EventTranscript DB
Overview
Evidence: EventTranscript DB
Description: Collect EventTranscript DB
Category: System
Platform: windows
Short Name: evnttrscdb
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
EventTranscript.db is a SQLite database maintained by Windows for diagnostic data and telemetry. It contains detailed information about application inventory, browser history, WiFi connections, device installations, and other system events.
This database provides unique forensic artifacts not available in other Windows logs, including granular application usage data, WiFi access point history, and detailed system inventory information.
Data Collected
This collector gathers structured data from the EventTranscript database.
EventTranscript DB Data
| Field | Description | Example |
|---|---|---|
| SID | User security identifier | S-1-5-21-… |
| Username | Username | DOMAIN\user |
| AccessTime | URL access timestamp | 2023-10-15T14:30:00 |
| URL | Visited URL | https://www.example.com |
| SID | User security identifier | S-1-5-21-… |
| Username | Username | DOMAIN\user |
| ProgramName | Application name | Google Chrome |
| InstallPath | Installation path | C:\Program Files\Google\Chrome |
| OSVersion | OS version at install time | 10.0.19041 |
| InstallDate | Installation timestamp | 2023-10-01T10:00:00 |
| Version | Application version | 118.0.5993.89 |
| SID | User security identifier | S-1-5-21-… |
| Username | Username | DOMAIN\user |
| AccessTime | Scan timestamp | 2023-10-15T14:30:00 |
| SSID | WiFi network name | Corporate-WiFi |
| MACAddress | Access point MAC address | 00:11:22:33:44:55 |
| SID | User security identifier | S-1-5-21-… |
| Username | Username | DOMAIN\user |
| DeviceMake | Device manufacturer | Dell Inc. |
| DeviceModel | Device model | Latitude 7490 |
| TimeZone | User time zone | America/New_York |
| DefaultBrowser | Default browser ProgID | ChromeHTML |
| DefaultApp | Default app for file types | |
| DeviceId | Device identifier | \\.\PHYSICALDRIVE0 |
| SerialNumber | Disk serial number | S4BXNX0N123456 |
| Size | Disk size in bytes | 512110190592 |
| NumPartitions | Number of partitions | 4 |
| BytesPerSector | Bytes per sector | 512 |
| MediaType | Media type | SSD |
| SID | User security identifier | S-1-5-21-… |
| Username | Username | DOMAIN\user |
| InterfaceGuid | Network interface GUID | {12345678-1234-1234-1234-123456789ABC} |
| InterfaceType | Interface type | 71 |
| InterfaceDescription | Interface description | Intel(R) Wireless-AC 9560 |
| SSID | Connected WiFi network | Corporate-WiFi |
| AuthAlg | Authentication algorithm | WPA2PSK |
| BSSID | Access point MAC address | 00:11:22:33:44:55 |
| Manufacturer | AP manufacturer | Cisco |
| ModelName | AP model name | AIR-AP2802I |
| ModelNumber | AP model number | AP2802I |
| SID | User security identifier | S-1-5-21-… |
| Username | Username | DOMAIN\user |
| ObjectID | Device object identifier | PCI\VEN_8086&DEV_9D60 |
| Service | Associated service | nvme |
| FirstInstallDate | First installation | 2023-01-15T10:00:00 |
| InstallDate | Last installation | 2023-10-01T14:00:00 |
| Model | Device model | Samsung SSD 970 EVO |
| Manufacturer | Device manufacturer | Samsung |
| SID | User security identifier | S-1-5-21-… |
| UserName | Username | DOMAIN\user |
| TimeStamp | Event timestamp | 2023-10-15T14:30:00.123Z |
| ProducerId | Producer ID | 123 |
| Producer | Producer name | Microsoft-Windows-Kernel-General |
| ProviderGroupId | Provider group ID | 45 |
| ProviderGroupGUID | Provider group GUID | {A68CA8B7-004F-D7B6…} |
| LocaleName | Locale name | en-US |
| TagName | Event tag name | BrowserHistory |
| TagId | Event tag ID | 1 |
| FullEventName | Complete event name | Microsoft.Windows.Shell.SystemSettings.AppDefaultsUpdated |
| LoggingBinaryName | Logging binary | SystemSettings.exe |
| FriendlyLoggingBinaryName | Friendly binary name | System Settings |
| FullEventNameHash | Event name hash | 12345678901234567890 |
| Keywords | Event keywords | 0x8000000000000000 |
| IsCore | Is core event | true |
| CompressedSize | Compressed payload size | 1024 |
| Payload | JSON payload data | {"AppId":"MSEdge","Url":"https://…"} |
Collection Method
This collector:
- Collects the EventTranscript database from `ProgramData\Microsoft\Diagnosis\EventTranscript`
- Opens the SQLite database
- Queries specific event types using SQL
- Parses JSON payloads from event records
- Extracts and structures data into separate tables
- Also exports raw event data organized by tags to CSV files
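As an added example (not the collector's own code), the Python script below walks the steps above against a small constructed EventTranscript-style SQLite database built in memory: it opens the database, selects the events carrying a given tag with SQL, parses each JSON payload into structured browser-history rows, and exports the raw rows per tag as CSV. The table and column names (`events_persisted`, `event_tags`, `tag_descriptions`), the FILETIME timestamp encoding, the tag names and every event row are assumptions constructed for this example, modelled on the fields listed under Data Collected; they are not taken from the real database schema. A malformed payload is kept in the raw per-tag export but skipped by the structured extraction, which is the behaviour a parser should have when a single bad record must not abort the whole collection.

```python
"""Parse a constructed EventTranscript-style SQLite database (example, not the collector's code).

Assumed simplified schema (an assumption for this example, not the real schema):
  events_persisted(sid, timestamp, payload, full_event_name, full_event_name_hash, logging_binary_name)
  event_tags(full_event_name_hash, tag_id)
  tag_descriptions(tag_id, tag_name)
Timestamps are assumed to be Windows FILETIME values (100-ns ticks since 1601-01-01 UTC).
"""
import csv
import io
import json
import sqlite3
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """UTC datetime -> FILETIME (100-ns ticks since 1601-01-01)."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def from_filetime(ft):
    """FILETIME -> aware UTC datetime (sub-microsecond ticks are truncated)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def build_sample_db():
    """Create an in-memory database with constructed sample events."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE events_persisted(sid TEXT, timestamp INTEGER, payload TEXT,
            full_event_name TEXT, full_event_name_hash INTEGER, logging_binary_name TEXT);
        CREATE TABLE event_tags(full_event_name_hash INTEGER, tag_id INTEGER);
        CREATE TABLE tag_descriptions(tag_id INTEGER, tag_name TEXT);
        INSERT INTO tag_descriptions VALUES (1, 'BrowserHistory'), (2, 'SoftwareSetupAndInventory');
        INSERT INTO event_tags VALUES (1001, 1), (1002, 2);
    """)
    utc = timezone.utc
    events = [  # constructed rows; SIDs, hashes and event names are placeholders
        ("S-1-5-21-1000", to_filetime(datetime(2023, 10, 15, 14, 30, tzinfo=utc)),
         json.dumps({"AppId": "MSEdge", "Url": "https://www.example.com"}),
         "Constructed.BrowserHistory.Event", 1001, "msedge.exe"),
        ("S-1-5-21-1000", to_filetime(datetime(2023, 10, 15, 14, 31, tzinfo=utc)),
         "not json at all",  # deliberately malformed payload
         "Constructed.BrowserHistory.Event", 1001, "msedge.exe"),
        ("S-1-5-21-1000", to_filetime(datetime(2023, 10, 1, 10, 0, tzinfo=utc)),
         json.dumps({"ProgramName": "Google Chrome", "Version": "118.0.5993.89"}),
         "Constructed.Inventory.Event", 1002, "compattelrunner.exe"),
    ]
    conn.executemany("INSERT INTO events_persisted VALUES (?,?,?,?,?,?)", events)
    conn.commit()
    return conn


EVENTS_BY_TAG_SQL = """
SELECT e.sid, e.timestamp, e.payload, e.full_event_name, e.logging_binary_name
FROM events_persisted e
JOIN event_tags t ON t.full_event_name_hash = e.full_event_name_hash
JOIN tag_descriptions d ON d.tag_id = t.tag_id
WHERE d.tag_name = ?
ORDER BY e.timestamp
"""


def events_for_tag(conn, tag_name):
    """Step 3: query one event type by tag; step 4: decode its JSON payloads."""
    rows = []
    for sid, ts, payload, name, binary in conn.execute(EVENTS_BY_TAG_SQL, (tag_name,)):
        try:
            data = json.loads(payload)
        except (TypeError, ValueError):
            data = None  # keep the row, but mark the payload as undecodable
        rows.append({
            "SID": sid,
            "TimeStamp": from_filetime(ts).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "FullEventName": name,
            "LoggingBinaryName": binary,
            "Payload": data if isinstance(data, dict) else None,
            "RawPayload": payload,
        })
    return rows


def extract_browser_history(conn):
    """Step 5: structure BrowserHistory events into SID / AccessTime / URL rows."""
    out = []
    for ev in events_for_tag(conn, "BrowserHistory"):
        if not ev["Payload"] or "Url" not in ev["Payload"]:
            continue  # malformed or unexpected payload: not a usable history row
        out.append({"SID": ev["SID"], "AccessTime": ev["TimeStamp"],
                    "URL": ev["Payload"]["Url"], "AppId": ev["Payload"].get("AppId")})
    return out


def export_by_tag_csv(conn):
    """Step 6: raw event rows per tag as CSV text, keyed by tag name."""
    fields = ["SID", "TimeStamp", "FullEventName", "LoggingBinaryName", "RawPayload"]
    exports = {}
    for (tag,) in conn.execute("SELECT tag_name FROM tag_descriptions ORDER BY tag_name"):
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore", lineterminator="\n")
        writer.writeheader()
        for ev in events_for_tag(conn, tag):
            writer.writerow(ev)
        exports[tag] = buf.getvalue()
    return exports


if __name__ == "__main__":
    db = build_sample_db()
    for row in extract_browser_history(db):
        print(row)
    print(export_by_tag_csv(db)["BrowserHistory"])
```

Against a real copy of the database the same query shape applies: join the event rows to their tag through the event-name hash, then parse the payload column per tag, because the JSON keys differ from one event type to the next and only the tag tells you which structured table a row belongs in.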
Forensic Value
EventTranscript provides unique telemetry data not available in traditional Windows logs. Investigators use this for historical browser activity tracking, application installation timelines, WiFi network history and geolocation, device installation tracking, user behavior patterns, and system configuration analysis.