diff --git a/ClientRunningTime.sql b/ClientRunningTime.sql
index 3390da9..e35d09f 100644
--- a/ClientRunningTime.sql
+++ b/ClientRunningTime.sql
@@ -50,11 +50,11 @@ case json_extract(events_persisted.payload,'$.data.IsWslProcess')
 -- SHA1 Hash of the application that produced this event
 case when substr(json_extract(events_persisted.payload,'$.ext.app.id'),1,1) is 'W' -- Windows Application x32/x64
- then upper(substr(json_extract(events_persisted.payload,'$.ext.app.id'),52,44 ))
+ then upper(substr(json_extract(events_persisted.payload,'$.ext.app.id'),52,40 ))
 -- Same as the 'FileId' in Amcache.hve (Root\InventoryApplicationFile\)
 end as 'SHA1', -- (SHA1 Base16) checked & verified
--- Version of the application that produced this event
+-- ProgramId of the application that produced this event
 case when substr(json_extract(events_persisted.payload,'$.ext.app.id'),1,1) is 'W' -- Windows Application x32/x64
  then upper(substr(json_extract(events_persisted.payload,'$.ext.app.id'),3,44 ))
 end as 'ProgramId', -- Same as the 'ProgramId' in Amcache.hve (Root\InventoryApplicationFile\)
diff --git a/EventTranscript_GetEventNameList.sql b/EventTranscript_GetEventNameList.sql
index 88b770e..be58072 100644
--- a/EventTranscript_GetEventNameList.sql
+++ b/EventTranscript_GetEventNameList.sql
@@ -1,9 +1,13 @@
--- List unique Event Names from
+-- List unigue Event Names from
 -- from C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db
 SELECT
-distinct events_persisted.full_event_name
+events_persisted.full_event_name,
+count(events_persisted.full_event_name) as count
+-- events_persisted.payload
 from events_persisted
-order by events_persisted.full_event_name asc
+-- where events_persisted.full_event_name like '%Defender%'
+group by events_persisted.full_event_name
+order by events_persisted.full_event_name asc
\ No newline at end of file
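Review bot: The `is 'W'` test on the first character is the only validation before the fixed-offset `substr(...,52,40)` on the added line, so an app.id that is shorter than expected yields a truncated string that still looks like a hash instead of NULL, and a forensic match against the Amcache FileId the comment refers to would then be made on a partial value; gating the extraction on the id's length, e.g. `when substr(json_extract(events_persisted.payload,'$.ext.app.id'),1,1) is 'W' and length(json_extract(events_persisted.payload,'$.ext.app.id')) >= 91`, keeps such values out of the SHA1 column. The offsets 52/40 and 3/44 encode an assumed layout of the Windows app.id string that none of the surrounding comments state; a line such as `-- offsets assume the Windows app.id layout: ProgramId at chars 3-46, SHA-1 hex at chars 52-91` above the first case would make that dependency explicit and explain why 44 was wrong for the hash. Quoting the column aliases as string literals (`as 'SHA1'`, `as 'ProgramId'`) relies on an SQLite leniency; `as SHA1` or `as "SHA1"` is the portable form. The enclosing SELECT starts before and continues past this hunk.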
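Review bot: The rewritten header comment on the first added line introduces a typo, `unique` became `unigue`; it should stay `-- List unique Event Names from`. The alias `as count` reuses the aggregate function's name, which SQLite accepts but other engines may reject and readers will trip over; `as event_count` avoids it, and `count(*)` would make the per-group count independent of NULLs in full_event_name (with the GROUP BY on that same column, a NULL group would otherwise report 0). The two commented-out fragments, `-- events_persisted.payload` and the `-- where ... like '%Defender%'` line, are scratch filters left in committed code; drop them or turn the Defender filter into a documented, parameterized option. The file also lost its trailing newline in this change.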