-- Diagnostic -- Win32kTraceLogging.AppInteractivity & -- Win32kTraceLogging.AppInteractivitySummary -- -- from C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db -- For more info visit https://github.com/rathbuna/EventTranscript.db-Research -- https://docs.microsoft.com/en-us/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields -- and "Forensic Quick Wins With EventTranscript.DB: Win32kTraceLogging" at -- https://www.kroll.com/en/insights/publications/cyber/forensically-unpacking-eventtranscript/forensic-quick-wins-with-eventtranscript SELECT --Timestamp from db field json_extract(events_persisted.payload,'$.time') as 'UTC TimeStamp', -- Timestamp from json payload datetime((timestamp - 116444736000000000)/10000000, 'unixepoch','localtime') as 'Local TimeStamp', json_extract(events_persisted.payload,'$.ext.loc.tz') as 'TimeZome', json_extract(events_persisted.payload,'$.ext.utc.seq') as 'seq', -- events json_extract(events_persisted.payload,'$.data.EventSequence') as 'EventSequence', -- AppInteractivity% specific json_extract(events_persisted.payload,'$.data.AggregationStartTime') as 'AggregationStartTime (UTC)', -- Start date and time of AppInteractivity aggregation time(json_extract(events_persisted.payload,'$.data.AggregationDurationMS'),'unixepoch') as 'AggregationDuration', -- Actual duration of aggregation period (in milliseconds) -- App name case when substr(json_extract(events_persisted.payload,'$.data.AppId'),1,1) is 'W' -- Windows Application x32/x64 then substr(json_extract(events_persisted.payload,'$.data.AppId'),93) when substr(json_extract(events_persisted.payload,'$.data.AppId'),1,1) is 'U' -- Universal Windows App (UWP) then substr(json_extract(events_persisted.payload,'$.data.AppId'),3) else json_extract(events_persisted.payload,'$.data.AppId') -- just in case .. end as 'AppId', -- Focus case json_extract(events_persisted.payload,'$.data.FocusState') when 0 then 'Back' when 1 then 'In Focus' else json_extract(events_persisted.payload,'$.data.FocusState') end as 'FocusState', time(json_extract(events_persisted.payload,'$.data.FocusDurationMS'),'unixepoch') as 'FocusDuration', json_extract(events_persisted.payload,'$.data.FocusLostCount') as 'FocusLostCount', -- Number of times that an app lost focus during the aggregation period -- Version of the application that produced this event case when substr(json_extract(events_persisted.payload,'$.data.AppId'),1,1) is 'W' -- Windows Application x32/x64 then substr(json_extract(events_persisted.payload,'$.data.AppVersion'),1,19 ) end as 'AppVersion Date', -- Same as the 'LinkDate' in Amcache.hve (Root\InventoryApplicationFile\) case when substr(json_extract(events_persisted.payload,'$.data.AppId'),1,1) is 'W' -- Windows Application x32/x64 then substr(json_extract(events_persisted.payload,'$.data.AppVersion'),21,(instr(substr(json_extract(events_persisted.payload,'$.data.AppVersion'),21),'!')-1) ) end as 'PE Header CheckSum', -- PE Header CheckSum variable size (4-6) case substr(json_extract(events_persisted.payload,'$.data.AppId'),1,1) when 'W' then 'Win' -- Windows Application x32/x64 when 'U' then 'UWP' -- Universal Windows App (UWP) end as 'Type', case when substr(json_extract(events_persisted.payload,'$.data.AppId'),1,1) is 'W' -- Windows Application x32/x64 then substr(json_extract(events_persisted.payload,'$.data.AppVersion'),(instr(substr(json_extract(events_persisted.payload,'$.data.AppVersion'),22),'!')+22)) else json_extract(events_persisted.payload,'$.data.AppVersion') end as 'Executable', -- Window Size json_extract(events_persisted.payload,'$.data.WindowWidth')||'x'||json_extract(events_persisted.payload,'$.data.WindowHeight') as 'WindowSize(WxH)', -- Activity Durations in HH:MM::SS except MouseInputSec time(json_extract(events_persisted.payload,'$.data.FocusDurationMS'),'unixepoch') as 'FocusDuration', json_extract(events_persisted.payload,'$.data.MouseInputSec') as 'MouseInputSec', -- Total number of seconds during which there was mouse input (In Seconds) time(json_extract(events_persisted.payload,'$.data.InFocusDurationMS'),'unixepoch') as 'InFocusDuration', -- Total time (in milliseconds) the application had focus time(json_extract(events_persisted.payload,'$.data.UserActiveDurationMS'),'unixepoch') as 'UserActiveDuration', -- Total time that the user was active including all input methods time(json_extract(events_persisted.payload,'$.data.SinceFirstInteractivityMS'),'unixepoch') as 'SinceFirstInteractivity', -- in Milliseconds time(json_extract(events_persisted.payload,'$.data.UserOrDisplayActiveDurationMS'),'unixepoch') as 'UserOrDisplayActiveDuration', -- Total time the user was using the display -- Focus json_extract(events_persisted.payload,'$.data.FocusLostCount') as 'FocusLostCount', -- Number of times that an app lost focus during the aggregation period -- Tracking case when substr(json_extract(events_persisted.payload,'$.data.AppId'),1,1) is 'W' -- Windows Application x32/x64 then upper(substr(json_extract(events_persisted.payload,'$.data.AppId'),52,40)) -- (removed 0x0000 from the start of the hash) -- Same as the 'FileId' in Amcache.hve (Root\InventoryApplicationFile\) end as 'SHA1', -- (SHA1 Base16) checked & verified case when substr(json_extract(events_persisted.payload,'$.data.AppId'),1,1) is 'W' -- Windows Application x32/x64 then upper(substr(json_extract(events_persisted.payload,'$.data.AppId'),3,44)) end as 'ProgramId', -- Same as the 'ProgramId' in Amcache.hve (Root\InventoryApplicationFile\) upper(json_extract(events_persisted.payload,'$.data.AppSessionId')) as 'AppSessionId', -- Local, MS or AAD account trim(json_extract(events_persisted.payload,'$.ext.user.localId'),'m:') as 'UserId', sid as 'User SID', tag_descriptions.tag_name, -- where you'll see these events in MS Diagnostic Data Viewer app logging_binary_name from events_persisted join event_tags on events_persisted.full_event_name_hash = event_tags.full_event_name_hash join tag_descriptions on event_tags.tag_id = tag_descriptions.tag_id where -- include events: events_persisted.full_event_name in ('Win32kTraceLogging.AppInteractivity','Win32kTraceLogging.AppInteractivitySummary' ) -- Sort by event datedescending (newest first) order by cast(events_persisted.timestamp as integer) desc