Fri, Jul 9, 2021
Parsing Diagnostic Data With Powershell and Enhanced Logging

EventTranscript.db can be parsed with PowerShell. To interact with the DiagTrack service and retrieve the database contents, install the Microsoft.DiagnosticDataViewer PowerShell module as documented by Microsoft; the same module is also published on the PowerShell Gallery (PSGallery).
Usage of the module is straightforward but has a few rough edges. It exposes control over the logging capabilities provided by the DiagTrack service, but it requires the Diagnostic Data Viewer application from the Microsoft Store to be installed first. Once that application is present, diagnostic data viewing can be enabled with the Enable-DiagnosticDataViewing cmdlet (Figure 1).
Figure 1: “Enable-DiagnosticDataViewing” Cmdlet
The categories of diagnostic data are listed with the Get-DiagnosticDataCategories cmdlet. The module documentation at https://docs.microsoft.com/en-us/powershell/module/microsoft.diagnosticdataviewer/?view=windowsserver2019-ps lists this cmdlet as Get-DiagnosticDataTypes; as shown in Figure 2, that name does not match the cmdlet exposed by the installed module. Running Get-Command -Module Microsoft.DiagnosticDataViewer shows which name the version you have actually provides.
Figure 2: Enumeration of Data Collection Types
Next, we can extract the diagnostic data itself and apply filters such as a time window. The records come back as JSON (Figure 3), and the resulting objects can also be exported to CSV for review in other tools.
Figure 3: JSON Output
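The following script is an added example, not code from the original article, that walks the steps above end to end: install the module, make sure DiagTrack is running, enable viewing, list the data categories, pull the last 24 hours of records and export them as JSON and CSV. Cmdlet names follow the Microsoft.DiagnosticDataViewer module documentation, the -StartTime and -EndTime parameters of Get-DiagnosticData are taken from that documentation, and the output directory is an arbitrary choice. Because the category cmdlet is documented under one name and shipped under another (Figure 2), the script resolves whichever of the two names the loaded module actually exports rather than hard-coding either. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original article): collect diagnostic data with the
# Microsoft.DiagnosticDataViewer module and export it for analysis.
Install-Module -Name Microsoft.DiagnosticDataViewer -Scope CurrentUser -Force
Import-Module Microsoft.DiagnosticDataViewer

# Nothing is written to EventTranscript.db unless the DiagTrack service is running.
if ((Get-Service -Name DiagTrack).Status -ne 'Running') {
    Start-Service -Name DiagTrack
}

# Turn on local diagnostic data viewing (requires elevation).
Enable-DiagnosticDataViewing

# The documentation names the category cmdlet Get-DiagnosticDataTypes while the
# installed module exposed Get-DiagnosticDataCategories (Figure 2). Resolve
# whichever one this module version actually exports instead of guessing.
$categoryCmdlet = Get-Command -Module Microsoft.DiagnosticDataViewer `
    -Name Get-DiagnosticDataCategories, Get-DiagnosticDataTypes `
    -ErrorAction SilentlyContinue | Select-Object -First 1
if ($categoryCmdlet) {
    Write-Host "Categories (via $($categoryCmdlet.Name)):"
    & $categoryCmdlet
}

# Pull records for a time window; each returned object carries one event's JSON payload.
$end   = Get-Date
$start = $end.AddHours(-24)
$records = @(Get-DiagnosticData -StartTime $start -EndTime $end)

# Export directory is an assumption for this example; change as needed.
$outDir = Join-Path $env:USERPROFILE 'DiagTrackExport'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# JSON keeps the nested payload intact; CSV flattens nested properties to strings,
# which is usually enough for a first triage pass in a spreadsheet or timeline tool.
$records | ConvertTo-Json -Depth 10 |
    Set-Content -Path (Join-Path $outDir 'diagnostic_data.json') -Encoding UTF8
$records | Export-Csv -Path (Join-Path $outDir 'diagnostic_data.csv') -NoTypeInformation -Encoding UTF8

"{0} records from {1:u} to {2:u} exported to {3}" -f $records.Count, $start, $end, $outDir
```

Keep the JSON export as the primary artifact: the CSV is convenient for sorting and filtering, but the nested fields that later sections rely on (for example navigationUrlBytes inside Browser History records) survive only in the JSON copy.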
Enhanced Logging
Enhanced logging of telemetry data by the DiagTrack service is enabled by selecting the Optional diagnostic data option in the Diagnostics & feedback section of Windows Settings (Figure 4). However, on several systems on which we tested the DiagTrack logging functionality, the Optional diagnostic data option was greyed out in the GUI, which typically indicates that the diagnostic data level is being managed by policy.
Figure 4:“Optional diagnostic data” Option
To enable the additional logging manually, set the registry values shown in Figures 5 and 6 to a DWORD of 0x00000003. This value corresponds to the Optional diagnostic data setting shown above.
Figure 5: Registry Settings
Figure 6: Registry Location
Once the Optional level is in effect, the individual optional data collection categories can be toggled (Figure 7).
Figure 7: Optional Data Collection Selection
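As an added example (not part of the original article), the script below sets the diagnostic data level to 3 and reads it back so the change can be verified before and after. It assumes the two standard AllowTelemetry policy locations for the diagnostic data level; the article's own Figures 5 and 6 show the values it modified, so confirm those match your build before running. The level-name table reflects the documented meaning of the four AllowTelemetry values. Run from an elevated session.

```powershell
# Added example (not from the original article): set and verify the diagnostic
# data level that the "Optional diagnostic data" GUI option corresponds to.

# Assumed: the standard AllowTelemetry locations for the diagnostic data level.
$telemetryKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
)

# Documented meaning of the AllowTelemetry DWORD.
$levelNames = @{ 0 = 'Security'; 1 = 'Required (Basic)'; 2 = 'Enhanced'; 3 = 'Optional (Full)' }

function Get-DiagnosticLevel {
    # Report the current value at each location; a missing value means the level
    # is not forced by policy at that key.
    foreach ($key in $telemetryKeys) {
        $value = (Get-ItemProperty -Path $key -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
        $label = if ($null -eq $value) { '(not set)' } else { $levelNames[[int]$value] }
        [pscustomobject]@{ Key = $key; Value = $value; Level = $label }
    }
}

function Set-DiagnosticLevel {
    param([ValidateRange(0, 3)][int]$Level = 3)
    foreach ($key in $telemetryKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # DWORD 3 corresponds to the Optional diagnostic data setting (Figure 4).
        Set-ItemProperty -Path $key -Name AllowTelemetry -Value $Level -Type DWord
    }
    # Restart DiagTrack so the service picks up the new level (a reboot also works).
    Restart-Service -Name DiagTrack
}

Write-Host 'Before:'
Get-DiagnosticLevel | Format-Table -AutoSize

Set-DiagnosticLevel -Level 3

Write-Host 'After:'
Get-DiagnosticLevel | Format-Table -AutoSize
```

Because these are policy locations, writing them is what makes the Settings page option appear greyed out: the GUI is reporting that the level is managed rather than chosen by the user. Record the original values before changing them on a system you intend to restore afterwards.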
Optional data collection allows web traffic from Internet Explorer and Microsoft Edge to be recorded. This collection appears to be enabled through the Aria telemetry collection packages; the settings for these packages are found under the registry keys shown in Figure 8.
Figure 8: Settings for Aria Telemetry Collection Packages
Unfortunately, web traffic from Firefox and Google Chrome does not appear to be collected. However, a partial URL and the navigation time can be recovered from the navigationUrlBytes and time fields of the Browser History diagnostic data category. In Figure 9, navigationUrlBytes contains the value 0x646F67732E676F6F676C652E636F6D. Read as one ASCII character per byte, this decodes to dogs.google.com: the visited host, whose domain name and top-level domain (TLD) are google.com.
Figure 9: “navigationUrlBytes” Field
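The following is an added example, not code from the original article, showing how to turn Browser History records into a readable navigation timeline. The two records are constructed to mirror the field names the article reports (time and navigationUrlBytes, with the first hex value taken from Figure 9); real records may nest these fields deeper inside the event payload, so adjust the property access to match the JSON you exported. The hex-to-text routine rejects odd-length strings and replaces any non-printable byte, so a truncated or corrupt value cannot silently produce misleading output.

```powershell
# Added example (not from the original article): decode navigationUrlBytes from
# Browser History diagnostic records into a host/time table.

# Constructed sample input; field layout is assumed to be flat for this example.
$sampleRecords = @'
[
  { "time": "2021-07-01T14:22:05.000Z", "navigationUrlBytes": "0x646F67732E676F6F676C652E636F6D" },
  { "time": "2021-07-01T14:25:41.000Z", "navigationUrlBytes": "0x6578616D706C652E636F6D" }
]
'@ | ConvertFrom-Json

function ConvertFrom-HexString {
    # Convert "0x6465..." (or bare hex) to a byte array, refusing malformed input.
    param([Parameter(Mandatory)][string]$Hex)
    $clean = ($Hex -replace '^0[xX]', '') -replace '\s', ''
    if ($clean.Length -eq 0 -or $clean.Length % 2 -ne 0) {
        throw "navigationUrlBytes is not valid even-length hex: '$Hex'"
    }
    $bytes = [byte[]]::new($clean.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($clean.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function Get-DecodedNavigation {
    param([Parameter(Mandatory)][object[]]$Records)
    foreach ($record in $Records) {
        if (-not $record.navigationUrlBytes) { continue }
        $bytes = ConvertFrom-HexString -Hex $record.navigationUrlBytes
        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
        # The field is a URL prefix, so anything outside printable ASCII is unexpected;
        # mask it rather than emit control characters into reports or log lines.
        $text  = [regex]::Replace($text, '[^\x20-\x7E]', '.')
        $hostPart = ($text -split '/')[0]
        # Naive two-label split: fine for google.com, wrong for suffixes such as co.uk.
        $labels = $hostPart -split '\.'
        $domain = if ($labels.Count -ge 2) { $labels[-2..-1] -join '.' } else { $hostPart }
        [pscustomobject]@{
            Time    = [datetime]$record.time
            Decoded = $text
            Host    = $hostPart
            Domain  = $domain
        }
    }
}

Get-DecodedNavigation -Records $sampleRecords | Sort-Object Time | Format-Table -AutoSize
```

Against the constructed input the first row decodes to dogs.google.com with Domain google.com, matching Figure 9, and the second to example.com. Feed the function the objects from the JSON export instead of $sampleRecords to build the same table from a live system.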