Parsing Diagnostic Data With Powershell and Enhanced Logging

  • Devon Ackerman
  • Josh Mitchell


EventTranscript.db can be parsed with PowerShell. To interact with the service and retrieve the database contents, you need to install the Microsoft.DiagnosticsDataViewer PowerShell module as outlined by Microsoft here. The module is also available from the PowerShell Gallery (PSGallery) here.

Usage of the PowerShell module is straightforward but suffers from minor issues. The module allows for control of the logging capabilities provided by the DiagTrack service. However, it requires installation of the Diagnostic Data Viewer application from the Microsoft Store. Once that is installed, diagnostic data viewing can be enabled via the Enable-DiagnosticDataViewing cmdlet (Figure 1).


Figure 1: “Enable-DiagnosticDataViewing” Cmdlet

Viewing the various categories of diagnostic data is accomplished by using the Get-DiagnosticDataCategories cmdlet. The documentation at (https://docs.microsoft.com/en-us/powershell/module/microsoft.diagnosticdataviewer/?view=windowsserver2019-ps) lists the cmdlet as Get-DiagnosticDataTypes. As shown in Figure 2, this is incorrect.


Figure 2: Enumeration of Data Collection Types 

Next, we can extract various diagnostic data and apply filters. The output is typically provided as JSON (Figure 3), but we can also export the data as a CSV.
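The extraction step described above, as an added example that is not part of the original post. It assumes the Microsoft.DiagnosticsDataViewer module is installed and Enable-DiagnosticDataViewing has already been run; the -StartTime/-EndTime parameters of Get-DiagnosticData, the output folder and the event property names (time, name) used for the CSV are assumptions, taken from the event JSON layout rather than from the post.

```powershell
# Added example: pull the last 24 hours of DiagTrack events and save them
# as JSON (full nested payload) and as a flattened CSV for quick triage.
Import-Module Microsoft.DiagnosticsDataViewer

$outDir = Join-Path $env:USERPROFILE 'DiagTrackExport'   # assumed output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$end   = Get-Date
$start = $end.AddDays(-1)

# Time window filter applied to the EventTranscript.db contents
# (-StartTime/-EndTime are assumed parameter names of Get-DiagnosticData)
$events = @(Get-DiagnosticData -StartTime $start -EndTime $end)

# Raw JSON keeps the nested 'data' object intact for later field-level parsing
$events | ConvertTo-Json -Depth 10 |
    Set-Content -Path (Join-Path $outDir 'diagtrack.json') -Encoding UTF8

# Flattened CSV: one row per event with the fields analysts sort on first.
# 'time' and 'name' are the top-level event fields seen in the JSON output;
# their exact names on a given build are an assumption.
$events |
    Select-Object @{ n = 'Time'; e = { $_.time } },
                  @{ n = 'Name'; e = { $_.name } } |
    Sort-Object Time |
    Export-Csv -Path (Join-Path $outDir 'diagtrack.csv') -NoTypeInformation

'{0} events exported to {1}' -f $events.Count, $outDir
```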


Figure 3: JSON Output

Enhanced Logging

Enhanced logging of telemetry data provided by the DiagTrack service is enabled by selecting the Optional diagnostic data option from the Diagnostics and feedback section in Windows Settings (Figure 4). However, on several systems where we tested the logging functionality of the DiagTrack service, the Optional diagnostic data option was greyed out in the GUI.


Figure 4: “Optional diagnostic data” Option

To manually enable the additional logging capabilities of the service, we can modify the following registry keys to contain a DWORD value of 0x00000003. This value correlates to the Optional diagnostic data setting as shown above.


Figure 5: Registry Settings 


Figure 6: Registry Location 

Once it is enabled, we can toggle the optional data collection categories.


Figure 7: Optional Data Collection Selection

Optional data collection enables us to record web traffic visited by Internet Explorer and Microsoft Edge. The telemetry collection appears to be enabled via the Aria telemetry collection packages. Settings for these packages can be found under the registry keys (Figure 8).


Figure 8: Settings for Aria Telemetry Collection Packages

Unfortunately, web traffic from Firefox and Google Chrome does not appear to be collected. However, we can determine partial URL and navigation time from the navigationUrlBytes and time fields of the Browser History diagnostic data category. As shown in Figure 9, the navigationUrlBytes field contains the value 0x646F67732E676F6F676C652E636F6D. Decoded to text, this field contains the domain name and top-level domain (TLD) values google.com.
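Decoding the navigationUrlBytes field described above, as an added example that is not part of the original post. The sample event below is constructed to mirror the two field names the post reports (navigationUrlBytes, time); the event name and the nesting of navigationUrlBytes under a data object are assumptions.

```powershell
# Added example: turn the hex-encoded navigationUrlBytes value of a
# Browser History event back into the visited host name.
function ConvertFrom-NavigationUrlBytes {
    param([Parameter(Mandatory)][string]$Hex)
    # Accept an optional 0x prefix, then validate before decoding
    $clean = $Hex -replace '^0x', ''
    if ($clean.Length % 2 -ne 0 -or $clean -notmatch '^[0-9A-Fa-f]+$') {
        throw "navigationUrlBytes is not a valid hex string: $Hex"
    }
    $bytes = for ($i = 0; $i -lt $clean.Length; $i += 2) {
        [Convert]::ToByte($clean.Substring($i, 2), 16)
    }
    [System.Text.Encoding]::UTF8.GetString([byte[]]$bytes)
}

# Constructed sample: one Browser History event as it would appear after
# exporting Get-DiagnosticData output to JSON (field layout is assumed).
$sampleJson = @'
[
  { "name": "sample-browser-history-event",
    "time": "2021-07-08T14:03:11.1234567Z",
    "data": { "navigationUrlBytes": "0x646F67732E676F6F676C652E636F6D" } }
]
'@

$events = $sampleJson | ConvertFrom-Json
foreach ($e in $events) {
    [pscustomobject]@{
        Time = [datetime]$e.time
        Host = ConvertFrom-NavigationUrlBytes $e.data.navigationUrlBytes
    }
}
# The sample value decodes to dogs.google.com, a host whose domain and TLD
# are google.com; only the host portion of the URL is recoverable here.
```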


Figure 9: “navigationUrlBytes” Field
