @@ tag_descriptions.tag_name not like '%Device Connectivity and Configuration%' and
 tag_descriptions.tag_name not like '%Performance%' )
-
- -- Sort by event sequence number descending (newest first)
-order by cast(seq as integer) desc
\ No newline at end of file
+ -- Sort by event datedescending (newest first)
+order by cast(events_persisted.timestamp as integer) desc
\ No newline at end of file
diff --git a/MobilityExperience.YourPhone.sql b/MobilityExperience.YourPhone.sql
index aca54af..25ca612 100644
--- a/MobilityExperience.YourPhone.sql
+++ b/MobilityExperience.YourPhone.sql
@@ -52,4 +52,7 @@ and events_persisted.full_event_name not like 'Microsoft.Windows.MobilityExperie
 and events_persisted.full_event_name not like 'Microsoft.Windows.MobilityExperience.YourPhone.Cdm%' -- Content delivery diagnostics
 and events_persisted.full_event_name not like 'Microsoft.Windows.MobilityExperience.YourPhone.FullTrustServerCreateFactory%' -- Before sent message
 and events_persisted.full_event_name not like 'Microsoft.Windows.MobilityExperience.YourPhone.AppServiceCanceled%' -- After sent message
-order by events_persisted.timestamp desc
\ No newline at end of file
+
+
+ -- Sort by event datedescending (newest first)
+order by cast(events_persisted.timestamp as integer) desc
\ No newline at end of file
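Review bot: The new EventTranscript_GetEventNameList.sql mixes keyword cases (`SELECT` uppercase, `distinct`, `from`, `order by` lowercase) and separates `SELECT` from `distinct` with blank lines, which reads like an unfinished edit; the other queries in this diff use lowercase keywords throughout, so `select distinct events_persisted.full_event_name` on one line would match them. The header comment has a typo and a doubled word, `-- List unigue Event Names from` followed by `-- from C:\...`; `-- List unique event names from` with the path on the next line reads cleanly.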
diff --git a/NetworkingTriage.sql b/NetworkingTriage.sql
index 646f3f3..ffcc014 100644
--- a/NetworkingTriage.sql
+++ b/NetworkingTriage.sql
@@ -123,5 +123,7 @@ and events_persisted.full_event_name not like '%MediaConnected%'
 and events_persisted.full_event_name not like '%DhcpSetEventInRenewState%'
 and events_persisted.full_event_name not like '%SolicitAttempt%'
 and events_persisted.full_event_name not like '%InterfaceCapabilityChangedEvent%'
--- Sort by date descending (newest first)
-order by events_persisted.timestamp desc
\ No newline at end of file
+
+
+ -- Sort by event datedescending (newest first)
+order by cast(events_persisted.timestamp as integer) desc
\ No newline at end of file