Enabling EventTranscript

In Kroll’s testing, EventTranscript.db and the features it serves as the backend for are not enabled by default on Windows 10. Diagnostic Data Viewer is required to view live the data stored within EventTranscript.db; however, Diagnostic Data Viewer needs to be downloaded from the Microsoft Store. Additionally, Diagnostic Data needs to be enabled by the end user before EventTranscript.db will be enabled. Kroll used both of these elements to populate EventTranscript.db from a fresh install of Windows 10.

Our experts observed two different options regarding Diagnostic Data: Required and Optional. We have associated Optional with Data Sampling, leading to much more verbose diagnostic and telemetry logging by Windows. While there is still useful data logged with Required, Optional allows the end user to open their system to participate in Microsoft’s Data Sampling. We have yet to understand how exactly Microsoft chooses which systems to be part of Data Sampling, but we understand that enabling Optional Diagnostic Data is the first step.

To enable EventTranscript.db, go to the Windows Start menu and type the following: Diagnostics and Feedback Settings. Within that menu, enable the options shown in Figure 1.


Figure 1: Diagnostics and Feedback Settings

To force the database to appear on the file system, toggle View Diagnostic Data to On and, once it is enabled, click the Start menu, as seen in Figure 2.


Figure 2: Enabling EventTranscript.db through Diagnostic Data Viewer

Our experts determined this is the quickest way to get the database to populate upon enabling it for the first time on Windows 10. Once enabled, the system will eventually create the file and populate the database. We found that a tool like Everything can be used to monitor the folder path where EventTranscript.db resides; it is the easiest way to observe its first appearance on the file system once enabled.
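As an added example, not part of Kroll’s post, the following read-only PowerShell script reports the current Diagnostic Data level and the Diagnostic Data Viewer toggle, then polls for EventTranscript.db so an examiner can catch its first appearance without a third-party file-system monitor. The registry locations and the database path are not stated in this article; they are assumed from Microsoft’s documentation of the feature.

```powershell
# Added example (not Kroll's code): report Diagnostic Data state and wait for
# EventTranscript.db to appear. Registry locations and the database path are
# assumptions taken from Microsoft's documentation, not from the article.
$DbPath = 'C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db'
$Levels = @{ 0 = 'Security'; 1 = 'Required (Basic)'; 2 = 'Enhanced'; 3 = 'Optional (Full)' }

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}

# A Group Policy value overrides the value written by the Settings app.
$policy   = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' 'AllowTelemetry'
$settings = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection' 'AllowTelemetry'
$level = if ($null -ne $policy) { $policy } else { $settings }
if ($null -ne $level) {
    "Diagnostic Data level: $level ($($Levels[[int]$level]))"
} else {
    'Diagnostic Data level: not set (Windows default applies)'
}

# The "View diagnostic data" toggle (Figure 2) is expected to set this value to 1.
$viewer = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\EventTranscriptKey' 'EnableEventTranscript'
"Diagnostic Data Viewer enabled: $($viewer -eq 1)"

# Poll for the database; it can take a while to be created after enabling.
$deadline = (Get-Date).AddMinutes(10)
while (-not (Test-Path $DbPath) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 15
}
if (Test-Path $DbPath) {
    Get-Item $DbPath | Select-Object FullName, Length, CreationTime, LastWriteTime
} else {
    "EventTranscript.db not found at $DbPath after 10 minutes"
}
```

Run it from an elevated prompt after changing the settings shown in Figures 1 and 2; the CreationTime it reports is the first-appearance timestamp the text describes observing with Everything.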

In Windows 11, we observed that partaking in the Developer Insider Preview appears to require Optional Diagnostic Data with Data Sampling. As of the date of this publication, this appears to be the best way for an examiner to dive into this database with the most verbose logging enabled by default. It does not appear anything has changed between Windows 10 and Windows 11 regarding how this database is enabled, which events are recorded or how events are recorded.

Enabling EventTranscript.db: Windows Settings. Published 2021-08-23.