EventTranscript DB
Overview
Evidence: EventTranscript DB
Description: Collect EventTranscript DB
Category: System
Platform: Windows
Short Name: evnttrscdb
Is Parsed: Yes - SQLite database is parsed into structured tables
Sent to Investigation Hub: Yes
Collect File(s): No
Background
EventTranscript.db is a SQLite database written by the Windows diagnostic data (telemetry) service, Connected User Experiences and Telemetry (DiagTrack). It keeps a local copy of the diagnostic events the host has produced, each stored as a JSON payload, and so contains detailed information about application inventory, browser history, WiFi connections, device installations, and other system events.
This database provides forensic artifacts not available in other Windows logs, including granular application usage data, WiFi access point history (SSIDs and BSSIDs), and detailed system inventory information.
Data Collected
Browser History
| Field | Description | Example |
|---|---|---|
| SID | User security identifier | S-1-5-21-... |
| Username | Username | DOMAIN\user |
| AccessTime | URL access timestamp | 2023-10-15T14:30:00 |
| URL | Visited URL | https://www.example.com |
Inventory Application
| Field | Description | Example |
|---|---|---|
| SID | User security identifier | S-1-5-21-... |
| Username | Username | DOMAIN\user |
| ProgramName | Application name | Google Chrome |
| InstallPath | Installation path | C:\Program Files\Google\Chrome |
| OSVersion | OS version at install time | 10.0.19041 |
| InstallDate | Installation timestamp | 2023-10-01T10:00:00 |
| Version | Application version | 118.0.5993.89 |
Wireless Scan Results
| Field | Description | Example |
|---|---|---|
| SID | User security identifier | S-1-5-21-... |
| Username | Username | DOMAIN\user |
| AccessTime | Scan timestamp | 2023-10-15T14:30:00 |
| SSID | WiFi network name | Corporate-WiFi |
| MACAddress | Access point MAC address (BSSID) | 00:11:22:33:44:55 |
User Default
| Field | Description | Example |
|---|---|---|
| SID | User security identifier | S-1-5-21-... |
| Username | Username | DOMAIN\user |
| DeviceMake | Device manufacturer | Dell Inc. |
| DeviceModel | Device model | Latitude 7490 |
| TimeZone | User time zone | America/New_York |
| DefaultBrowser | Default browser ProgID | ChromeHTML |
| DefaultApp | Default app for file types | |
Physical Disk Info
| Field | Description | Example |
|---|---|---|
| DeviceId | Device identifier (Win32 physical drive path) | \\.\PHYSICALDRIVE0 |
| SerialNumber | Disk serial number | S4BXNX0N123456 |
| Size | Disk size in bytes | 512110190592 |
| NumPartitions | Number of partitions | 4 |
| BytesPerSector | Bytes per sector | 512 |
| MediaType | Media type | SSD |
WiFi Connected Event
| Field | Description | Example |
|---|---|---|
| SID | User security identifier | S-1-5-21-... |
| Username | Username | DOMAIN\user |
| InterfaceGuid | Network interface GUID | {12345678-1234-1234-1234-123456789ABC} |
| InterfaceType | Interface type (IANA ifType; 71 = IEEE 802.11 wireless) | 71 |
| InterfaceDescription | Interface description | Intel(R) Wireless-AC 9560 |
| SSID | Connected WiFi network | Corporate-WiFi |
| AuthAlg | Authentication algorithm | WPA2PSK |
| BSSID | Access point MAC address | 00:11:22:33:44:55 |
| Manufacturer | AP manufacturer | Cisco |
| ModelName | AP model name | AIR-AP2802I |
| ModelNumber | AP model number | AP2802I |
Inventory Device PnP
| Field | Description | Example |
|---|---|---|
| SID | User security identifier | S-1-5-21-... |
| Username | Username | DOMAIN\user |
| ObjectID | Device object identifier (device instance path) | PCI\VEN_8086&DEV_9D60 |
| Service | Associated driver service | nvme |
| FirstInstallDate | First installation | 2023-01-15T10:00:00 |
| InstallDate | Last installation | 2023-10-01T14:00:00 |
| Model | Device model | Samsung SSD 970 EVO |
| Manufacturer | Device manufacturer | Samsung |
Collection Method
This collector:
1. Collects the EventTranscript database (EventTranscript.db) from ProgramData\Microsoft\Diagnosis\EventTranscript on the system drive
2. Opens the SQLite database read-only
3. Queries specific event types (by full event name) using SQL
4. Parses the JSON payload of each matching event record
5. Extracts the fields of interest and structures them into the separate tables listed above
6. Also exports the raw event data, organized by the tags the database assigns to each event type, to CSV files
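The parsing steps above, as an added worked example that is not the collector's own code. The table and column layout (events_persisted, event_tags, tag_descriptions), the FILETIME timestamps, the event names and the payload field names are assumptions drawn from public research on the database rather than from this page; the sample rows are constructed. SID-to-username resolution is omitted because it needs the host's registry, which a stand-alone parser does not have.

```python
"""Parse an EventTranscript.db copy: query events by name, decode the JSON payload,
flatten it into structured rows, and group raw events by tag for CSV export.
Assumed schema (public research, not this page): events_persisted(sid, timestamp,
payload, full_event_name, full_event_name_hash, ...), event_tags, tag_descriptions."""
import csv
import json
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(filetime: int) -> str:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601 UTC string."""
    return (WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)).strftime("%Y-%m-%dT%H:%M:%SZ")


def iso_to_filetime(iso: str) -> int:
    """Inverse of filetime_to_iso, done in integers so large tick counts do not lose precision."""
    delta = datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) - WINDOWS_EPOCH
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def open_readonly(path: str) -> sqlite3.Connection:
    """Open a collected copy without taking a write lock. Copy any EventTranscript.db-wal
    or -journal sidecar next to it first, or events not yet checkpointed are lost."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


# Output table -> (full_event_name, {output column: key inside payload["data"]}).
# Event and field names are assumptions; add an entry here to extract another event type.
TABLES = {
    "InventoryApplication": ("Microsoft.Windows.Inventory.Core.InventoryApplicationAdd", {
        "ProgramName": "Name", "InstallPath": "RootDirPath", "OSVersion": "OSVersionAtInstallTime",
        "InstallDate": "InstallDate", "Version": "Version"}),
    "InventoryDevicePnP": ("Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd", {
        "Service": "Service", "FirstInstallDate": "FirstInstallDate", "InstallDate": "InstallDate",
        "Model": "Model", "Manufacturer": "Manufacturer"}),
}


def extract_table(conn: sqlite3.Connection, table: str) -> list:
    """Flatten one event type into rows; a corrupt or NULL payload is skipped, not fatal."""
    event_name, columns = TABLES[table]
    rows = []
    for sid, ts, payload in conn.execute(
            "SELECT sid, timestamp, payload FROM events_persisted "
            "WHERE full_event_name = ? ORDER BY timestamp", (event_name,)):
        try:
            data = json.loads(payload).get("data", {})
        except (json.JSONDecodeError, AttributeError, TypeError):
            continue
        row = {"SID": sid, "EventTime": filetime_to_iso(ts)}
        row.update({col: data.get(key) for col, key in columns.items()})
        rows.append(row)
    return rows


def events_by_tag(conn: sqlite3.Connection) -> dict:
    """Raw events grouped by tag name; an event carrying several tags appears under each.
    Restricting tag_descriptions to one locale avoids one duplicate row per language."""
    grouped = {}
    for tag, sid, ts, name, payload in conn.execute("""
            SELECT td.tag_name, e.sid, e.timestamp, e.full_event_name, e.payload
            FROM events_persisted e
            JOIN event_tags et ON et.full_event_name_hash = e.full_event_name_hash
            JOIN tag_descriptions td ON td.tag_id = et.tag_id AND td.locale_name = 'en-US'
            ORDER BY td.tag_name, e.timestamp"""):
        grouped.setdefault(tag, []).append(
            {"SID": sid, "EventTime": filetime_to_iso(ts), "EventName": name, "Payload": payload})
    return grouped


def write_tag_csvs(conn: sqlite3.Connection, out_dir: str) -> list:
    """One CSV per tag, like the collector's raw export; returns the paths written."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for tag, rows in events_by_tag(conn).items():
        path = os.path.join(out_dir, "".join(c if c.isalnum() else "_" for c in tag) + ".csv")
        with open(path, "w", newline="", encoding="utf-8") as fh:
            writer = csv.DictWriter(fh, fieldnames=["SID", "EventTime", "EventName", "Payload"])
            writer.writeheader()
            writer.writerows(rows)
        paths.append(path)
    return paths


# Constructed sample database in the assumed layout, so the example runs offline.
SCHEMA = """
CREATE TABLE events_persisted (sid TEXT, timestamp INTEGER, payload TEXT, full_event_name TEXT,
    full_event_name_hash INTEGER, is_core INTEGER, provider_group_id INTEGER,
    logging_binary_name TEXT, friendly_logging_binary_name TEXT,
    compressed_payload_size INTEGER, producer_id INTEGER);
CREATE TABLE tag_descriptions (tag_id INTEGER, locale_name TEXT, tag_name TEXT, description TEXT);
CREATE TABLE event_tags (full_event_name_hash INTEGER, tag_id INTEGER);
"""
USER = "S-1-5-21-1000-2000-3000-1001"  # constructed SID
SAMPLE_EVENTS = [  # constructed rows: (sid, time, full_event_name, name hash, payload data)
    (USER, "2023-10-01T10:00:00Z", TABLES["InventoryApplication"][0], 1001,
     {"Name": "Google Chrome", "Version": "118.0.5993.89", "RootDirPath": "C:\\Program Files\\Google\\Chrome",
      "OSVersionAtInstallTime": "10.0.19041", "InstallDate": "10/01/2023 10:00:00"}),
    (USER, "2023-10-01T14:00:00Z", TABLES["InventoryDevicePnP"][0], 1002,
     {"Model": "Samsung SSD 970 EVO", "Manufacturer": "Samsung", "Service": "nvme",
      "FirstInstallDate": "01/15/2023 10:00:00", "InstallDate": "10/01/2023 14:00:00"}),
    ("S-1-5-18", "2023-10-15T14:30:00Z", "Microsoft.Windows.Kernel.Power.OSStateChange", 1003,
     {"StateTransition": 1}),
]
TAGS = {1: "Software Setup and Inventory", 2: "Device Connectivity and Configuration",
        3: "Product and Service Performance"}
EVENT_TAGS = [(1001, 1), (1002, 1), (1002, 2), (1003, 3)]  # hash 1002 carries two tags


def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tag_descriptions VALUES (?, 'en-US', ?, '')", TAGS.items())
    conn.executemany("INSERT INTO event_tags VALUES (?, ?)", EVENT_TAGS)
    insert = ("INSERT INTO events_persisted VALUES (?, ?, ?, ?, ?, 1, 1, 'svchost.exe', "
              "'svchost.exe', ?, 1)")
    for sid, when, name, name_hash, data in SAMPLE_EVENTS:
        payload = json.dumps({"ver": "4.0", "name": name, "time": when, "data": data})
        conn.execute(insert, (sid, iso_to_filetime(when), payload, name, name_hash, len(payload)))
    # A truncated payload, as found on a damaged copy: kept in the raw export, skipped when parsing.
    conn.execute(insert, (USER, iso_to_filetime("2023-10-02T09:00:00Z"),
                          '{"ver":"4.0","data":{"Name":"Trunc', SAMPLE_EVENTS[0][2], 1001, 30))
    conn.commit()
    return conn


def demo_export() -> list:
    """Run the whole pipeline on the sample database; returns the CSV paths written."""
    return write_tag_csvs(build_sample_db(), tempfile.mkdtemp(prefix="evnttrscdb_"))


if __name__ == "__main__":
    db = build_sample_db()
    for table in TABLES:
        print(table, extract_table(db, table))
    print({tag: len(rows) for tag, rows in events_by_tag(db).items()})
    print(demo_export())
```

Against a real copy, replace build_sample_db() with open_readonly(path). Two details matter in practice: the join through event_tags is many-to-many, so the per-tag CSVs deliberately duplicate an event under every tag it carries, and the structured extraction and the raw export are kept separate so that a single unparseable payload costs one row in the tables but nothing in the raw export.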
Usage
EventTranscript provides telemetry data not available in traditional Windows logs. Investigators use this for historical browser activity tracking, application installation timelines, WiFi network history (BSSIDs can be geolocated against a wireless access point database), device installation tracking, user behavior patterns, and system configuration analysis.
Known Limitations
Only available on Windows 10 and later
The database is only written while diagnostic data viewing is enabled (Settings > Privacy > Diagnostics & feedback > Diagnostic data viewer, stored as EnableEventTranscript under HKLM\SOFTWARE\Microsoft\Diagnostics\DiagTrack); on hosts where it was never enabled the file may be absent or nearly empty
Database may be locked by the diagnostic service (DiagTrack); collect it with a raw or volume shadow copy read and take any -wal or -journal sidecar files with it
Telemetry level (required versus optional diagnostic data) affects which event types are present
Some users/organizations disable telemetry by policy, in which case little or nothing is recorded
Data retention varies based on configuration, so treat the database as a window onto recent activity rather than a complete history
Notes
EventTranscript.db can contain surprisingly detailed information including full URLs, WiFi networks with access point details, and granular application usage. The database format, event names and payload fields can change between Windows versions, so parsing logic should be validated against the Windows build the database came from.