Mon, Aug 23, 2021

Enabling EventTranscript.db: Windows Settings

In Kroll’s testing, EventTranscript.db and the features it serves as the backend for are not enabled by default on Windows 10. Diagnostic Data Viewer is required to view live the data stored within EventTranscript.db; however, Diagnostic Data Viewer must be downloaded from the Microsoft Store. Additionally, Diagnostic Data must be enabled by the end user before EventTranscript.db will be created. Kroll used both of these elements to populate EventTranscript.db on a fresh install of Windows 10.

Our experts observed two different options regarding Diagnostic Data: Required and Optional. We have associated Optional with Data Sampling, which leads to much more verbose diagnostic and telemetry logging by Windows. While there is still useful data logged with Required, Optional allows the end user to open their system to participation in Microsoft’s Data Sampling. We have yet to understand exactly how Microsoft chooses which systems take part in Data Sampling, but we understand that enabling Optional Diagnostic Data is the first step.

To enable EventTranscript.db, go to the Windows Start menu and type the following: Diagnostics and Feedback Settings. Within that menu, enable the options shown in Figure 1.

Figure 1: Diagnostics and Feedback Settings

In order to force the database to appear on the file system, toggle View Diagnostic Data to On, and then click on the Start menu, as seen in Figure 2.

Figure 2: Enabling EventTranscript.db through Diagnostic Data Viewer

Our experts determined this is the quickest way to get the database to populate when enabling it for the first time on Windows 10. Once enabled, the system will eventually create the file and populate the database. We found that a tool like Everything can be used to monitor the folder path where EventTranscript.db resides; it is the easiest way to observe its first appearance on the file system once enabled.
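The steps above are all taken through the Settings app, which leaves an examiner without a quick way to confirm what a host is actually set to. The PowerShell below is an added example written for this page, not a script from Kroll or from the post: it reports the Diagnostic Data level and the View Diagnostic Data toggle, checks whether the DiagTrack service is running, and then polls for the database file instead of watching the folder in Everything. The registry locations, the value name EnableEventTranscript and the database path under C:\ProgramData\Microsoft\Diagnosis are assumptions about current Windows 10/11 builds; none of them are stated in the post.

```powershell
# Added example (not from the Kroll post). Assumptions: the registry locations
# and the database path below are the ones used by current Windows 10/11 builds.
# Run from an elevated PowerShell prompt on the host being examined.

$DbPath = 'C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db'  # assumed location

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: treat as "not set"
}

function Get-DiagnosticDataState {
    # Group Policy value (wins when present) and the value written by the Settings app.
    $policy = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' 'AllowTelemetry'
    $user   = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection' 'AllowTelemetry'
    # "View Diagnostic Data" toggle from Figure 2 (assumed key and value name).
    $viewer = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\EventTranscriptKey' 'EnableEventTranscript'

    # AllowTelemetry levels: 0 Security, 1 Required (Basic), 2 Enhanced, 3 Optional (Full)
    $levels = @{ 0 = 'Security'; 1 = 'Required (Basic)'; 2 = 'Enhanced'; 3 = 'Optional (Full)' }
    $effective = if ($null -ne $policy) { $policy } else { $user }

    [pscustomobject]@{
        PolicyAllowTelemetry = $policy
        UserAllowTelemetry   = $user
        EffectiveLevel       = if ($null -ne $effective) { $levels[[int]$effective] } else { 'not set' }
        ViewDiagnosticData   = ($viewer -eq 1)
        DiagTrackService     = (Get-Service -Name DiagTrack -ErrorAction SilentlyContinue).Status
        DatabasePresent      = Test-Path $DbPath
    }
}

function Wait-EventTranscriptDb {
    # Poll for the database so its first appearance is recorded with a timestamp.
    param([int]$TimeoutMinutes = 30, [int]$PollSeconds = 15)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        if (Test-Path $DbPath) {
            $f = Get-Item $DbPath
            return [pscustomobject]@{
                Path      = $f.FullName
                Created   = $f.CreationTime
                SizeBytes = $f.Length
            }
        }
        Start-Sleep -Seconds $PollSeconds
    }
    Write-Warning "EventTranscript.db did not appear within $TimeoutMinutes minutes."
}

Get-DiagnosticDataState | Format-List
Wait-EventTranscriptDb -TimeoutMinutes 30
```

If EffectiveLevel comes back from the policy value rather than the user value, the Settings toggles in Figure 1 are being overridden by Group Policy and will not take effect until the policy is changed; that is the first thing to check when the database never appears.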

In Windows 11, we observed that partaking in the Developer Insider Preview appears to require Optional Diagnostic Data with Data Sampling. As of the date of this publication, this appears to be the best way for an examiner to dive into this database with the most verbose logging enabled by default. It does not appear anything has changed between Windows 10 and Windows 11 regarding how this database is enabled, which events are recorded or how events are recorded.
