Mon, Aug 23, 2021
Enabling EventTranscript.db: Windows Settings
Executive Summary
In Kroll’s testing, EventTranscript.db and the features for which it serves as the backend are not enabled by default on Windows 10. Diagnostic Data Viewer is required to view live the data stored within EventTranscript.db, but Diagnostic Data Viewer must be downloaded from the Microsoft Store. Additionally, Diagnostic Data must be enabled by the end user before EventTranscript.db will be enabled. Kroll combined both of these elements to populate EventTranscript.db on a fresh install of Windows 10.
Our experts observed two different options for Diagnostic Data: Required and Optional. We associate Optional with Data Sampling, which leads to much more verbose diagnostic and telemetry logging by Windows. Required still logs useful data, but Optional allows the end user to open their system to participation in Microsoft’s Data Sampling. We have yet to understand exactly how Microsoft chooses which systems take part in Data Sampling, but enabling Optional Diagnostic Data is the first step.
To enable EventTranscript.db, open the Windows Start menu and type Diagnostics and Feedback Settings. Within that menu, enable the options shown in Figure 1.
Figure 1: Diagnostics and Feedback Settings
To force the database to appear on the file system, toggle View Diagnostic Data to On and then click the Start menu, as seen in Figure 2.
Figure 2: Enabling EventTranscript.db through Diagnostic Data Viewer
Our experts determined this is the quickest way to get the database to populate when enabling it for the first time on Windows 10. Once enabled, the system will eventually create the file and populate the database. A tool like Everything can be used to monitor the folder where EventTranscript.db resides; it is the easiest way to observe the file’s first appearance on the file system.
In Windows 11, we observed that taking part in the Developer Insider Preview appears to require Optional Diagnostic Data with Data Sampling. As of this publication, this appears to be the best way for an examiner to dive into this database with the most verbose logging enabled by default. Nothing appears to have changed between Windows 10 and Windows 11 in how this database is enabled, which events are recorded, or how events are recorded.
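A PowerShell check, added here and not part of Kroll’s post, that reports whether the settings described above are in place and whether the database has appeared on disk, so an examiner can confirm a test system is logging before waiting on it. The registry keys, the database path, the service name and the value-to-level mapping are assumptions drawn from public Windows documentation, not values taken from this article.

```powershell
# Added example (not Kroll's code). Registry keys, database path and value mapping
# are assumptions from public Windows documentation; adjust if your build differs.
function Get-EventTranscriptStatus {
    [CmdletBinding()]
    param(
        # Assumed default location of the database on a standard install.
        [string]$DbPath = 'C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db'
    )

    # Reads one DWORD; returns $null when the key or value is absent.
    function Read-Dword([string]$Key, [string]$Name) {
        $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.$Name }
        return $null
    }

    # Level chosen in Settings > Diagnostics & feedback (assumed key): 1 = Required, 3 = Optional.
    # A Group Policy value, when present, takes precedence over the user's choice.
    $userLevel   = Read-Dword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection' 'AllowTelemetry'
    $policyLevel = Read-Dword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' 'AllowTelemetry'
    $effective   = if ($null -ne $policyLevel) { $policyLevel } else { $userLevel }
    $levelName   = switch ($effective) {
        0 { 'Security' } 1 { 'Required' } 2 { 'Enhanced (legacy)' } 3 { 'Optional' } default { 'Not set' }
    }

    # "View diagnostic data" toggle (assumed key) that makes the database appear on disk.
    $transcript = Read-Dword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\EventTranscriptKey' 'EnableEventTranscript'

    [pscustomobject]@{
        DiagnosticDataLevel  = $levelName
        SetByGroupPolicy     = ($null -ne $policyLevel)
        ViewDiagnosticDataOn = ($transcript -eq 1)
        DiagTrackRunning     = ((Get-Service -Name DiagTrack -ErrorAction SilentlyContinue).Status -eq 'Running')
        DatabasePresent      = (Test-Path -LiteralPath $DbPath)
        DatabaseSizeBytes    = if (Test-Path -LiteralPath $DbPath) { (Get-Item -LiteralPath $DbPath).Length } else { 0 }
    }
}

# Polls for the database's first appearance instead of watching the folder by hand.
function Wait-EventTranscriptDb {
    param([string]$DbPath = 'C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db',
          [int]$TimeoutSeconds = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if (Test-Path -LiteralPath $DbPath) { return Get-Item -LiteralPath $DbPath }
        Start-Sleep -Seconds 5
    }
    return $null   # timed out; the toggle or service may not be in effect yet
}

Get-EventTranscriptStatus | Format-List
```

Run from an elevated prompt so the HKLM keys and the ProgramData folder are readable; a Group Policy value of 0 will keep the database from populating regardless of the Settings toggles.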